Cadaver Worm: An Exercise in Malware Fiction
by Dmitry Vostokov
Memory Dump Analysis Anthology, Volume 7
- Cover Page
- Title Page
- Copyright Page
- Summary of Contents
- Contents
- Preface
- Acknowledgements
- Part 1: Professional Crash Dump Analysis and Debugging
- WinDbg Shortcuts
- Two WinDbg Scripts That Changed the World
- Raw Stack Dump of All Threads (Kernel Space)
- The Design of Memory Dump Analysis: 7 Steps of Highly Successful Analysts
- Postmortem Effects of -g
- Event Owners
- Improbable Occurrence
- Pattern Cooperation
- Page Heap Implementation
- More Common Mistakes in Memory Analysis
- Memory Dump Analysis Best Practices
- Part 2: Crash Dump Analysis Patterns
- FPU Exception
- Hidden Parameter
- Memory Leak (Page Tables)
- Unrecognizable Symbolic Information
- Network Packet Buildup
- Disconnected Network Adapter
- Problem Module
- Empty Stack Trace
- Debugger Bug
- Value References
- Self-Diagnosis (Registry)
- System Object
- Module Variable
- Stack Trace Collection (Predicate)
- Stack Trace Collection (I/O Requests)
- Regular Data
- Translated Exception
- Blocked DPC
- Late Crash Dump
- Blocked Thread (Timeout)
- Punctuated Memory Leak
- Insufficient Memory (Reserved Virtual Memory)
- Coincidental Error Code
- Stored Exception
- Activity Resonance
- Value Adding Process
- Memory Leak (I/O Completion Packets)
- No Current Thread
- Unloaded Module
- Stack Trace Change
- Spike Interval
- Deviant Module
- Hidden Exception (Kernel Space)
- Handled Exception (Kernel Space)
- High Contention (.NET CLR Monitors)
- Frozen Process
- Incomplete Session
- Error Reporting Fault
- First Fault Stack Trace
- Hidden Process
- Disk Packet Buildup
- Deviant Token
- Module Collection
- Handle Leak
- Critical Stack Trace
- Debugger Omission
- Broken Link
- Wait Chain (Pushlocks)
- Insufficient Memory (Session Pool)
- Step Dumps
- Reduced Symbolic Information
- Injected Symbols
- Glued Stack Trace
- Distributed Wait Chain
- Ubiquitous Component (Kernel Space)
- One-Thread Process
- Module Product Process
- Crash Signature Invariant
- Small Values
- Shared Structure
- Wait Chain (CLR Monitors)
- Thread Cluster
- Module Collection (Predicate)
- False Effective Address
- Screwbolt Wait Chain
- Part 3: Core Dump Analysis Patterns (Mac OS X)
- GDB for WinDbg Users
- Stack Trace
- GDB Annoyances: Incomplete Stack Trace
- NULL Pointer (Data)
- Shared Buffer Overwrite
- Multiple Exceptions
- Double Free (Process Heap)
- Dynamic Memory Corruption (Process Heap)
- Spiking Thread
- NULL Pointer (Code)
- Execution Residue
- Coincidental Symbolic Information
- Paratext
- Truncated Dump
- C++ Exception
- Local Buffer Overflow
- Divide by Zero (User Mode)
- Stack Overflow (User Mode)
- Active Thread
- Part 4: Malware Analysis Patterns
- Part 5: A Bit of Science and Philosophy
- On Matter
- Commodities as Memories
- Software as Means of Production
- Notes on Memoidealism
- The Confluence of Computers, Philosophy, and Religion
- Analytic Memory Dump - A Mathematical Definition
- Sorting and Early Greek Philosophers
- General Abnormal Patterns of Structure and Behavior
- On Matter and Substances
- M-Memory
- Ontology of Memoidealism
- Philosophies of Persistence
- Information as Arrow
- Dialectical Triad in Memoidealism
- Part 6: Software Trace Analysis Patterns
- Software Trace Diagrams (STDiagrams)
- Macrofunction
- Linked Messages
- Marked Message
- Trace Frames
- Counter Value
- Message Context
- Error Distribution
- Break-in Activity
- Resume Activity
- Fiber Bundle
- Data Flow
- Empty Trace
- Error Message
- Periodic Message Block
- Visibility Limit
- Relative Density
- Sparse Trace
- Opposition Messages
- Split Trace
- Message Interleave
- Sheaf of Activities
- Indexical Trace
- Abnormal Value
- Dominant Event Sequence
- Pivot Message
- Traces of Individuality
- Indirect Facts
- Hidden Error
- Last Activity
- State and Event
- Dialogue
- Motif
- Exception Stack Trace (Java)
- Correlated Discontinuity
- Piecewise Activity
- Density Distribution
- Factor Group
- Silent Messages
- Shared Point
- Meta Trace
- Data Association
- State Dump
- Message Cover
- Message Set
- Error Thread
- Activity Divergence
- Part 7: Fun with Crash Dumps
- Part 8: Software Narratology
- Software Anti-Narrative
- Software Narratology Helps Fiction Writers
- Narremes in Software Narratology
- Narralog - A Software Trace Modeling Language
- What is a Software Narrative?
- Software Narrative Planes
- Software Narratology Square
- Writing and Validation of Historical Narratives
- Software Trace Analysis Patterns Domain Hierarchy
- Process Monitor as Modeling Tool
- Generalized Software Narrative and Trace
- Unified Computer Diagnostics: Incorporating Hardware Narratology
- Introducing Software Narratology of Things (Software NT)
- Part 9: Software Diagnostics, Troubleshooting and Debugging
- Unified and Generative Debugging
- Software Problem Description Language
- What are Software Trace and Memory Dump Analysis? A One Sentence Definition
- Software Problem Solving Tools as a Service
- Software Problem Description Patterns
- Software Behavior Pattern Prediction
- Patterns of Software Diagnostics
- Highly Effective Diagnostics
- Network Trace Analysis Patterns
- Software Diagnostics Services
- Architecture of Process Memory Dump Capture Done Right
- An Introduction to General Systems Thinking (Book Review)
- Software Diagnostics Institute Logo
- User Interface Problem Analysis Patterns
- Pattern-Based Software Diagnostics
- Software Diagnostics Discipline
- Architecture of memCPU
- Phenomenology of Software Diagnostics: A First Sketch
- Software Diagnostics Report Schemes
- Software Diagnostics Training: Two Approaches
- Software Disruption Patterns
- Static Code Analysis Patterns
- The Structure of Software Problem Solving Organization
- Bridging the Great Divide
- Elementary Software Diagnostics Patterns
- Zero Fault Software Diagnostics
- Agile Software Diagnostics
- ADDR Pattern Catalogue
- Thinking-Based Software Diagnostics
- Memory Acquisition Pattern Catalogue
- Trace Acquisition Pattern Catalogue
- Patterns of Software Diagnostics Architecture
- Detecting and Predicting the Unknown
- Software Diagnostics Metaphors
- Rapid Software Diagnostics Process (RSDP)
- Right First Time Software Diagnosis
- Software Diagnosis Codes
- Vulnerability Analysis Patterns (VAP)
- Part 10: Art and Visualization
- 2012 (Pessimistic)
- 2012 (Optimistic)
- A Bug in a Bag (Collections, Ex-hi-bit 1)
- A Bug Meets a Bug (The Clash of Civilizations)
- A Bug Catcher
- The Second Generation of CARE System (Trademark)
- RawStackGram
- A Memory Window
- Liquid Memory
- Computer Brain
- Computer Evolution
- M Spaces
- Happy Hellowin!
- Pointers in Nature
- Drink Sensibly Before The End Of The World!
- MM=DD=YY
- Process Monitor Log Visualized
- Holes Infinity (HI OS)
- Cyber Vostok Missions
- A Dump Machine
- The Power of Simplicity
- Happy St. Patrick's Screen
- Happy New Year 2014!
- I Love Software Diagnostics
- Puree Windows Cooking
- Political Computicarts
- The Day I Quit
- Hero of Dump Analysis, a Medal for Labor Day
- Diagnosed by Vostokov®™
- Stack Trace Shapes
- The Art of Internals
- Threadinking
- Part 11: Miscellaneous
- Appendix
- Index of WinDbg Commands
- Notes
- Cover Images
Cadaver Worm: An Exercise in Malware Fiction
The discovery of a “black hole horizon” in a complete memory dump inspired this fictitious malware. There in a dump we discovered an innocuous ASCII message:
fffff880`15925010 fffff880`159250d0 "Dumping physical memory to disk: 80% ."
A little thought and we realized that this page was saved to a page file at the time when only 80% of memory was dumped. So we do not know what was in that page during the remaining time (and would never know). We guess that Cadaver Worms live there spreading from PC to PC and causing blue screens immediately upon infection to minimize discovery. They are not in crash dumps because they relocate themselves during the system dump procedure. They thaw frozen CPUs and send themselves to network. Who would suspect a computer showing a blue screen sending network packets?
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.