{"id":227825,"date":"2009-01-18T17:24:52","date_gmt":"2009-01-18T16:24:52","guid":{"rendered":"http:\/\/172.22.49.24\/?p=122"},"modified":"2009-01-18T17:24:52","modified_gmt":"2009-01-18T16:24:52","slug":"keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/","title":{"rendered":"Keynote SSTIC 2009 \u2013 Dynamic analysis from kernel space with Kolumbo"},"content":{"rendered":"<p>Presentation: <strong>Julien DESFOSSEZ<\/strong><br \/>\n<br \/>\n<strong>Main objective<\/strong>: to be able to analyze malware, or any program, while avoiding anti-debugger protections.<\/p>\n<p>The usual debugging techniques (ptrace, breakpoints) are easily detectable.<\/p>\n<p>The tool operates in kernel space, in one of several modes:<\/p>\n<p><strong>Trace mode:<\/strong><br \/>\nDisplay of system calls, registers (parameters) and the page table.<br \/>\nEach int 0x80 interrupt is intercepted by modifying its handler in the IDT; the information is recorded and the call is then forwarded to its legitimate handler.<\/p>\n<p><strong>Dump mode:<\/strong><br \/>\nThe tool rebuilds the ELF directly from memory, reassembling it from the separate segments (this is <strong>NOT<\/strong> a copy of the file).<br \/>\nMoreover, the resulting ELF <span style=\"text-decoration: underline;\">is not valid<\/span>; this is not a problem, since the information necessary for its execution is present.<br \/>\nThe tool does not yet work with packers.<\/p>\n<p><strong>Anti-fingerprint mode:<\/strong><br \/>\nPurpose: to be able to keep using existing debuggers. 
By modifying the return code of ptrace (as with trace mode, we handle the system call), we can prevent it from returning an error, and therefore from being detected.<\/p>\n<p>Upcoming improvements: more advanced management of detections, packers, etc\u2026<br \/>\nTo be continued.<\/p>","protected":false},"excerpt":{"rendered":"<p>Presentation: Julien DESFOSSEZ Main objective: to be able to analyze malware, or any program, while [\u2026]<\/p>","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[65],"class_list":["post-227825","post","type-post","status-publish","format-standard","hentry","category-veille-securite","tag-sstic"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.8) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Keynote SSTIC 2009 - Analyse dynamique depuis l&#039;espace noyau avec Kolumbo - INTRINSEC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Keynote SSTIC 2009 - Analyse dynamique depuis l&#039;espace noyau avec Kolumbo\" \/>\n<meta property=\"og:description\" content=\"Pr\u00e9sentation :\u00a0Julien DESFOSSEZ Principal objectif\u00a0: pouvoir analyser un malware, ou n&rsquo;importe quel programme, tout en [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" 
content=\"2009-01-18T16:24:52+00:00\" \/>\n<meta name=\"author\" content=\"Cyrille BARTHELEMY\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:site\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cyrille BARTHELEMY\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/\"},\"author\":{\"name\":\"Cyrille BARTHELEMY\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/4d0993f0e377e77d13e97f623123e109\"},\"headline\":\"Keynote SSTIC 2009 &#8211; Analyse dynamique depuis l&#039;espace noyau avec Kolumbo\",\"datePublished\":\"2009-01-18T16:24:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/\"},\"wordCount\":215,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"keywords\":[\"SSTIC\"],\"articleSection\":[\"Veille 
S\u00e9curit\u00e9\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/\",\"name\":\"Keynote SSTIC 2009 - Analyse dynamique depuis l&#039;espace noyau avec Kolumbo - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"datePublished\":\"2009-01-18T16:24:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Keynote SSTIC 2009 &#8211; Analyse dynamique depuis l&#039;espace noyau avec Kolumbo\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le 
v\u00f4tre\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\",\"name\":\"INTRINSEC\",\"alternateName\":\"ISEC\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"width\":1322,\"height\":1322,\"caption\":\"INTRINSEC\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/Intrinsec\",\"https:\\\/\\\/fr.linkedin.com\\\/company\\\/intrinsec\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC0trUZAHNZOUbxYnNdecM4A\"],\"description\":\"soci\u00e9t\u00e9 de consulting, pure player cybers\u00e9curit\u00e9 fran\u00e7ais et europ\u00e9en depuis plus de 30ans, sp\u00e9cialiste dans la s\u00e9curit\u00e9 offensive & audit (pentest\\\/red team), GRC, et services IMSS comme le SOC, CTI et CERT Intrinsec est qualifi\u00e9 PASSI Elev\u00e9, PRIS Elev\u00e9 et PACS par l'ANSSI\",\"email\":\"contact@intrinsec.com\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/4d0993f0e377e77d13e97f623123e109\",\"name\":\"Cyrille 
BARTHELEMY\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g\",\"caption\":\"Cyrille BARTHELEMY\"},\"sameAs\":[\"https:\\\/\\\/www.intrinsec.com\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/cby\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Keynote SSTIC 2009 - Dynamic analysis from kernel space with Kolumbo - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/","og_locale":"en_US","og_type":"article","og_title":"Keynote SSTIC 2009 - Analyse dynamique depuis l&#039;espace noyau avec Kolumbo","og_description":"Pr\u00e9sentation :\u00a0Julien DESFOSSEZ Principal objectif\u00a0: pouvoir analyser un malware, ou n&rsquo;importe quel programme, tout en [&hellip;]","og_url":"https:\/\/www.intrinsec.com\/en\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/","og_site_name":"INTRINSEC","article_published_time":"2009-01-18T16:24:52+00:00","author":"Cyrille BARTHELEMY","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Cyrille BARTHELEMY","Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/"},"author":{"name":"Cyrille BARTHELEMY","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/4d0993f0e377e77d13e97f623123e109"},"headline":"Keynote SSTIC 2009 &#8211; Analyse dynamique depuis l&#039;espace noyau avec Kolumbo","datePublished":"2009-01-18T16:24:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/"},"wordCount":215,"commentCount":0,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"keywords":["SSTIC"],"articleSection":["Veille S\u00e9curit\u00e9"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/","url":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/","name":"Keynote SSTIC 2009 - Dynamic analysis from kernel space with Kolumbo - 
INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"datePublished":"2009-01-18T16:24:52+00:00","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/keynote-sstic-2009-analyse-dynamique-depuis-lespace-noyau-avec-kolumbo\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Keynote SSTIC 2009 &#8211; Analyse dynamique depuis l&#039;espace noyau avec Kolumbo"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/c
hannel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinsec, a consulting firm and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/4d0993f0e377e77d13e97f623123e109","name":"Cyrille BARTHELEMY","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1ea58be7f50cd5a369de3c03eb2ce4d5d8b053ad42ca848d6cc15a39f6dc605e?s=96&d=retro&r=g","caption":"Cyrille BARTHELEMY"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/cby\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/227825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=227825"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/227825\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=227825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=227825"},{"taxonomy":"post_tag","embeddable":tr
ue,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=227825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}