Links
This article examines the average lifespan of kernel bugs, revealing they typically go undetected for over two years, with some lasting nearly 21 years. It highlights a tool that identifies historical bugs and discusses trends in bug discovery, particularly improvements in recent years.
This is a Windows driver that detects drivers resident in kernel memory and hidden threads, useful for rootkit developers who want to test and improve their evasion techniques against it. It implements several analysis methods, such as NMI callbacks and APC stack walks, to identify suspicious activity. Test signing and kernel debugging must be enabled to load it.
The article discusses how the lack of kernel address space layout randomization (KASLR) on Pixel devices makes kernel addresses predictable. It explains the implications of static physical memory allocation and how attackers can exploit this to write to kernel memory without first needing a KASLR leak. The findings highlight security weaknesses in the Android kernel on Pixel phones.
This article details the architecture and techniques of Singularity, a Loadable Kernel Module rootkit for Linux 6.x. It covers methods for process concealment, file system stealth, and privilege escalation, highlighting how it evades detection through advanced hooking and anti-forensic tactics.
The article discusses sandboxing agents at the kernel level and its implications for security and system integrity. It emphasizes the importance of isolating processes to contain malicious activity and strengthen overall system protection, and examines techniques and strategies for implementing effective kernel-level sandboxing.
Hells Hollow introduces a novel technique for SSDT hooking, leveraging Alt Syscalls to bypass Microsoft's PatchGuard protections on Windows 11. This method allows rootkits to intercept and manipulate system calls by modifying the KTRAP_FRAME, enabling a range of malicious activities while highlighting weaknesses within the Windows kernel. Limitations of the technique are discussed, including how it fares against security measures such as Hyper-V and HVCI.
NovaHypervisor is a defensive x64 Intel hypervisor designed to protect against kernel-based attacks by safeguarding kernel memory structures and security products on Windows 10 and later. Written in C++ and Assembly, it is in early development and not yet suitable for production; the project includes instructions for setup, memory protection commands, and logging. Users must enable specific virtualization features for the hypervisor to run.