Storm Worm Process Injection from the Windows Kernel
I spent a few hours looking at the storm worm and wrote up a quick informal paper on how to extract the actual malicious payload. If you're interested in how to use asynchronous procedure call to inject code into a userspace process this paper might be interesting to you.
This paper will detail the analysis methods of W32/StormWorm.gen1 and show a process injection method it uses to run malicious code in user-space. This variant loads a driver into the kernel which then injects itself into the running services.exe process. The worm then connects to a P2P network sending spam, initiating DDoS from the infected computer. This technique does not use a packer in the traditional sense but a two-stage loader to inject itself into a running process from kernel space. I will show the decoding process and methods for extracting the true malicious code from the driver executable.