Summary
Hi all! I have been in OS security research for more than 10 years working on various areas related to Windows and Linux kernel- and user-level security, rootkit detection, memory forensics, bare-metal hypervisors. I apply theoretical knowledge and practical expertise to make computer systems secure and reliable. My current research focuses on security analytics to detect advanced threats in complex systems.
I have published more than 40 research papers, and one patent.
My research results were presented at more than 15 conferences:
HITB 2023 (Thailand),
EKOPARTY 2022 (Argentina), ROOTCON 2022 (Philippines), LABScon 2022 (USA), BlackHat 2022 (USA),
BlackHat 2021 (UK), Texas Cyber Summit 2021 (USA), IEEE SP SADFE 2021 (USA),
HITB 2020 (Singapore),
BlackHat 2018 (UK),
REcon 2016 (Canada),
seven ADFSL conferences 2014-2022 (USA),
RusCrypto 2011 (Russia).
My blog is here - igorkorkin.blogspot.com
Education
2004-2009 Moscow Engineering Physics Institute (NRNU MEPhI)
Department of Cryptology and Cybersecurity (#42).
MSc in Computer Science, diploma with distinction.
Master topic: “Stealth Malware Detection System in OS Windows”.
2009-2012 Moscow Engineering Physics Institute (NRNU MEPhI)
Department of Cryptology and Cybersecurity (#42)
Ph.D. in Computer Science.
Thesis topic: “Statistical Detection of Hardware Virtualization Based Rootkits”.
The recent research projects:
Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs
BlackHat USA, Las Vegas, USA, August 6-11, 2022.
Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors
BlackHat Europe Conference, London, UK, November 10-11, 2021.
Protected Process Light will be Protected – MemoryRanger Fills The Gap Again
Systematic Approaches to Digital Forensic Engineering (SADFE) International Workshop;
2021 IEEE Symposium on Security and Privacy Workshops, San Francisco, CA, USA, May 24-27, 2021.
Texas Cyber Summit IV, Oct 29–30, 2021, USA, TX, San Antonio.
Windows Kernel Hijacking is Not an Option: MemoryRanger Comes to the Rescue Again
Hack In The Box Security Conference (HITBLockdown002), July 25, 2020, Singapore
Journal of Digital Forensics, Security and Law, USA, June 10, 2021.
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
ADFSL Conference, Daytona Beach, Florida, USA, May 15-16, 2019.
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
BlackHat Europe Conference, London, UK, December 5-6, 2018.
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel
ADFSL Conference, Daytona Beach, Florida, USA, May 17-18, 2018.
Detect Kernel-Mode Rootkits via Real-Time Logging & Controlling Memory Access
ADFSL Conference, Daytona Beach, Florida, USA, May 17-18, 2017.
Monitoring & controlling kernel-mode events by HyperPlatform
REcon conference, Montreal, Canada, 17-19 June 2016.
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware
ADFSL Conference, Daytona Beach, Florida, USA, May 24-25, 2016.
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations
ADFSL Conference, Daytona Beach, Florida, USA, May 19-21, 2015.
Applying Memory Forensics to Rootkit Detection
ADFSL Conference, Daytona Beach, Florida, USA, May 28-29, 2014.
Recorded Talks
HITB 2023
ALPChecker – Detecting Spoofing and Blinding Attacks
Texas Cyber Summit 2022
Windows built-in Sandbox Disables Microsoft Defender and other EDR/AV: Attack Detection and Prevention via MemoryRanger
Ekoparty 2022
Blinding Endpoint Security Solutions: WMI attack vectors
Black Hat USA 2022
Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs
ROOTCON 2022
Microsoft Defender Will Be Defended - MemoryRanger Prevents Blinding Windows AV
Black Hat Europe 2021
Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors
Texas Cyber Summit 2021
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Texas Cyber Summit 2021
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge
(lightning talk)
HITB 2020
Kernel Hijacking is Not an Option: MemoryRanger Comes to the Rescue Again
Black Hat Europe 2018
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Work History
Lead Security Researcher, Expert B
LLC Ventra (3 years), Huawei Technologies (0.7 years) November 2019 – August 2023
Research Protection Mechanisms of Linux and their robustness against rootkits
Achievement: published a patent:
• Google Patents - CN114519186A - https://patents.google.com/patent/CN114519186A/en
• WIPO Patent Scope - WO2022105610 - https://patentscope.wipo.int/search/en/detail.jsf?docId=WO2022105610
Research Algorithms to protect Windows Huawei Applications from common user-level intrusions
Achievement: team award.
Research Data Storage Protection Technologies. Achievement: Strategic Planning.
Presented at various Huawei events.
Lead Security Research Engineer
Special System Engineering Centre (ssec.ru) March 2019 – October 2019
Development of the advanced firewall system for Windows-based hosts using C/C++, STL, and Npcap library;
Presenting the current research results at academic conferences and in scientific journals.
Senior Researcher
FGUP CNIIHM (www.cniihm.ru) February 2009 – March 2019
Development of kernel-mode drivers and user-mode apps using C/C++, WDK, VS, WinDbg;
Cybersecurity and digital forensics research in various expert teams;
Various docs and publications for customers.
Visiting Professor (volunteering)
Moscow Engineering Physics Institute (MEPhI), Moscow, Russia September 2012 – now
Scientific advisor for the undergraduate and postgraduate students;
External expert for the examination board in the Department of Cryptology and Discrete Mathematics No.42;
The details about me are here https://kaf42.mephi.ru
Talks and Papers in English:
(2023) ALPChecker – Detecting Spoofing and Blinding Attacks
by Anastasiia Kropova and Igor Korkin
HITBSecConf2023 (talk), arXiv (paper)
RASP for LSASS: Preventing Mimikatz-Related Attacks
by Anna Revazova and Igor Korkin
arXiv (paper)
(2022) Microsoft Defender Will Be Defended: MemoryRanger Prevents Blinding Windows AV
by Denis Pogonin and Igor Korkin
ADFSL (talk and paper), ROOTCON16 (talk)
(2022) Human-Controlled Fuzzing With AFL
by Maxim Grishin and Igor Korkin
ADFSL (talk and paper), ROOTCON16 (talk)
(2021) Your Linux Passwords Are in Danger: MimiDove Meets the Challenge
by Svetlana Golub and Igor Korkin
https://texascyber.com/briefings_schedule/your-linux-passwords-are-in-danger-mimidove-meets-the-challenge/
Talks and Papers in Russian:
(2024) Apply Hybrid Approach to Directed Fuzzing of the Linux Kernel with Syzkaller
by Maxim Grishin and Igor Korkin
The Second All-Russian Scientific and Technical Conference "Cybernetics and Information Security" (CIS-2024)
Publisher: National Research Nuclear University MEPhI, Moscow, Russia.
https://www.elibrary.ru/item.asp?id=75062616&selid=75062727 paper.pdf
(2023) Analysis of Windows 11 OS protection mechanisms against code injection attacks
by Konstantin Schastlivtsev and Igor Korkin
Cybernetics and Information Security "CIS-2023": collection of scientific papers from the All-Russian Scientific and Technical Conference. Publisher: National Research Nuclear University MEPhI, Moscow, Russia.
https://elibrary.ru/item.asp?pff=1&id=54719692 paper.pdf
(2022) Ransomware detection based on machine learning models and Event Tracing for Windows
by Artem Kalinkin, Svetlana Golub, Igor Korkin, Danil Pyatovskiy
https://www.semanticscholar.org/paper/Ransomware-detection-based-on-machine-learning-and-Kalinkin-Golub/ae5e53215f24a0e4eb38d834ac38a084cb86ce85
(2022) An Analysis of Local Security Authority Subsystem Services for Windows and Linux
by Svetlana Golub and Igor Korkin
Security of Information Technologies, ISSN 2074-7128 (Print); ISSN 2074-7136 (On-Line), pp. 57-69, Issue 29(1)
https://elibrary.ru/item.asp?id=48069755 https://dx.doi.org/10.26583/bit.2022.1.06
(2021) Expanding the Scope of Clang Static Analyzer For Detecting New Vulnerabilities
by Maxim Rudik and Igor Korkin
Estestvennye i tekhnicheskie nauki. ISSN 1684-2626, pp. 225-230, Issue 7 (158)
https://dx.doi.org/10.25633/ETN.2021.07.13
(2020) Analysis of Ways to Get a Copy of The Ram of a Computer Running Mac OS
(2020) Analysis of Memory Dump Approaches for the MAC OS
Korkin I. Y., Lyashenko V. A., Lipnitsky A. A., Pak M. A., Bykovsky P. S.
Actual Scientific Research in the Modern World (Aktualʹnye naučnye issledovaniâ v sovremennom mire). ISSN: 2524-0986, pp. 77-85, Issue 6-2 (62), 2020.
https://elibrary.ru/item.asp?id=43092509 and paper.pdf
(2019) Advanced Rootkit Detection Using Memory Forensics
by Vladislav Poddubnyy and Igor Korkin
https://cyberleninka.ru/article/n/sredstvo-obnaruzheniya-skrytogo-ispolnimogo-koda-v-pamyati-oc-windows
https://dx.doi.org/10.21681/2311-3456-2019-5-75-82 and paper.pdf
(2019) Revealing Cryptocurrency Mining Malware via Event Tracing for Windows (ETW)
by Oleg Kazakov and Igor Korkin
https://cyberleninka.ru/article/n/obnaruzhenie-kriptomaynerov-v-os-windows-instrumentami-tehnologii-etw
https://dx.doi.org/10.21681/2311-3456-2019-5-83-88 and paper.pdf
Awards
finalist for Skolkovo Cybersecurity Challenge 2016 (Cyberday Conference 2016), 'Cyber-security of wireless implantable medical devices for supporting life', Moscow, Russia (December 8, 2016) (http://sk.ru/news/b/pressreleases/archive/2016/12/02/skolkovo-cybersecurity-challenge-2016-otobrano-15-proektovfinalistov.aspx);
3rd place at Microsoft Summer School on the Internet of Things in Kazan, Russia (July 17 - 23, 2016) (https://www.microsoft.com/en-us/research/blog/microsoft-research-brings-summer-school-russias-emergent-tech-hub/);
1 of 2 top papers at Conference on Digital Forensics, Security and Law in Daytona Beach, Florida, USA (May 18-21, 2015) (http://igorkorkin.blogspot.ru/2015/05/two-challenges-of-stealthy-hypervisors.html);
1st place in the championship ‘Hackers vs. Forensics’ on Forum “Positive Hack Days” in Moscow, Russia (May 30-31, 2012) (https://twitter.com/devteev/status/206117807212077057);
finalist of the Conference RusCrypto 2011, ‘Detection of nested virtual machine monitors’ Moscow Region, Russia (March 30 - April 2, 2011) (https://www.ruscrypto.ru/accociation/news/2011-03-21.html).
Patents
Data Protection Method, Apparatus, Storage Medium, and Computer Device (2022)
• Google Patents - CN114519186A - https://patents.google.com/patent/CN114519186A/en
• WIPO Patent Scope - WO2022105610 - https://patentscope.wipo.int/search/en/detail.jsf?docId=WO2022105610
Research activity
presented at the three BlackHat conferences:
• USA 2022 - https://www.blackhat.com/us-22/briefings/schedule/#blasting-event-driven-cornucopia-wmi-based-user-space-attacks-blind-siems-and-edrs-27211
• Europe 2021 - https://www.blackhat.com/eu-21/briefings/schedule/speakers.html#igor-korkin-34812
• Europe 2018 - https://www.blackhat.com/eu-18/briefings/schedule/speakers.html#igor-korkin-34812
presented two talks at the Texas Cyber Summit 2021 -
https://texascyber.com/speaker/igor-korkin/
presented at the 2021 SADFE Workshop in conjunction with the 42nd IEEE Symposium on Security and Privacy - http://sadfe.org/Sadfe21/program21.html
presented at the HITBLockdown002 Singapore 2020 -
https://conference.hitb.org/hitb-lockdown002/sessions/kernel-hijacking-is-not-an-option-memoryranger-comes-to-rescue-again/
participated in REcon 2016 conference -
https://recon.cx/2016/speakers/satoshi_tanda.html
made presentations at seven ADFSL Conferences on Digital Forensics, Security and Law in the USA in 2014-2022
https://commons.erau.edu/do/search/?q=igor%20korkin
Publishing Systems Records
DsLib.net - www.dslib.net/author/igor.korkin.html
Academia.edu - https://mephi.academia.edu/IgorKorkin
OpenReview - https://openreview.net/profile?id=~Igor_Korkin1
ResearchGate - https://www.researchgate.net/profile/Igor-Korkin-2
Semantic Scholar - https://www.semanticscholar.org/author/3114387
Web of Science - https://www.webofscience.com/wos/author/record/294131
SCOPUS - https://www.scopus.com/authid/detail.uri?authorId=57219459633
ResearcherID - https://www.webofscience.com/wos/author/record/N-2544-2013
Google Scholar Citations - https://scholar.google.com/citations?user=0RJh3vYAAAAJ
Microsoft Academic - https://academic.microsoft.com/profile/g2820jge-5i08-4730-82i6-he4j874i02h9/IgorKorkin
Russian Science Citation Index РИНЦ SPIN (Science Index) 1220-1064; AuthorID: https://www.elibrary.ru/author_profile.asp?id=680616
Training/Courses
completed a training "Advanced Fuzzing and Crash Analysis" by Richard Johnson from HITBSecTrain 2020 (https://www.credential.net/93e2f22e-78ba-4e2e-9cdd-dc3a298d3c85?key=7b203a657dbe63350659506c42bf35239991cafce3726f016fcd87665ee0f8a1);
completed a course ‘Malicious Software and its Underground Economy: Two Sides to Every Story’ by Dr Lorenzo Cavallaro. Certificate with distinction. (July-August 2013) (https://www.coursera.org/verify/ZN9G8KA5NC)
Ph.D. Thesis
Igor Korkin
Statistical Detection of Hardware Virtualization Based Rootkits (in Russian)
"Методика обнаружения нелегитимного программного обеспечения, использующего технологию аппаратной виртуализации"
(Method for the Detection of Illegitimate Software that Uses Hardware Virtualization Technology)
Defended on February 9, 2012; approved on August 30, 2012, 151 p
Links:
• IAEA Ref #45100139: https://inis.iaea.org/search/45100139
• ЦИТИС (CITIS): Internet number И120213185334, inventory number 04201255358
• РГБ (Russian State Library): https://search.rsl.ru/ru/record/01005007262 & https://search.rsl.ru/ru/record/01005409054
The English version presented at the 10th ADFSL Conference - igorkorkin.blogspot.com/2015/05/two-challenges-of-stealthy-hypervisors.html
Papers & Conferences
Anastasiia Kropova and Igor Korkin
ALPChecker – Detecting Spoofing and Blinding Attacks
→ Proceedings of the Hack In The Box Security Conference (HITBSecConf2023), CommSec Track, Phuket, Thailand, August 21-25, 2023
https://conference.hitb.org/hitbsecconf2023hkt/session/commsec-alpchecker-detecting-spoofing-and-blinding-attacks/
https://www.youtube.com/watch?v=DV0dls206zc
→ The paper has been published on arXiv (2023) - https://arxiv.org/abs/2401.01376
Anna Revazova and Igor Korkin
RASP for LSASS: Preventing Mimikatz-Related Attacks
→ The paper has been published on arXiv (2023) - https://arxiv.org/abs/2401.00316
Artem Kalinkin, Svetlana Golub, Igor Korkin, Danil Pyatovskiy
Ransomware detection based on machine learning models and Event Tracing for Windows
https://www.semanticscholar.org/paper/Ransomware-detection-based-on-machine-learning-and-Kalinkin-Golub/ae5e53215f24a0e4eb38d834ac38a084cb86ce85
Igor Korkin, Claudiu Teodorescu, Andrey Golchikov
Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs
In Proceedings of the BlackHat USA Conference, Las Vegas, USA, August 10, 2022.
→ All the details are here - https://www.blackhat.com/us-22/briefings/schedule/#blasting-event-driven-cornucopia-wmi-based-user-space-attacks-blind-siems-and-edrs-27211
Blasting Event Driven Cornucopia: WMI Edition -
Proceedings of the LABScon, Scottsdale, Arizona, USA, September 23, 2022
Blinding Endpoint Security Solutions: WMI attack vectors -
Proceedings of the EKOPARTY, Buenos Aires, Argentina, November 3-5, 2022
Denis Pogonin and Igor Korkin
Microsoft Defender Will Be Defended: MemoryRanger Prevents Blinding Windows AV
→ Proceedings of the 15th Annual ADFSL 2022 Conference on Digital Forensics, Security and Law, Florida, USA, Online, July 25, 2022, https://commons.erau.edu/adfsl/2022/presentations/7/
→ Proceedings of the ROOTCON 16, Philippines, Virtual, September 27, 2022, slides, video
Maxim Grishin and Igor Korkin
Human-Controlled Fuzzing With AFL
→ Proceedings of the 15th Annual ADFSL 2022 Conference on Digital Forensics, Security and Law, Florida, USA, Online, July 25, 2022, https://commons.erau.edu/adfsl/2022/presentations/3/
→ Proceedings of the ROOTCON 16, Philippines, Virtual, September 27, 2022, slides, video
Igor Korkin, Claudiu Teodorescu, Andrey Golchikov
Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors
In Proceedings of the BlackHat Europe Conference, London, UK, November 10, 2021.
All the details are here - https://www.blackhat.com/eu-21/briefings/schedule/#veni-no-vidi-no-vici-attacks-on-etw-blind-edr-sensors-24842
Igor Korkin, Svetlana Golub
Slides "Your Linux Passwords Are in Danger: MimiDove Meets the Challenge"
Texas Cyber Summit IV, Oct 29–30, 2021, USA, TX, San Antonio,
All the details are here - https://igorkorkin.blogspot.com/2021/11/your-linux-passwords-are-in-danger.html
Conference Proceedings (a short paper) "Your Linux Passwords Are in Danger: MimiDove Meets the Challenge"
The paper has been published in the IOSR Journal of Computer Engineering (IOSR-JCE)
e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 23, Issue 6, Ser. I (Nov. –Dec. 2021), pp. 27-28.
https://www.iosrjournals.org/iosr-jce/papers/Vol23-issue6/Ser-1/C2306012728.pdf and
https://doi.org/10.9790/0661-2306012728
Full Paper "An Analysis of Local Security Authority Subsystem Services for Windows and Linux"
The paper has been published in the Security of Information Technologies, 29 № 1 (Feb-March, 2022),
ISSN 2074-7128 (Print); ISSN 2074-7136 (On-Line), pp. 57-69
https://bit.mephi.ru/index.php/bit/issue/view/95
https://elibrary.ru/item.asp?id=48069755
Igor Korkin
Paper "Protected Process Light is not Protected: MemoryRanger Fills The Gap Again"
Systematic Approaches to Digital Forensic Engineering (SADFE) International Workshop in conjunction with the 42nd IEEE Symposium on Security and Privacy.
in Proceedings of 2021 IEEE Symposium on Security and Privacy Workshops, San Francisco, CA, USA, May 24-27, 2021, pp.298-308, the paper can be retrieved from https://conferences.computer.org/sp/pdfs/spw/2021/893400a298.pdf and
https://doi.org/10.1109/SPW53761.2021.00050
Conference "Protected Process Light will be Protected – MemoryRanger Fills the Gap Again"
Texas Cyber Summit IV, Oct 29–30, 2021, USA, TX, San Antonio,
https://texascyber.com/briefings_schedule/memoryranger/
All the details are here - https://igorkorkin.blogspot.com/2021/10/protected-process-light-will-be.html
Igor Korkin
(Windows) Kernel Hijacking is Not an Option: MemoryRanger Comes to the Rescue Again
In Proceedings of the Hack In The Box Security Conference (HITBLockdown002), July 25, 2020, Singapore
The paper has been published in the Journal of Digital Forensics, Security and Law (JDFSL), Vol 16, No.1, Article 4, June 2021.
All the details are here - https://igorkorkin.blogspot.com/2021/05/kernel-hijacking-is-not-option.html
Igor Korkin
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
Journal of Digital Forensics, Security and Law, Vol 14, No 3, pp 1-10, 2019, ISSN: 1558-7223. Retrieved from
https://commons.erau.edu/jdfsl/vol14/iss3/3/
https://dx.doi.org/10.15394/jdfsl.2019.1625
Igor Korkin
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
Proceedings of the 14th Annual ADFSL 2019 Conference on Digital Forensics, Security and Law, Daytona Beach, Florida, USA, May 15-16, 2019, ISSN 1931-7379. commons.erau.edu/adfsl/2019/paper-presentation/7/
All the details are here - https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html
Igor Korkin
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
In Proceedings of the BlackHat Europe Conference, London, UK, December 5-6, 2018.
All the details are here - igorkorkin.blogspot.com/2018/12/divide-et-impera-memoryranger-runs.html
https://www.blackhat.com/eu-18/briefings/schedule/index.html#divide-et-impera-memoryranger-runs-drivers-in-isolated-kernel-spaces-12668
Igor Korkin
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel
Proceedings of the 13th Annual ADFSL 2018 Conference on Digital Forensics, Security and Law, San Antonio, Texas, USA, May 17-18, 2018, ISSN 1931-7379.
All the details are here - https://igorkorkin.blogspot.com/2018/03/hypervisor-based-active-data-protection.html
Igor Korkin, Satoshi Tanda
Detect Kernel-Mode Rootkits via Real-Time Logging & Controlling Memory Access
Proceedings of the 12th Annual ADFSL 2017 Conference on Digital Forensics, Security and Law, Daytona Beach, Florida, USA, 15-16 May 2017, ISSN 1931-7379.
All the details are here - https://igorkorkin.blogspot.com/2017/03/memorymonrwx-detect-kernel-mode.html
Satoshi Tanda, Igor Korkin
Monitoring & controlling kernel-mode events by HyperPlatform
REcon conference, Montreal, Canada, 17-19 June 2016.
All the details are here - https://igorkorkin.blogspot.com/2016/06/monitoring-controlling-kernel-mode.html
Igor Korkin, Ivan Nesterov
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware
Proceedings of the 11th Annual ADFSL 2016 Conference on Digital Forensics, Security and Law, Daytona Beach, Florida, USA, 24-26 May 2016, ISSN 1931-7379, pp 47-82
All the details are here - https://igorkorkin.blogspot.com/2016/05/acceleration-of-statistical-detection.html
Igor Korkin
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations
Journal of Digital Forensics, Security and Law, Vol 10, No 2, pp 7-38, September 2015, ISSN: 1558-7223. Retrieved from commons.erau.edu/jdfsl/vol10/iss2/2
dx.doi.org/10.15394/jdfsl.2015.1200
Igor Korkin
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations
Proceedings of the 10th Annual ADFSL 2015 Conference on Digital Forensics, Security and Law, Daytona Beach, Florida, USA, 19-21 May 2015, ISSN 1931-7379, pp 33-57
All the details are here - https://igorkorkin.blogspot.com/2015/05/two-challenges-of-stealthy-hypervisors.html
Igor Korkin, Ivan Nesterov
Applying Memory Forensics to Rootkit Detection
Proceedings of the 9th Annual ADFSL 2014 Conference on Digital Forensics, Security and Law, Richmond, Virginia, USA, 28-29 May 2014, ISSN 1931-7379, pp 115-141
All the details are here - https://igorkorkin.blogspot.com/2014/07/applying-memory-forensics-to-rootkit.html
Other Publications in English:
Igor Korkin
Anti-Rootkits in the Era of Cyber Wars
Hakin9 Extra Magazine, English Edition, Vol.2. No.7 Issue 07/2012 (11) ISSN 1733-7186. August 2012, pp 26-29
Igor Korkin
Strong Approach to Hardware-VM Rootkits Detection
Hakin9 Extra Magazine, English Edition, Issue 06/2011 (6) ISSN 1733-7186. November 2011, pp 30-33
Other Publications in Russian:
Korkin I. Y., Lyashenko V. A., Lipnitsky A. A., Pak M. A., Bykovsky P. S.
Analysis of Memory Dump Approaches for the MAC OS
Actual Scientific Research in the Modern World (Aktualʹnye naučnye issledovaniâ v sovremennom mire). ISSN: 2524-0986, Issues 6-2 (62), 2020. https://elibrary.ru/item.asp?id=43092509
I. Y. Korkin, V.A. Poddubnyy
Advanced Rootkit Detection Using Memory Forensics
CyberSecurity, Issue 05/2019 (33), 75-82, August 18, 2019, https://cyberrus.com/wp-content/uploads/2019/08/75-82-533-19_11.-Poddubnyy.pdf
I. Y. Korkin, O.A. Kazakov
Revealing Cryptocurrency Mining Malware via Event Tracing for Windows (ETW)
CyberSecurity, Issue 05/2019 (33), 83-88, August 18, 2019, https://cyberrus.com/wp-content/uploads/2019/08/83-88-533-19_12.-Kazakov.pdf
I. Y. Korkin, O. A. Kazakov
Detection of Hidden Cryptocurrency Mining Malware in Windows OS
7th International Scientific and Practical Conference 'Information Security Management in Modern Society', National Research University Higher School of Economics, Moscow, Russia, May 29-30, 2019, https://vipforum.ru/upload/events/vshe/Программа%20УИБ2019_Ф.pdf
I. Y. Korkin, V. A. Poddubnyy
Detection of Hidden Executable Code in Windows Memory
7th International Scientific and Practical Conference 'Information Security Management in Modern Society', National Research University Higher School of Economics, Moscow, Russia, May 29-30, 2019, https://vipforum.ru/upload/events/vshe/Программа%20УИБ2019_Ф.pdf
I. Y. Korkin
Cyber-Security of Autonomous Wireless Medical Devices For Supporting Life
Skolkovo Cybersecurity Challenge 2016 (Cyberday Conference 2016), Moscow, Russia
I. Y. Korkin
Rootkits: Security Issues and Trends
Hacker Magazine, Issue 05/2013 (172), ISSN 1609-1019, 74-79.
I. Y. Korkin
Hypervisor Level Detection Method in Computer Systems
21 Russian Scientific Conference "Methods and technical tools of information security", 2012, 110-113.
A. E. Zhukov, I. Y. Korkin, B. M. Sukhinin
Processor Instructions Execution Models in Computer Systems Supporting Hardware Virtualization When an Intruder Takes Detection Countermeasures
Security of Information Technologies №1, 2012, ISSN 2074-7128, 85-89.
I. Y. Korkin
The Proof of Statistical Criteria for Hardware Virtualization-Based Rootkits Detection in Computer Systems
Security of Information Technologies №1, 2012, ISSN 2074-7128, 90-92.
I. Y. Korkin
Detection of Nested Virtual Machine Monitors (Hypervisors)
High Availability Systems №2, 2011, ISSN 2072-9472, 76-77.
I. Y. Korkin
Statistical Detection of Nested Virtual Machine Monitors
20 Russian Scientific Conference "Methods and technical tools of information security", 2011, 146-147.
I. Y. Korkin
New Statistical Metrics and Methods of Virtual Machines Monitors Detection in Computer Systems
Natural and Engineering Sciences №4, 2011, ISSN 1684-2626, 498-502.
I. Y. Korkin
Detection Hardware Virtual Machine Based Rootkits Method with Caching Approach
Security of Information Technologies №1, 2011, ISSN 2074-7128, 101-103.
I. Y. Korkin
Statistical Identification of Computer Systems’ Modes
15 Conference "Telecommunications and New Information Technologies in Education", 2011, 163.
I. Y. Korkin
A New Approach to Identify Hardware Virtualization in Computer Systems
14 International Telecommunication Conference of Students and Young Scientists' "Youth and Science", 2010, 241-242.
I. Y. Korkin
Virtual Machine Monitors Detection Method
19 Russian Scientific Conference "Methods and technical tools of information security", 2010, 113-114.
I. Y. Korkin
Hardware Virtualization Method Detection in Computer Systems
17 Russian Scientific Conference "Information security issues in universities system", 2010, 114-115.
I. Y. Korkin
Stealthy Processes Detection Method in Windows
16 Russian Scientific Conference "Information security issues in universities system", 2009, 111-112.
I. Y. Korkin
Stealthy Malware Technologies and New Ways of Detecting Them
Security of Information Technologies №1, 2009, ISSN 2074-7128, 43-46.
I. Y. Korkin, P. I. Prokopsev, P. P. Pavlishin, E. A. Semenkova
Measuring the sharp surface of cutting tools (Cutter profilometer)
Journal of “Tractors and agricultural machinery”, №5, 2005, ISSN 0235-8573, 35-36.