Security research and development framework

Amr Thabet Q-CERT

  download slides (PDF)

This is a free open-source development framework created to support the writing of security tools and malware analysis tools and to convert security research and ideas from the theoretical approach to the practical implementation.

This development framework has been created mainly to support the malware field to create malware analysis tools and anti-virus tools easily without reinventing the wheel and to inspire innovative minds to write their research in this field and implement it using SRDF.

The framework is divided into two parts: User-Mode and Kernel-Mode

The User Mode Features:

  • Assembler and disassembler
  • x86 emulator
  • Debugger
  • PE analyzer & ELF analyser
  • Process analyser (loaded DLLs, memory maps, etc.)
  • MD5, SSDeep and WildList Scanner (YARA)
  • API hooker and process injection
  • Backend database, XML serializer
  • Pcap reader and packet analyser
  • And many more

The Kernel-Mode part tries to make it easy to write your own filter device driver (not with WDF and callbacks) and gives an easy, object-oriented (as much as we can) development framework with these features.

The Kernel Mode Features:

  • Object-oriented and easy to use development framework
  • Easy IRP dispatching mechanism
  • SSDT hooker
  • Layered devices filtering
  • TDI firewall
  • File and registry manager
  • Kernel mode easy to use internet sockets
  • Filesystem filter
The Kernel-Mode part is still in progress and many features will be added in the near future.

The presentation will cover the following:

  • The project's goal and the requirements of a security development platform
  • The design of the project and how it meet its goals
  • The features of the Security Research and Development Framework and what it can do
  • The roadmap of the project and what's the next for the project
  • How to build tools easily with the Security Research and Development Framework and some success stories

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.