Hooking, or code-flow subversion, is a critical part of rootkit technology, and most rootkits implement it in one form or another. This section discusses different approaches to hooking along with their merits and drawbacks. Discussions cover hooking functions inline, call tables, the import address table (IAT), the interrupt descriptor table (IDT), the system service descriptor table (SSDT), object type callbacks, driver dispatch tables, etc.
Kernel Mode Security
Every release of Windows raises the security bar by adding platform security mitigations that make kernel mode rootkits harder to install and execute. This section discusses some of these techniques and their effectiveness in thwarting rootkits. Mitigations such as kernel mode code signing (KMCS), kernel patch protection (KPP/PatchGuard), secure/measured/trusted boot, supervisor-mode execution prevention (SMEP), No-Execute (NX) pools, etc. are covered here.
The kernel patch protection technology on 64-bit versions of Windows attempts to prevent hooking in the kernel. To allow kernel mode components (primarily anti-malware software) to continue intercepting system-wide operations, Windows provides a number of supported filtering mechanisms. This section covers mechanisms such as IRP-based filters, registry callbacks, file system mini-filters, image load notifications, process/thread creation/deletion/access callbacks, network filters and early launch anti-malware.
Invisibility is one of the most important characteristics of a rootkit. This section covers some of the techniques rootkits use to hide themselves, such as direct kernel object manipulation (DKOM), position independent code, driver object grafting, and filtering of directory listings and registry queries. Techniques used by rootkits for privilege escalation, anti-debugging and stealth execution are also covered.
In order to regain execution after a system reboot, rootkits need to make themselves persistent by writing to the file system, the disk and optionally the registry. This section covers the different persistence techniques, such as auto-start entry points (ASEPs), system binary trojaning, master/volume boot record (MBR/VBR) injection, direct disk writes, shadow volumes, alternate data streams (ADS), etc. Techniques used by rootkits for self-protection are also covered.
Detecting the latest and most sophisticated kernel mode rootkits is an ongoing race: rootkit detectors must study the latest malware trends and add support for them. This section covers some of the contemporary rootkit detectors, which take different approaches to pinpointing modifications to code and data structures in the kernel. Tools like the Volatility Framework, GMER and Kernel Detective, as well as classic rootkits like TDSS/TDL4 and ZeroAccess, are used as case studies.