Rootkits

Four types:

  • Userland - Patching, Import Address Table, inline

  • Kernel - IDT, SSDT, DKOM, Driver IRP

  • Hypervisor (bootkit) - Boot Sector, MBR, GPT, VBR

  • Firmware / Hardware - UEFI, Micro-controller, Hard Drive

Userland

The simplest form of rootkit. It sits where applications and users interact with the operating system (userland) and works by hooking or redirecting the import address table pointers of running processes, or by directly patching loaded code in memory, so that execution is redirected to the rootkit's code.

Less likely to crash processes or the system than other classes of rootkit, but more exposed to detection because everything it does is visible from user mode. Legitimate applications also hook in userland, however, so telling malicious hooks apart from benign ones can be difficult.

Import Address Table (IAT) hooks - the simplest form of userland rootkit: overwrite a function pointer in a process's IAT so that every call to that import lands on the rootkit's code, which usually forwards to the real function and then filters the result

Inline/Trampoline hooks - modify the target function itself, overwriting its first bytes with a jump (or equivalent) to the malicious code; the displaced bytes are kept in a trampoline so the original can still be called

Examples of legitimate hookers: svchost, VMware Tools (vmtools), security tools, and CodeMeter / HASP copy protection. Commonly hooked DLLs:

  • setupapi.dll

  • mswsock.dll

  • sfc_os.dll

  • adsldpc.dll

  • advapi32.dll

  • secur32.dll

  • ws2_32.dll

  • iphlpapi.dll

  • ntdll.dll

  • kernel32.dll

  • user32.dll

  • gdi32.dll
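The two userland techniques above, as an added example that is not part of the original page. The first half models an IAT as what it is, an array of function pointers, installs a hook that forwards to the original and tampers with the result, and detects it by comparing each slot against the expected export address (here captured as a baseline; a real detector resolves the export from the on-disk module). The second half is the inline-hook check a scanner runs over a function's first bytes, recognising the common x64 patch patterns (jmp rel32, jmp [rip+disp32], mov rax/jmp rax) and computing the jump target. The function name, the mock IAT and the sample prologue bytes are constructed for illustration, and the operand decoding assumes a little-endian host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- IAT hook: an import table is just an array of function pointers --- */

typedef int (*import_fn)(int);

/* The "real" export the process imports (stands in for e.g. a kernel32 function). */
static int real_get_count(int x) { return x + 1; }

/* Mock IAT with one slot; in a real PE the loader fills these in at load time. */
#define IAT_SLOTS 1
static import_fn iat[IAT_SLOTS] = { real_get_count };
/* Expected targets, as a detector obtains by resolving exports from the on-disk
 * module. Here captured as a baseline before any hook is installed. */
static import_fn iat_expected[IAT_SLOTS];

static import_fn orig_get_count;
/* Rootkit hook: forwards to the original, then tampers with the result
 * (here it hides one item from whatever the caller is counting). */
static int hooked_get_count(int x) { return orig_get_count(x) - 1; }

void snapshot_expected_iat(void) { memcpy(iat_expected, iat, sizeof iat); }

void install_iat_hook(void) {
    orig_get_count = iat[0];     /* keep the real target so the hook can forward */
    iat[0] = hooked_get_count;   /* swap the pointer; callers never notice */
}

/* How compiled code calls an import: an indirect call through the IAT slot. */
int call_get_count(int x) { return iat[0](x); }

/* Detection: any slot whose pointer differs from the resolved export is hooked. */
int count_hooked_iat_slots(void) {
    int n = 0;
    for (int i = 0; i < IAT_SLOTS; i++)
        if (iat[i] != iat_expected[i]) n++;
    return n;
}

/* --- Inline hook: detect a patched x64 prologue from its raw bytes --- */

/* Returns the jump target, or 0 if no hook pattern is found. Patterns:
 *   E9 rel32             jmp rel32
 *   FF 25 disp32         jmp [rip+disp32]  (returns the pointer slot's address)
 *   48 B8 imm64 FF E0    mov rax, imm64; jmp rax
 * Operand decoding via memcpy assumes a little-endian host. */
uint64_t inline_hook_target(const uint8_t *code, size_t len, uint64_t code_addr) {
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel; memcpy(&rel, code + 1, 4);
        return code_addr + 5 + (int64_t)rel;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        int32_t disp; memcpy(&disp, code + 2, 4);
        return code_addr + 6 + (int64_t)disp;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 && code[10] == 0xFF && code[11] == 0xE0) {
        uint64_t imm; memcpy(&imm, code + 2, 8);
        return imm;
    }
    return 0;
}

/* Constructed sample prologues (not captured from a real system). */
const uint8_t sample_clean[]   = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74, 0x24, 0x10 }; /* mov [rsp+8],rbx; mov [rsp+10h],rsi */
const uint8_t sample_jmp_rel[] = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };                               /* jmp +0xFFB */
const uint8_t sample_mov_jmp[] = { 0x48, 0xB8, 0x00, 0x00, 0x34, 0x12, 0xF8, 0x7F, 0x00, 0x00, 0xFF, 0xE0 }; /* mov rax,7FF812340000h; jmp rax */

int main(void) {
    const uint64_t fn_addr = 0x7FF800001000ULL; /* pretend load address of the scanned function */
    snapshot_expected_iat();
    printf("before hook: get_count(5)=%d, hooked slots=%d\n", call_get_count(5), count_hooked_iat_slots());
    install_iat_hook();
    printf("after hook:  get_count(5)=%d, hooked slots=%d\n", call_get_count(5), count_hooked_iat_slots());
    printf("clean prologue -> 0x%llx\n", (unsigned long long)inline_hook_target(sample_clean, sizeof sample_clean, fn_addr));
    printf("jmp rel32      -> 0x%llx\n", (unsigned long long)inline_hook_target(sample_jmp_rel, sizeof sample_jmp_rel, fn_addr));
    printf("mov rax/jmp    -> 0x%llx\n", (unsigned long long)inline_hook_target(sample_mov_jmp, sizeof sample_mov_jmp, fn_addr));
    return 0;
}
```

The IAT check is cheap and precise but only covers imports; the prologue check catches hooks on any function, including ones resolved dynamically via GetProcAddress, at the cost of having to recognise each patch pattern (and a hook placed a few instructions in, past the first bytes, evades a first-byte-only scan).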

Kernel (DKOM)

Kernel rootkits can subvert everything running within the OS, often with small changes. Modifying critical system tables such as the IDT, the SSDT or a driver's IRP dispatch table redirects code execution, and direct kernel object manipulation (DKOM) alters kernel structures in place, for example unlinking a process from the active-process list so that enumeration no longer shows it. These are very difficult to detect from within the running OS.
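DKOM process hiding and the cross-view check that exposes it, as an added example that is not part of the original page. The structures are mocks: a LIST_ENTRY-style circular list standing in for EPROCESS.ActiveProcessLinks (anchored at PsActiveProcessHead), and a flat PID table standing in for the kernel's separate process ID table (PspCidTable). Real EPROCESS layouts differ per build and are not reproduced here. The process names and PIDs are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* LIST_ENTRY-style doubly linked list, as used by EPROCESS.ActiveProcessLinks. */
typedef struct list_entry { struct list_entry *flink, *blink; } LIST_ENTRY;

typedef struct mock_eprocess {
    unsigned   pid;
    char       image[16];
    LIST_ENTRY links;      /* stands in for ActiveProcessLinks */
} MOCK_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

#define MAX_PROCS 8
static MOCK_EPROCESS procs[MAX_PROCS];
static LIST_ENTRY active_head;              /* stands in for PsActiveProcessHead */
static unsigned pid_table[MAX_PROCS];       /* second view, stands in for PspCidTable */
static size_t nprocs;

void init_process_list(void) {
    /* Constructed sample process set. */
    const struct { unsigned pid; const char *img; } sample[] = {
        {4, "System"}, {612, "csrss.exe"}, {1337, "rootkit.exe"}, {2048, "explorer.exe"}
    };
    nprocs = 0;
    active_head.flink = active_head.blink = &active_head;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        MOCK_EPROCESS *p = &procs[nprocs];
        p->pid = sample[i].pid;
        strncpy(p->image, sample[i].img, sizeof p->image - 1);
        p->image[sizeof p->image - 1] = '\0';
        /* insert at the tail of the circular list */
        p->links.flink = &active_head;
        p->links.blink = active_head.blink;
        active_head.blink->flink = &p->links;
        active_head.blink = &p->links;
        pid_table[nprocs] = p->pid;  /* the PID table is maintained independently */
        nprocs++;
    }
}

/* DKOM hide: unlink the entry from the active list. The process keeps running
 * because scheduling works on thread lists, not this one. Pointing the entry's
 * own flink/blink at itself keeps a later unlink (process exit) from touching
 * its former neighbours. */
int dkom_hide_pid(unsigned pid) {
    for (LIST_ENTRY *e = active_head.flink; e != &active_head; e = e->flink) {
        if (CONTAINING_RECORD(e, MOCK_EPROCESS, links)->pid == pid) {
            e->blink->flink = e->flink;
            e->flink->blink = e->blink;
            e->flink = e->blink = e;
            return 1;
        }
    }
    return 0;
}

/* View 1: what a list walker (Task Manager, NtQuerySystemInformation consumers) sees. */
size_t walk_active_list(unsigned *out, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = active_head.flink; e != &active_head && n < max; e = e->flink)
        out[n++] = CONTAINING_RECORD(e, MOCK_EPROCESS, links)->pid;
    return n;
}

/* Cross-view detection: a PID present in the PID table but absent from the
 * list walk has been unlinked. Returns the number of hidden PIDs found. */
size_t find_hidden_pids(unsigned *out, size_t max) {
    unsigned seen[MAX_PROCS];
    size_t nseen = walk_active_list(seen, MAX_PROCS), n = 0;
    for (size_t i = 0; i < nprocs; i++) {
        int found = 0;
        for (size_t j = 0; j < nseen; j++)
            if (seen[j] == pid_table[i]) found = 1;
        if (!found && n < max) out[n++] = pid_table[i];
    }
    return n;
}

int main(void) {
    unsigned seen[MAX_PROCS], hidden[MAX_PROCS];
    init_process_list();
    printf("visible before hide: %zu\n", walk_active_list(seen, MAX_PROCS));
    dkom_hide_pid(1337);
    printf("visible after hide:  %zu\n", walk_active_list(seen, MAX_PROCS));
    size_t nh = find_hidden_pids(hidden, MAX_PROCS);
    for (size_t i = 0; i < nh; i++) printf("hidden pid: %u\n", hidden[i]);
    return 0;
}
```

This is the principle behind memory-forensics process scans: the list walk is trusted by the OS's own APIs, so a detector needs an independent view (a PID table, a pool scan for process objects, or a thread-list walk) and flags whatever only one view reports.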

Microsoft has worked to mitigate kernel rootkits on 64-bit Windows with Kernel Patch Protection (PatchGuard), which bug-checks the system when protected structures such as the SSDT or IDT are modified, and Driver Signature Enforcement, which refuses to load unsigned kernel drivers.

Hypervisor Bootkits

Virtualisation (hypervisor) rootkits are the successor of boot sector and master boot record attacks: the rootkit takes control before the OS and runs it beneath a thin hypervisor or a patched boot chain. Hardware-backed features such as the TPM, measured boot and UEFI Secure Boot prevent many of these techniques, and as older systems without them are replaced these features are proving very effective against bootkits.

Hardware/ Firmware

The newest generation of rootkits, which seek to minimise their footprint on disk to obfuscate and complicate detection. Although generally rare and highly system-dependent, they typically still require more traditional rootkit techniques (such as loading a driver) to get set up, so detection at that stage remains feasible.

Bring your own Vulnerable Driver (BYOVD)

Drivers are kernel-mode code loaded into the operating system kernel to extend its functionality.

BYOVD takes advantage of flaws in existing, legitimately signed Windows drivers to gain kernel access, typically in order to load or act on behalf of a secondary malicious driver, because since Windows 10 1607 64-bit Windows only loads new kernel drivers that have been signed through Microsoft's Dev Portal (with Secure Boot enabled). Drivers are most commonly loaded by creating a kernel-driver service; forensic artifacts include memory, event logs (System log event ID 7045 records the new service installation) and registry entries under HKLM\SYSTEM\CurrentControlSet\Services.

LOLDrivers was made to help investigators by cataloguing known vulnerable and malicious drivers: https://www.loldrivers.io/
