Hacking Notes
  • Ports & Enumeration
  • Antivirus Evasion
    • AMSI bypass
    • Macros / VBA
    • ETW bypass
    • EDR Evasion
    • EXE Packers
    • Powershell process-injection
    • Shellter
    • Payload generation
  • Port Forwarding
    • SSH
    • NetSH
    • Tools
    • Chisel
    • Meterpreter
  • Cloud
  • Word List Creation
  • Active Directory
    • Domain Enumeration
    • Domain Trusts
    • Domain Mapping
    • discretionary access control list (DACL)
      • ForceChangePassword
      • AddKeyLinkCredential
      • GenericWrite/ GenericAll
      • WriteOwner
      • GPO Exploitation
    • MS SQL
    • gMSA
    • Exchange
    • Group Exploitation
    • Domain Exploitation
    • Kerberos Attacks
    • SCCM
    • NTDS dumping
    • Impacket
    • ADCS exploitation
      • ESC 1
      • ESC4
      • ESC7
    • Privilege Escalation
      • Windows
        • System Enumeration
        • Credentials enumeration
        • Unsecure Service Path
        • Unsecure Path security
        • Misconfigured Reg
        • DLL Hijacking
        • Privilege enumeration
          • Tools
        • Vulnerable Apps
        • UAC Bypass
        • Service Enumeration
      • Unix
        • Linux Enumeration
        • Insecure File Permissions
        • Linux Escalate
        • Restricted shell escape
    • LAPS
  • Cloud
    • Azure
      • Tools
        • AzureCli - AZ
        • AzureCli - PowerShell
        • AzureAD
        • MicroBurst
        • SkyArk
        • PowerZure
        • BlueMap
        • AzureHound
        • BARK
        • GraphRunner
      • User attacks
        • CredMaster
        • TrevorSpray
      • o365
    • G-Cloud
    • Enumeration
      • AWS Cli
        • AWS Cli
      • Pacu
      • Organizational Trust
  • Web Application
    • Info
    • Log Poisoning / PHP Wrapping
    • HTTP Request Smuggling
    • Client Side Desync
    • Enumeration
    • Databases
    • SQL Injection
      • WAF Bypass
    • WebSocket
    • File Inclusion
    • Brute forcing
    • Cross Site Scripting (XSS)
  • Cracking
    • Hashcat
    • John The Ripper
    • Wireless
  • Wireless
    • Tools
    • WPS
    • WEP
    • WPA/ WPA-2/ WPA-3
    • WPA-Enterprise
    • PMKID
    • Captive Portal
  • DFIR
    • Forensics
      • Plaso
      • Microsoft
      • Windows
        • Anti-Forensics
        • Microsoft Forensics
          • ShimCache/ AppCompatCache
          • Defender
          • PowerShell / CMD
          • Registry
          • AmCache
          • Zone.Identifiers ADS
          • RecentFileCache
          • Prefetch
          • Lnk
          • Jumplist / RecentFiles
          • Shellbags
          • BAM/ DAM
          • SRUM
          • NTFS
          • EVTX
            • Security logs
            • WMI-Activity Operations
              • PowerShell/WinRM Operational
            • Task Scheduler
            • RDP Activity
            • Lateral Movement
          • hunting
          • Recycle Bin
          • Scheduled Tasks
        • o365
          • Mailbox Rules
      • Timeline Analysis
      • Forensics Tooling
        • Log2Timline / Plaso
        • Quarantine extraction
        • Scanning
          • Signature Scanning
          • AV Scanning
        • Logon Tracer
        • TimeSketch
        • Bulk_Extractor
        • FLS & Mactime
        • Manual Forensics
        • FTK
        • BulkExtractor & BulkExtractor-Rec
      • Linux
      • Azure
      • Active Directory
      • AnyDesk
    • Memory Analysis
      • Windows
        • Memory Acquisition
        • Code Injection
        • Rootkits
        • Rootkits
        • WMI/ PowerShell
        • Persistence & Lateral movement
        • Memory Acquisition
        • Baseliner
        • Identifying Code injection
        • Rookits
        • Process Objects
      • Tooling
        • Strings, bstrings and grep
        • Volatility
          • VolWeb
          • Memory Baseliner
        • MemProcFS
          • Code Injection
    • ReverseEngineering
    • Mobile
  • Networking
    • Radio
    • Vlans & Wired networking
    • Network Access Control
    • IPV6
    • Wireless
      • cracking
      • Aircrack-ng
      • WEP
      • WPA/ WPA2
      • WPA Enterprise
      • WPS
    • Bluetooth
  • Misc
    • Shells
      • WinRM / PowerShell
      • WinRM
      • Msfconsole
      • WinRM// PowerShell
      • Socat
      • Python
      • Netcat
      • PHP
      • Upgrade Shells
      • PowerCat
    • Buffer Overflow
      • General Information
      • Exploiting BufferOverflow
        • Find the Offset
        • Build the Exploit
        • Identifiy The BufferOverflow Character
        • Identify BadChars
        • Find the Jump Point
        • Generate Payload
        • Create Padding
    • Powershell
      • Quick Commands
      • Powershell Lateral Movement
    • Random Bits
    • Phishing
    • Coding
      • C#
    • Git
  • Command & Control
    • Meterpreter
    • Droppers
    • CobaltStrike
      • teamserver
      • Payload generation
        • Stagers
        • AV/EDR Bypass
          • Obfuscation
          • Sandbox Evasion
          • Win32 API
          • EDR Evasion
          • Encrypters
      • Listeners
      • Malleable Profiles
      • Initial Acces / Aggressors
      • Beacon Object Files (BOF)
      • Cheatsheet
    • Lateral Movement
    • Persistence
      • Low Priv User
      • High Priv User
  • Mobile App Testing
    • IOS
Powered by GitBook
On this page
  • Four types:
  • Userland
  • Kernel (DKOM)
  • Hypervisor Bootkits
  • Hardware/ Firmware
  • Bring your own Vulnerable Driver (BYOVD)
Edit on GitHub
  1. DFIR
  2. Memory Analysis
  3. Windows

Rootkits

Four types:

  • Userland - Patching, Import Address Table, inline

  • Kernel - IDT, SSDT, DKOM, Driver IRP

  • Hypervisor (bootkit) - Boot Sector, MBR, GPT, VBR

  • Firmware / Hardware - UEFI, Micro-controller, Hard Drive

Userland

the simplest form of rootkit, sits in the operating system where applications and users interact (userland). involves hooking / redirecting the import address table pointers of running processes and directly patching loaded code in memory to redirect execution paths.

Less likely to crash processes/systems than other rootkits but more vulnerable to detection. Userland hooking is also performed applications so can be difficult to detect.

Import Address table (IAT) - simplest form of usland rootkits, changes the address location in a process's IAT

Inline/Trampoline hooks - modify functions themselves adding a jump (or equivalent) to the malicious code

Example of legitimate hooks: svchost, vmtools, security tools, and codemeter/ hasp copy protection. DLL examples:

  • setupapi.dll

  • mswsock.dll

  • sfc_os.dll

  • adsldpc.dll

  • advapi32.dll

  • secu32.dll

  • ws2_32.dll

  • iphlpapi.dll

  • ntdll.dll

  • kernel32.dll

  • user32.dll

  • gdi32.dll

Kernel (DKOM)

can subvert everything running within the OS, often with simple changes. Modification of critical system tables like IDT, SSDP, IRP can redirect code execution and attacks like direct kernel object manipulation (DKOM). Very difficult to detect and can be used to unhook specific processes

Microsoft have worked to mitigate kernel rootkit technology via PatchGuard and Driver Signature Enforcement

Hypervisor Bootkits

virtualisation attacks are the successor of boot sector and master boot record attacks. Hardware based features like TPM and security boot technologies prevent many of these techniques and as older systems are replaced, are very effective against bootkits.

Hardware/ Firmware

newest generation of rootkits that seek to limit footprint on disk to obfuscate and complicate detection. although generally rare, they are very system-dependent, and typically required more traditional rootkit techniques (like driver loading), to setup making detection still feasible.

Bring your own Vulnerable Driver (BYOVD)

Drivers provide the operating system kernel code (injected into kernel) to extend its functionality.

BYOVD takes advantage of flaws in existing Windows drivers to load a secondary malicious driver (as from Win10 1607, Microsoft enforce all drivers to be signed by them). Services are most commonly to load drivers (forensics artifacts include, memory event logs and registry entries).

PreviousCode InjectionNextRootkits

Last updated 11 months ago

Loldrivers was made to help investigators:

https://www.loldrivers.io/