Rootkits and Bootkits

This post will take a look at Windows internals and see how attackers are able to use rootkits and bootkits to attack systems.

Rootkits are malicious software that actively conceals its existence and actions from the operating system and its users. Because they run with kernel privileges, they provide a glimpse into the challenges facing kernel security: once code is inside the kernel, nothing in the kernel can fully be trusted to report on it.

Bootkits are malware that infects the boot process itself, corrupting or changing the behavior of the Master Boot Record (or the volume boot record and boot loader that follow it), so that their code runs before the Windows kernel loads and can tamper with the kernel as it is brought up. Bootkits are also rootkits whenever they try to hide their presence, which most do.

Rootkits are much more common on 32-bit machines, because 64-bit Windows enforces kernel-mode driver signing and Kernel Patch Protection, though some techniques can still be used to attack 64-bit machines. These tactics include bypassing the driver signing check, stealing legitimate code-signing certificates to sign the malicious driver, or modifying the Windows boot path so that the checks are disabled or never run (the route a bootkit takes).

Because kernel memory is flat, and any driver can access any part of it, it is a prime target for stealth attacks. Code can be overwritten or modified anywhere: function pointers can be redirected to attacker-controlled handlers, and new executable code can be placed in any kernel page.

Using LiveKD in addition to the other forensic tools previously used, we can get a good idea of what the Agony rootkit is doing. Running the command `dps nt!KiServiceTable L 191` lists all of the SSDT (System Service Descriptor Table) entries; each entry is a pointer to the kernel function that implements one system call. Agony hooks three of these entries, filtering for the calls it cares about and passing the rest on to the real handler. These hooks can be identified in the table not only by their missing `nt!` symbol name, but by their address in memory, which lies outside the kernel image (`ntoskrnl`) address range. Because the malware's hook still calls the original handler, the original address can be recovered from the hook code and written back into the table, subverting the malware.
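The check described above, as an added example that is not part of the original post or of any named tool: a small Python script that parses the output of `dps nt!KiServiceTable L 191` from a 32-bit system (where each slot holds an absolute pointer) and flags every slot whose handler falls outside the `ntoskrnl` image range. The sample `dps` lines, the `nt` base and end addresses (what `lm m nt` would report), the `KiServiceTable` address and the `agony` module name are all constructed for the example. On 64-bit Windows the table holds encoded relative offsets rather than absolute pointers, so this check does not apply there as written.

```python
"""Flag SSDT entries whose handler lies outside the kernel image.

Added example, not code from the original post.  Parses WinDbg
`dps nt!KiServiceTable L 191` output from a 32-bit system, where each
slot holds an absolute pointer to a system service handler, and reports
every slot that points outside the ntoskrnl image range.
"""
import re
from dataclasses import dataclass

# Constructed sample of `dps` output: slot address, stored pointer, symbol.
# Two slots (indexes 3 and 5) have been redirected into an assumed
# driver module called "agony"; one of them has no symbol at all.
SAMPLE_DPS_OUTPUT = """\
80502b8c  805e7e3e nt!NtAcceptConnectPort
80502b90  8060bbb2 nt!NtAccessCheck
80502b94  805f7e82 nt!NtAccessCheckAndAuditAlarm
80502b98  f9e1a2c0 agony+0x12c0
80502b9c  805be8d8 nt!NtAccessCheckByTypeAndAuditAlarm
80502ba0  f9e1a3f0
"""

# Constructed values standing in for what `lm m nt` and `x nt!KiServiceTable`
# would report on the system being examined.
NT_BASE = 0x80400000
NT_END = 0x806E2000
KI_SERVICE_TABLE = 0x80502B8C

# One dps line: 8 hex digits (slot), 8 hex digits (value), optional symbol.
DPS_LINE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s*(.*)$")


@dataclass
class Hook:
    index: int      # system service number: (slot - table base) / 4
    slot: int       # address of the SSDT slot holding the pointer
    handler: int    # pointer currently stored in the slot
    symbol: str     # symbol WinDbg resolved for that pointer, if any


def parse_dps(text):
    """Return (slot, handler, symbol) tuples for every parsable dps line."""
    entries = []
    for line in text.splitlines():
        m = DPS_LINE.match(line.strip())
        if not m:
            continue  # prompt, blank line or wrapped text: not a table row
        slot, value, sym = m.groups()
        entries.append((int(slot, 16), int(value, 16), sym.strip()))
    return entries


def find_hooks(entries, nt_base=NT_BASE, nt_end=NT_END, table=KI_SERVICE_TABLE):
    """Flag slots whose handler is outside nt, or resolves to a non-nt symbol."""
    hooks = []
    for slot, handler, sym in entries:
        in_kernel = nt_base <= handler < nt_end
        if in_kernel and (sym == "" or sym.startswith("nt!")):
            continue  # points into ntoskrnl and carries no foreign symbol
        hooks.append(Hook(index=(slot - table) // 4, slot=slot,
                          handler=handler, symbol=sym or "<no symbol>"))
    return hooks


def restore_command(hook, original_handler):
    """WinDbg command that writes the original pointer back into the slot.

    The original pointer is whatever the hook code passes through to; it
    must be read from the hook itself (e.g. with `u` on hook.handler).
    """
    return f"ed {hook.slot:08x} {original_handler:08x}"


if __name__ == "__main__":
    for h in find_hooks(parse_dps(SAMPLE_DPS_OUTPUT)):
        print(f"service {h.index:#05x} slot {h.slot:08x} -> "
              f"{h.handler:08x} {h.symbol} (outside nt)")
```

The index column is the system service number, which is what a process's `ntdll` stubs place in `eax` before the `sysenter`; it lets you map a flagged slot back to the `Nt*` API being intercepted even when the symbol is gone. The `ed` command only undoes the pointer swap; it does not remove the hook code or the driver that installed it.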

WinDbg gives you the functionality to debug the kernel itself. To start, with a kernel debugging session attached, press CTRL+Break in WinDbg (or choose Break from the Debug menu) to halt the target and get a kernel prompt.

This post has covered a lot of different things. Hopefully it has added tools and knowledge that build a stronger understanding of kernel malware and how to detect and prevent it.
