In this article on kernel mode rootkits we cover user mode, kernel mode, and how a rootkit behaves, and we walk through an example of a kernel rootkit to make the idea concrete.
In short, a kernel mode rootkit is a rootkit that runs inside the kernel of the operating system. On Windows this is almost always a driver.
To start with, the operating system splits into two spaces. There is user space, where applications and all the user's activity run, and kernel space, where the OS talks to the hardware and manages everything else (memory, processes, files and so on).
When we talk about the kernel we are largely talking about drivers, system drivers. You can think of a driver as a translator between the operating system and the hardware. Each piece of hardware has its own driver that controls it: sending commands, reading information back, and so on.
There are several types of drivers, from the bus driver that talks directly to the hardware, through filter drivers, to software drivers. A filter driver sits above or below another driver in the stack and can change or enrich what that driver does without modifying the bus driver itself. A software driver does not control a piece of hardware at all; it runs in the kernel and provides a service that applications reach from user mode. You can refer to Microsoft's document on the types of Windows drivers for more information – types of Microsoft Windows drivers.
The big change for drivers and rootkits:
In older versions of Windows, once you were in the kernel you had the highest privilege on the system and could do anything there. You did not have to sign your driver, and you could load it from code at run time. It was the golden age of the rootkit: you could easily hide almost anything on the system, from running processes, users and registry keys to network connections. This changed with the 64-bit editions of Windows, starting with Windows Vista.
Since that change you have to sign your driver, and the tricks for loading unsigned code into the kernel at run time were blocked. With the kernel locked down, a new era of rootkit was born: the bootkit.
Rootkit vs Bootkit:
The main difference between a rootkit and a bootkit is that a bootkit targets the boot process of the system: the boot sector, the boot loader, or even the BIOS firmware of the device, which it replaces with an infected copy. Infecting the boot path gives the malware a very big advantage: its code runs before the operating system kernel and therefore before any security tool is loaded, so it can bypass most current security products.
Kernel mode rootkit example:
In the image below we demonstrate a kernel-mode rootkit that hides files on the OS. When you open Windows Explorer to browse a folder, it calls a Win32 API named FindFirstFile, which returns the first file in the directory together with a search handle. Using that handle it keeps calling FindNextFile until no more files are returned.
The API call leaves user mode and enters kernel mode (the native call behind it is NtQueryDirectoryFile). From there the request travels down the driver stack: through the file system filter drivers, the file system driver, and finally the storage bus driver that reads the data from the physical hard disk. The answer then travels back up the same road.
Now suppose I write a filter driver that, for this example, filters out every file whose name contains the number 8. When the directory listing comes back up from the file system, the filter unlinks the entries for those files from the result buffer, so they no longer appear in the file list or in the file count and total size that Explorer computes, and passes the trimmed listing to the driver above it. From there it returns to the GUI, our Explorer, which shows the folder without the files we hid.
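To make that filtering step concrete, here is an added example, not code from the original article, that reproduces the core of the filter driver's logic as a user-mode C program you can compile and run anywhere. It assumes a simplified version of the kernel's directory-entry layout: a buffer of records chained by a NextEntryOffset field, which is how the FILE_*_INFORMATION structures returned by NtQueryDirectoryFile are laid out (the real structures carry more fields and UTF-16 names; a char name is used here). The DIR_ENTRY and DIR_BUILDER types, the builder_add, hide_entries, list_names and name_contains_8 functions, and the sample file names are this example's own constructions, not Windows APIs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified layout of the FILE_*_INFORMATION records returned by
 * NtQueryDirectoryFile: records sit back to back, 8-byte aligned, and
 * NextEntryOffset is the byte distance to the next one (0 = last record).
 * Real records carry more fields and a UTF-16 name; char is used here. */
typedef struct {
    uint32_t NextEntryOffset;
    uint32_t FileNameLength;   /* bytes in FileName, not NUL-terminated */
    char     FileName[];
} DIR_ENTRY;

/* Builds a constructed listing in an 8-byte-aligned buffer; not a kernel API. */
typedef struct { unsigned char *buf; size_t cap, len; DIR_ENTRY *last; } DIR_BUILDER;

int builder_add(DIR_BUILDER *b, const char *name) {
    size_t name_len = strlen(name);
    size_t need = (offsetof(DIR_ENTRY, FileName) + name_len + 7) & ~(size_t)7; /* 8-byte rounded */
    DIR_ENTRY *e = (DIR_ENTRY *)(b->buf + b->len);
    if (b->len + need > b->cap) return 0;
    memset(e, 0, need);
    e->FileNameLength = (uint32_t)name_len;
    memcpy(e->FileName, name, name_len);
    if (b->last)   /* chain the previous record to this one */
        b->last->NextEntryOffset = (uint32_t)((unsigned char *)e - (unsigned char *)b->last);
    b->last = e;
    b->len += need;
    return 1;
}

/* The article's rule: hide every file whose name contains the digit 8. */
int name_contains_8(const DIR_ENTRY *e) {
    return memchr(e->FileName, '8', e->FileNameLength) != NULL;
}

/* Unlink every record the predicate matches. This is the work a file-system
 * filter does in its post-operation callback for a directory query, before
 * the buffer travels back up to user mode. Returns the number hidden. */
size_t hide_entries(unsigned char *buf, size_t *len, int (*match)(const DIR_ENTRY *)) {
    size_t hidden = 0;
    DIR_ENTRY *prev = NULL, *cur = (DIR_ENTRY *)buf;
    if (*len == 0) return 0;
    for (;;) {
        DIR_ENTRY *next = cur->NextEntryOffset
            ? (DIR_ENTRY *)((unsigned char *)cur + cur->NextEntryOffset) : NULL;
        if (!match(cur)) {
            if (!next) break;
            prev = cur; cur = next; continue;
        }
        hidden++;
        if (!next) {           /* last record: cut the chain at prev */
            if (prev) { prev->NextEntryOffset = 0; *len = (size_t)((unsigned char *)cur - buf); }
            else *len = 0;     /* everything hidden: a real filter reports STATUS_NO_MORE_FILES */
            break;
        }
        if (prev) {            /* middle record: relative offsets simply add up */
            prev->NextEntryOffset += cur->NextEntryOffset;
            cur = next;
        } else {               /* first record: slide the rest of the buffer down over it */
            size_t skip = cur->NextEntryOffset;
            memmove(buf, (unsigned char *)next, *len - skip);
            *len -= skip;      /* cur still equals buf, which now holds the old next */
        }
    }
    return hidden;
}

/* Copy each record's name (NUL-terminated) into out[]; returns the record count. */
size_t list_names(const unsigned char *buf, size_t len, char out[][32], size_t max) {
    const DIR_ENTRY *e = (const DIR_ENTRY *)buf;
    size_t n = 0;
    if (len == 0) return 0;
    for (;;) {
        if (n < max) snprintf(out[n], 32, "%.*s", (int)e->FileNameLength, e->FileName);
        n++;
        if (e->NextEntryOffset == 0) return n;
        e = (const DIR_ENTRY *)((const unsigned char *)e + e->NextEntryOffset);
    }
}

int main(void) {
    static uint64_t raw[64];                       /* 8-byte aligned storage */
    DIR_BUILDER b = { (unsigned char *)raw, sizeof raw, 0, NULL };
    const char *files[] = { "8_first.bin", "notes.txt", "cache8a.tmp",   /* constructed: match */
                            "cache8b.tmp", "readme.md", "log_2018.txt" }; /* first, in a run, last */
    char names[8][32];
    size_t i, n, len;
    for (i = 0; i < 6; i++) builder_add(&b, files[i]);
    len = b.len;
    printf("hidden %zu of 6\n", hide_entries(b.buf, &len, name_contains_8));
    n = list_names(b.buf, len, names, 8);
    for (i = 0; i < n; i++) printf("  %s\n", names[i]);   /* notes.txt, readme.md */
    return 0;
}
```

In a real file-system filter this same walk runs in the post-operation callback for a directory query over the buffer the file system filled in, and the three cases it handles (the matching record first, in the middle, or last in the buffer) are exactly where careless implementations corrupt the list and crash Explorer. From the defender's side this is also why cross-view detection works against such a rootkit: a listing taken through the Win32 API can be compared with one built from the raw volume, and any name present in one but not the other is a hidden file.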
In this article we explained what kernel mode and a kernel mode rootkit are in the Windows environment. We also discussed the bootkit, which starts before the security tools or even replaces the BIOS boot loader of the device, giving the rootkit ultimate control over the system. Finally we showed an example of how a kernel rootkit manipulates directory listings to hide files on the system.