Adlice forum
General Category => General Discussion => Topic started by: Malware on May 12, 2018, 09:10:04 AM
-
Hello, I have a question about Rootkits.
I heard about Rootkits that can infect the Kernel via the MBR or VBR (Alureon, Rovnix). And I heard some Rootkits found a vulnerability in the Kernel and made a Backdoor which controls the Kernel. And some Rootkits have a digital certificate. Some disable Code Signing and enable Test Signing. Is there another way to infect the Kernel on a 64-bit system?
Thanks
-
Hi,
Welcome to Adlice.com forum.
Kernel-mode rootkits are now pretty uncommon on 64-bit Windows operating systems.
Apart from the ways you mentioned, it's possible to forcefully disable PatchGuard, then hook the GDT/LDT/IDT/SSDT tables or use DKOM. However, disabling PatchGuard is system specific, so this method is almost never used (the only occurrence I know of is the Win64/Turla malware).
Regards.
-
I read that if KMCS is activated, a driver communicating with the Kernel must have a Digital Certificate. Is it true? And, for disabling PatchGuard and hooking the Kernel, must the driver have a Digital Certificate?
-
Hi,
Yes, when KMCS is enabled, all kernel-mode drivers must be signed using a valid certificate to load. So, to disable PatchGuard, the driver must be signed as well.
Here is an interesting article about it: PatchGuard v3 has no relation to "Purple Pill" (http://www.nynaeve.net/?p=158).
Regards.
-
Thanks for your reply, Curson.
So, if I have a 64-bit OS and Secure Boot off, am I immune against Kernel Mode Rootkits?
I've read about a User Mode program running in Kernel Mode. But I think it's too difficult.
And there is no other way to infect the Kernel?
For hooking, must the Rootkit be in the Kernel?
-
Hi,
You are welcome.
If driver-signing requirement and PatchGuard are enabled, you are safe.
No, only kernel-mode drivers can mess with kernel mode, not user-mode drivers.
Regards.
-
Alright, a Rootkit can infect the Kernel via the MBR or VBR, find a vulnerability and make a Backdoor which controls the Kernel, or have a signed driver. These are the only ways to infect the Kernel.
Do I understand it correctly?
-
Hi,
Yes, I think so.
For the latest research about kernel-mode malware, kernelmode.info forum (http://www.kernelmode.info/forum/) is a great source of information.
Regards.
-
Oh, many thanks for the link. I'm going to read this forum. And I have a last question: if I have an unsigned driver loaded in my Kernel (on a 64-bit system), is it OK?
-
Hi,
You are welcome.
If TESTSIGNING (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option) boot option is not enabled, unsigned kernel-mode drivers can't be loaded.
Regards.
-
Ok, when I have Secure Boot ON, Testsigning cannot be disabled. Can I check if Testsigning is ON?
-
Hi,
When the BCDEdit option for test-signing is enabled, Windows does the following:
Displays a watermark with the text "Test Mode" in all four corners of the desktop, to remind users the system has test-signing enabled. Note: Starting with Windows 7, Windows displays this watermark only in the lower left-hand corner of the desktop.
Regards.
-
Ok, and when I want to check if KMCS is enabled, does the system show a similar warning as in the Testsign case?
Is it OK when I have an unsigned driver loaded in my Kernel (64-bit system)?
-
Hi,
Did you read the Microsoft doc page I linked in my previous answer?
TESTSIGNING is an option in the bootloader that is used to disable Kernel-Mode Code Signing Requirements.
You cannot load unsigned drivers if KMCS is enabled.
Regards.
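A practical way to answer the two questions raised above (is TESTSIGNING on, and are any loaded drivers unsigned), as an added example that is not part of the original thread; it assumes an elevated PowerShell prompt on Windows and uses only bcdedit, the Win32_SystemDriver WMI class and Get-AuthenticodeSignature:

```powershell
# Added example (not from the thread): report the BCD test-signing state and
# the Authenticode status of every running kernel driver. Run from an
# elevated PowerShell prompt; bcdedit needs administrator rights.

function Get-TestSigningState {
    # bcdedit prints "testsigning  Yes" only when the option is set on the
    # current boot entry; absence means it is off and KMCS is enforced.
    $bcd = bcdedit /enum '{current}' 2>$null
    $state = [ordered]@{ TestSigning = $false; NoIntegrityChecks = $false }
    foreach ($line in $bcd) {
        if ($line -match '^\s*testsigning\s+Yes')       { $state.TestSigning = $true }
        if ($line -match '^\s*nointegritychecks\s+Yes') { $state.NoIntegrityChecks = $true }
    }
    [pscustomobject]$state
}

function Get-RunningDriverSignatures {
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            # Normalise the kernel-style paths WMI sometimes returns.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
}

$bcdState = Get-TestSigningState
$bcdState | Format-List
if ($bcdState.TestSigning) {
    Write-Warning 'TESTSIGNING is on: KMCS is not enforcing driver signatures.'
}

# Drivers without a valid signature deserve a closer look. Inbox drivers are
# usually catalog-signed and still report Valid here, so a NotSigned or
# HashMismatch result is what to investigate.
Get-RunningDriverSignatures |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Path -AutoSize
```

The "Test Mode" watermark mentioned earlier in the thread corresponds to the TestSigning flag this script reads from the boot configuration.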
-
Ah, sorry I overlooked it.
Yes, I know when KMCS is on, an unsigned driver cannot be loaded into the Kernel. But I have an unsigned driver loaded in my Kernel. I think.
-
Hi,
If you trust them, that's fine.
Regards.
-
Alright, many thanks Curson for answering my questions. And, you may lock this topic.
Thank you
-
Hi,
You are very welcome.
Regards.