Adlice forum

General Category => General Discussion => Topic started by: Malware on May 12, 2018, 09:10:04 am

Title: Question about Rootkits
Post by: Malware on May 12, 2018, 09:10:04 am
Hello I have an question about Rootkits

I heard About Rootkits who can infect Kernel via MBR or VBR (Alureon, Rovnix). And I heard some Rootkits found vurneability in Kernel and make a Backdoor which controls Kernel. And some Rootkits have a digital certificate. Some disable Code Signing and enable Test Signing. There is other way to infect Kernel in 64-bit sytem?

Thanks
Title: Re: Question about Rootkits
Post by: Curson on May 12, 2018, 07:51:32 pm
Hi,

Welcome to Adlice.com forum.

Kernel-mode rootkits are now pretty uncommon in 64-bit Windows operating system.
Apart the ways you mentionned, it's possible to forcefully disable PatchGuard then hook GDT/LDT/IDT/SSDT tables or use DKOM. However, disabling PatchGuard is system specific so this method is almost never used (the only occurence I know of is Win64/Turla malware).

Regards.
Title: Re: Question about Rootkits
Post by: Malware on May 13, 2018, 07:27:42 pm
I read, if KMCS activated, driver communicate with Kernel must have a Digital Certificate. It is true? And, for disabling Patch Guard and hooking Kernel driver must have a Digital Certificate
Title: Re: Question about Rootkits
Post by: Curson on May 15, 2018, 08:00:07 pm
Hi,

Yes, When KMCS is enabled, all kernel-mode drivers must be signed using a valid certificate to load. So, to disable PatchGuard, the driver must be signed as well.
Here is an interesting article about it : PatchGuard v3 has no relation to “Purple Pill” (http://www.nynaeve.net/?p=158).

Regards.
Title: Re: Question about Rootkits
Post by: Malware on May 15, 2018, 10:22:08 pm
Thank for your reply Curson

So, if I have 64-bit OS and Secure Boot off, I'm immune against Kernel Mode Rootkits?

 I've read about User Mode program running in Kernel Mode. But I think it's too difficult.

 And, there is no other way to infect Kernel?

For hooking Rootkit must be in a Kernel?
Title: Re: Question about Rootkits
Post by: Curson on May 15, 2018, 11:50:01 pm
Hi,

You are welcome.
If driver-signing requirement and PatchGuard are enabled, you are safe.

No, only kernel-mode drivers can mess with kernel mode, not user-mode drivers.

Regards.
Title: Re: Question about Rootkits
Post by: Malware on May 17, 2018, 04:02:15 pm
Allright, Rootkit can infect Kernel via MBR or VBR, found vurneability and make a Backdoor which controls Kernel or have a signed driver. There are the only ways to infect Kernel.

I understand it correctly?
Title: Re: Question about Rootkits
Post by: Curson on May 17, 2018, 07:30:08 pm
Hi,

Yes, I think.
For the latest research about kernel-mode malware, kernelmode.info forum (http://www.kernelmode.info/forum/) is a great source of information.

Regards.
Title: Re: Question about Rootkits
Post by: Malware on May 17, 2018, 08:43:50 pm
Oh, many thanks for link. I'm going to be read this forum. And I have last question - if I have not signed driver loaded in my Kernel (on 64-bit system) it is OK?
Title: Re: Question about Rootkits
Post by: Curson on May 17, 2018, 11:21:19 pm
Hi,

You are welcome.
If TESTSIGNING (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option) boot option is not enabled, unsigned kernel-mode drivers can't be loaded.

Regards.
Title: Re: Question about Rootkits
Post by: Malware on May 18, 2018, 10:59:45 pm
Ok, when i have Secure Boot ON, Testsing Can not be disabled. Can I check is Testsing ON?
Title: Re: Question about Rootkits
Post by: Curson on May 19, 2018, 01:52:00 am
Hi,
Quote
When the BCDEdit option for test-signing is enabled, Windows does the following :
Displays a watermark with the text "Test Mode" in all four corners of the desktop, to remind users the system has test-signing enabled. Note Starting with Windows 7, Windows displays this watermark only in the lower left-hand corner of the desktop.

Regards.
Title: Re: Question about Rootkits
Post by: Malware on May 21, 2018, 07:05:59 pm
Ok, and when i want to chceck if KMCS enabled, system show the similarly warning in Testsign case?

Is OK, when i have loaded unsigned driver in my Kernel (64-bit system)?
Title: Re: Question about Rootkits
Post by: Curson on May 21, 2018, 07:47:49 pm
Hi,

Did you read the Microsoft doc page I linked in my previous answer ?
TESTSIGNING is a option in the bootcloader that is used to disable Kernel-Mode Code Signing Requirements.

You cannot load unsigned drivers if KMCS is enabled.
Regards.
Title: Re: Question about Rootkits
Post by: Malware on May 24, 2018, 05:34:47 pm
Ah, sorry I overlooked it.

Yes, I know when KMCS on, unsigned driver can not be loaded to the Kernel. But i have loaded unsigned driver in my Kernel. I think.
Title: Re: Question about Rootkits
Post by: Curson on May 25, 2018, 07:31:45 pm
Hi,

If you trust them, that's fine.

Regards.
Title: Re: Question about Rootkits
Post by: Malware on May 26, 2018, 01:39:14 pm
Allright, many thanks Curson for answering my questions. And, you may lock this topic

Thank you
Title: Re: Question about Rootkits
Post by: Curson on May 28, 2018, 02:47:43 pm
Hi,

You are very welcome.

Regards.