Question about Rootkits

[Malware]

Hello I have an question about Rootkits

I heard About Rootkits who can infect Kernel via MBR or VBR (Alureon, Rovnix). And I heard some Rootkits found vurneability in Kernel and make a Backdoor which controls Kernel. And some Rootkits have a digital certificate. Some disable Code Signing and enable Test Signing. There is other way to infect Kernel in 64-bit sytem?

Thanks

[Curson]

Hi,

Welcome to Adlice.com forum.

Kernel-mode rootkits are now pretty uncommon in 64-bit Windows operating system.
Apart the ways you mentionned, it's possible to forcefully disable PatchGuard then hook GDT/LDT/IDT/SSDT tables or use DKOM. However, disabling PatchGuard is system specific so this method is almost never used (the only occurence I know of is Win64/Turla malware).

Regards.

[Malware]

I read, if KMCS activated, driver communicate with Kernel must have a Digital Certificate. It is true? And, for disabling Patch Guard and hooking Kernel driver must have a Digital Certificate

[Curson]

Hi,

Yes, When KMCS is enabled, all kernel-mode drivers must be signed using a valid certificate to load. So, to disable PatchGuard, the driver must be signed as well.
Here is an interesting article about it : PatchGuard v3 has no relation to “Purple Pill”.

Regards.

[Malware]

Thank for your reply Curson

So, if I have 64-bit OS and Secure Boot off, I'm immune against Kernel Mode Rootkits?

 I've read about User Mode program running in Kernel Mode. But I think it's too difficult.

 And, there is no other way to infect Kernel?

For hooking Rootkit must be in a Kernel?

[Curson]

Hi,

You are welcome.
If driver-signing requirement and PatchGuard are enabled, you are safe.

No, only kernel-mode drivers can mess with kernel mode, not user-mode drivers.

Regards.

[Malware]

Allright, Rootkit can infect Kernel via MBR or VBR, found vurneability and make a Backdoor which controls Kernel or have a signed driver. There are the only ways to infect Kernel.

I understand it correctly?

[Curson]

Hi,

Yes, I think.
For the latest research about kernel-mode malware, kernelmode.info forum is a great source of information.

Regards.

[Malware]

Oh, many thanks for link. I'm going to be read this forum. And I have last question - if I have not signed driver loaded in my Kernel (on 64-bit system) it is OK?

[Curson]

Hi,

You are welcome.
If TESTSIGNING boot option is not enabled, unsigned kernel-mode drivers can't be loaded.

Regards.

[Malware]

Ok, when i have Secure Boot ON, Testsing Can not be disabled. Can I check is Testsing ON?

[Curson]

Hi,

When the BCDEdit option for test-signing is enabled, Windows does the following :
Displays a watermark with the text "Test Mode" in all four corners of the desktop, to remind users the system has test-signing enabled. Note Starting with Windows 7, Windows displays this watermark only in the lower left-hand corner of the desktop.

Regards.

[Malware]

Ok, and when i want to chceck if KMCS enabled, system show the similarly warning in Testsign case?

Is OK, when i have loaded unsigned driver in my Kernel (64-bit system)?

[Curson]

Hi,

Did you read the Microsoft doc page I linked in my previous answer ?
TESTSIGNING is a option in the bootcloader that is used to disable Kernel-Mode Code Signing Requirements.

You cannot load unsigned drivers if KMCS is enabled.
Regards.

[Malware]

Ah, sorry I overlooked it.

Yes, I know when KMCS on, unsigned driver can not be loaded to the Kernel. But i have loaded unsigned driver in my Kernel. I think.