Author Topic: Question about Rootkits  (Read 22781 times)

0 Members and 2 Guests are viewing this topic.

May 12, 2018, 09:10:04 AM

Malware

  • Newbie

  • Offline
  • *

  • 9
  • Reputation:
    0
    • View Profile
Question about Rootkits
« on: May 12, 2018, 09:10:04 AM »
Hello I have an question about Rootkits

I heard About Rootkits who can infect Kernel via MBR or VBR (Alureon, Rovnix). And I heard some Rootkits found vurneability in Kernel and make a Backdoor which controls Kernel. And some Rootkits have a digital certificate. Some disable Code Signing and enable Test Signing. There is other way to infect Kernel in 64-bit sytem?

Thanks

Reply #1May 12, 2018, 07:51:32 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Question about Rootkits
« Reply #1 on: May 12, 2018, 07:51:32 PM »
Hi,

Welcome to Adlice.com forum.

Kernel-mode rootkits are now pretty uncommon in 64-bit Windows operating system.
Apart the ways you mentionned, it's possible to forcefully disable PatchGuard then hook GDT/LDT/IDT/SSDT tables or use DKOM. However, disabling PatchGuard is system specific so this method is almost never used (the only occurence I know of is Win64/Turla malware).

Regards.

Reply #2May 13, 2018, 07:27:42 PM

Malware

  • Newbie

  • Offline
  • *

  • 9
  • Reputation:
    0
    • View Profile
Re: Question about Rootkits
« Reply #2 on: May 13, 2018, 07:27:42 PM »
I read, if KMCS activated, driver communicate with Kernel must have a Digital Certificate. It is true? And, for disabling Patch Guard and hooking Kernel driver must have a Digital Certificate
« Last Edit: May 13, 2018, 09:03:04 PM by Malware »

Reply #3May 15, 2018, 08:00:07 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Question about Rootkits
« Reply #3 on: May 15, 2018, 08:00:07 PM »
Hi,

Yes, When KMCS is enabled, all kernel-mode drivers must be signed using a valid certificate to load. So, to disable PatchGuard, the driver must be signed as well.
Here is an interesting article about it : PatchGuard v3 has no relation to “Purple Pill”.

Regards.

Reply #4May 15, 2018, 10:22:08 PM

Malware

  • Newbie

  • Offline
  • *

  • 9
  • Reputation:
    0
    • View Profile
Re: Question about Rootkits
« Reply #4 on: May 15, 2018, 10:22:08 PM »
Thank for your reply Curson

So, if I have 64-bit OS and Secure Boot off, I'm immune against Kernel Mode Rootkits?

 I've read about User Mode program running in Kernel Mode. But I think it's too difficult.

 And, there is no other way to infect Kernel?

For hooking Rootkit must be in a Kernel?
« Last Edit: May 15, 2018, 11:22:02 PM by Malware »

Reply #5May 15, 2018, 11:50:01 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Question about Rootkits
« Reply #5 on: May 15, 2018, 11:50:01 PM »
Hi,

You are welcome.
If driver-signing requirement and PatchGuard are enabled, you are safe.

No, only kernel-mode drivers can mess with kernel mode, not user-mode drivers.

Regards.

Reply #6May 17, 2018, 04:02:15 PM

Malware

  • Newbie

  • Offline
  • *

  • 9
  • Reputation:
    0
    • View Profile
Re: Question about Rootkits
« Reply #6 on: May 17, 2018, 04:02:15 PM »
Allright, Rootkit can infect Kernel via MBR or VBR, found vurneability and make a Backdoor which controls Kernel or have a signed driver. There are the only ways to infect Kernel.

I understand it correctly?
« Last Edit: May 17, 2018, 06:53:14 PM by Malware »

Reply #7May 17, 2018, 07:30:08 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Question about Rootkits
« Reply #7 on: May 17, 2018, 07:30:08 PM »
Hi,

Yes, I think.
For the latest research about kernel-mode malware, kernelmode.info forum is a great source of information.

Regards.

Reply #8May 17, 2018, 08:43:50 PM

Malware

  • Newbie

  • Offline
  • *

  • 9
  • Reputation:
    0
    • View Profile
Re: Question about Rootkits
« Reply #8 on: May 17, 2018, 08:43:50 PM »
Oh, many thanks for link. I'm going to be read this forum. And I have last question - if I have not signed driver loaded in my Kernel (on 64-bit system) it is OK?

Reply #9May 17, 2018, 11:21:19 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Question about Rootkits
« Reply #9 on: May 17, 2018, 11:21:19 PM »
Hi,

You are welcome.
If TESTSIGNING boot option is not enabled, unsigned kernel-mode drivers can't be loaded.

Regards.

Reply #10May 18, 2018, 10:59:45 PM

Malware

  • Newbie

  • Offline
  • *

  • 9
  • Reputation:
    0
    • View Profile
Re: Question about Rootkits
« Reply #10 on: May 18, 2018, 10:59:45 PM »
Ok, when i have Secure Boot ON, Testsing Can not be disabled. Can I check is Testsing ON?

Reply #11May 19, 2018, 01:52:00 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Question about Rootkits
« Reply #11 on: May 19, 2018, 01:52:00 AM »
Hi,
Quote
When the BCDEdit option for test-signing is enabled, Windows does the following :
Displays a watermark with the text "Test Mode" in all four corners of the desktop, to remind users the system has test-signing enabled. Note Starting with Windows 7, Windows displays this watermark only in the lower left-hand corner of the desktop.

Regards.

Reply #12May 21, 2018, 07:05:59 PM

Malware

  • Newbie

  • Offline
  • *

  • 9
  • Reputation:
    0
    • View Profile
Re: Question about Rootkits
« Reply #12 on: May 21, 2018, 07:05:59 PM »
Ok, and when i want to chceck if KMCS enabled, system show the similarly warning in Testsign case?

Is OK, when i have loaded unsigned driver in my Kernel (64-bit system)?

Reply #13May 21, 2018, 07:47:49 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: Question about Rootkits
« Reply #13 on: May 21, 2018, 07:47:49 PM »
Hi,

Did you read the Microsoft doc page I linked in my previous answer ?
TESTSIGNING is a option in the bootcloader that is used to disable Kernel-Mode Code Signing Requirements.

You cannot load unsigned drivers if KMCS is enabled.
Regards.

Reply #14May 24, 2018, 05:34:47 PM

Malware

  • Newbie

  • Offline
  • *

  • 9
  • Reputation:
    0
    • View Profile
Re: Question about Rootkits
« Reply #14 on: May 24, 2018, 05:34:47 PM »
Ah, sorry I overlooked it.

Yes, I know when KMCS on, unsigned driver can not be loaded to the Kernel. But i have loaded unsigned driver in my Kernel. I think.