Author Topic: Question about Rootkits  (Read 1196 times)


Malware
Question about Rootkits
« on: May 12, 2018, 09:10:04 am »
Hello, I have a question about Rootkits.

I heard about Rootkits that can infect the Kernel via MBR or VBR (Alureon, Rovnix). And I heard some Rootkits found a vulnerability in the Kernel and made a Backdoor which controls the Kernel. And some Rootkits have a digital certificate. Some disable Code Signing and enable Test Signing. Is there another way to infect the Kernel on a 64-bit system?

Thanks

Curson (Global Moderator)
Re: Question about Rootkits
« Reply #1 on: May 12, 2018, 07:51:32 pm »
Hi,

Welcome to Adlice.com forum.

Kernel-mode rootkits are now pretty uncommon in 64-bit Windows operating systems.
Apart from the ways you mentioned, it's possible to forcefully disable PatchGuard, then hook the GDT/LDT/IDT/SSDT tables or use DKOM. However, disabling PatchGuard is system specific, so this method is almost never used (the only occurrence I know of is the Win64/Turla malware).

Regards.

Malware
Re: Question about Rootkits
« Reply #2 on: May 13, 2018, 07:27:42 pm »
I read that if KMCS is activated, a driver communicating with the Kernel must have a Digital Certificate. Is it true? And, for disabling PatchGuard and hooking the Kernel, must the driver have a Digital Certificate?
« Last Edit: May 13, 2018, 09:03:04 pm by Malware »

Curson (Global Moderator)
Re: Question about Rootkits
« Reply #3 on: May 15, 2018, 08:00:07 pm »
Hi,

Yes, when KMCS is enabled, all kernel-mode drivers must be signed using a valid certificate to load. So, to disable PatchGuard, the driver must be signed as well.
Here is an interesting article about it: PatchGuard v3 has no relation to “Purple Pill”.

Regards.

Malware
Re: Question about Rootkits
« Reply #4 on: May 15, 2018, 10:22:08 pm »
Thanks for your reply, Curson.

So, if I have a 64-bit OS and Secure Boot off, am I immune against Kernel Mode Rootkits?

I've read about a User Mode program running in Kernel Mode. But I think it's too difficult.

And, is there no other way to infect the Kernel?

For hooking, must the Rootkit be in the Kernel?
« Last Edit: May 15, 2018, 11:22:02 pm by Malware »

Curson (Global Moderator)
Re: Question about Rootkits
« Reply #5 on: May 15, 2018, 11:50:01 pm »
Hi,

You are welcome.
If the driver-signing requirement and PatchGuard are enabled, you are safe.

No, only kernel-mode drivers can mess with kernel mode, not user-mode drivers.

Regards.

Malware
Re: Question about Rootkits
« Reply #6 on: May 17, 2018, 04:02:15 pm »
All right, a Rootkit can infect the Kernel via MBR or VBR, find a vulnerability and make a Backdoor which controls the Kernel, or have a signed driver. These are the only ways to infect the Kernel.

Do I understand it correctly?
« Last Edit: May 17, 2018, 06:53:14 pm by Malware »

Curson (Global Moderator)
Re: Question about Rootkits
« Reply #7 on: May 17, 2018, 07:30:08 pm »
Hi,

Yes, I think.
For the latest research about kernel-mode malware, the kernelmode.info forum is a great source of information.

Regards.

Malware
Re: Question about Rootkits
« Reply #8 on: May 17, 2018, 08:43:50 pm »
Oh, many thanks for the link. I'm going to read this forum. And I have a last question: if I have an unsigned driver loaded in my Kernel (on a 64-bit system), is it OK?

Curson (Global Moderator)
Re: Question about Rootkits
« Reply #9 on: May 17, 2018, 11:21:19 pm »
Hi,

You are welcome.
If the TESTSIGNING boot option is not enabled, unsigned kernel-mode drivers can't be loaded.

Regards.

Malware
Re: Question about Rootkits
« Reply #10 on: May 18, 2018, 10:59:45 pm »
Ok, when I have Secure Boot ON, Testsigning cannot be disabled. Can I check whether Testsigning is ON?

Curson (Global Moderator)
Re: Question about Rootkits
« Reply #11 on: May 19, 2018, 01:52:00 am »
Hi,

Quote:
When the BCDEdit option for test-signing is enabled, Windows does the following:
Displays a watermark with the text "Test Mode" in all four corners of the desktop, to remind users the system has test-signing enabled. Note: Starting with Windows 7, Windows displays this watermark only in the lower left-hand corner of the desktop.

Regards.

Malware
Re: Question about Rootkits
« Reply #12 on: May 21, 2018, 07:05:59 pm »
Ok, and when I want to check if KMCS is enabled, does the system show a similar warning as in the Testsigning case?

Is it OK when I have loaded an unsigned driver in my Kernel (64-bit system)?

Curson (Global Moderator)
Re: Question about Rootkits
« Reply #13 on: May 21, 2018, 07:47:49 pm »
Hi,

Did you read the Microsoft doc page I linked in my previous answer?
TESTSIGNING is an option in the bootloader that is used to disable the Kernel-Mode Code Signing requirements.

You cannot load unsigned drivers if KMCS is enabled.

Regards.
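A way to check on your own machine what Curson describes in replies #9, #11 and #13 (whether the TESTSIGNING or NOINTEGRITYCHECKS boot flags are set, and whether any running kernel driver lacks a verifiable signature), as an added PowerShell example that is not from the thread. It assumes Windows 8 or later and an elevated prompt; the function names are my own.

```powershell
# Added example, not code from the thread: audit the boot-time code-signing
# flags and list running kernel drivers whose signature does not verify.
# Run from an elevated PowerShell prompt (bcdedit and Confirm-SecureBootUEFI need it).

function Get-BootSigningState {
    # bcdedit prints a line such as "testsigning  Yes" only when the flag is set,
    # so a missing line means the flag is off for the current boot entry.
    $bcd = bcdedit /enum '{current}' 2>$null
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS
    [pscustomobject]@{
        TestSigning       = (@($bcd) -match '^\s*testsigning\s+Yes').Count -gt 0
        NoIntegrityChecks = (@($bcd) -match '^\s*nointegritychecks\s+Yes').Count -gt 0
        SecureBoot        = $secureBoot
    }
}

function Get-UnverifiedRunningDrivers {
    # Win32_SystemDriver enumerates kernel drivers; PathName may carry the native
    # \??\ or \SystemRoot\ prefixes, which Test-Path does not understand.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = [Environment]::ExpandEnvironmentVariables($path)
            if (-not (Test-Path -LiteralPath $path)) { return }
            # Get-AuthenticodeSignature also consults the catalog store, so inbox
            # drivers that are catalog-signed still come back as Valid.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
}

$state = Get-BootSigningState
$state | Format-List
if ($state.TestSigning -or $state.NoIntegrityChecks) {
    Write-Warning 'Kernel-mode code signing enforcement is relaxed on this boot entry.'
}
Get-UnverifiedRunningDrivers | Format-Table -AutoSize
```

TestSigning = True corresponds to the "Test Mode" watermark quoted above; with both flags False, a driver listed with Status NotSigned is exactly the case KMCS should have refused, and is worth investigating.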

Malware
Re: Question about Rootkits
« Reply #14 on: May 24, 2018, 05:34:47 pm »
Ah, sorry, I overlooked it.

Yes, I know that when KMCS is on, an unsigned driver cannot be loaded into the Kernel. But I have loaded an unsigned driver in my Kernel. I think.