Operating System Security: A Study of Windows Rootkits
David Phillips

What Is a “Rootkit”?
The term “Root” (super user) originates from the Unix operating system, and “kit” is the program that grants an attacker super-user abilities.

Different Applications
User Space Rootkit
Easier to write (access to many user-space libraries and APIs that cannot be called from kernel space).
No kernel module required.
Relatively easy to “inject” into other processes.
Does not have root privileges on the system.
Easier for anti-rootkit software to detect.
Affects only the behavior of a single process.
No access to kernel data structures.
Kernel Space Rootkit
Affects ALL processes running on the system.
Has root privileges.
Harder for anti-rootkit software to detect.
Able to access kernel data structures.
More difficult to write.
System user must have adequate rights to install.
1.) A kernel-space rootkit that hides system process information by installing a hook function in the kernel’s System Service Dispatch Table (SSDT) in place of the kernel’s ZwQuerySystemInformation function.
2.) A user-space rootkit that hides system files by installing an inline function hook into the Windows API FindNextFile function.
The first rootkit’s hook function executes in kernel space.
The second rootkit’s hook function executes in user space, in the context of the target process.
Once the JUMP has been inserted, whenever any thread in the target process calls FindNextFile, control jumps to the rootkit’s detour function, which changes the value of the HANDLE parameter to an invalid value.
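The two hooks described above are exactly what anti-rootkit software looks for: an SSDT entry that no longer points into the kernel image, and a function prologue in memory that no longer matches the DLL on disk. The following C program is an added example, not code from these slides; it implements both checks over constructed sample data. The kernel image range, the four-entry table (with an arbitrarily chosen slot standing in for the replaced ZwQuerySystemInformation entry), the function address and the prologue bytes standing in for FindNextFile are all assumptions, so it compiles and runs on any platform without touching a real kernel or DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- Check 1: SSDT entry range check ------------------------------------
 * Every System Service Dispatch Table entry must resolve into the kernel image
 * that owns the table. A hook that overwrote the ZwQuerySystemInformation slot
 * points into the rootkit driver instead, so it falls outside that range. */

struct module_range {
    uint64_t base;   /* load address of the kernel image */
    uint64_t size;   /* size of the mapped image in bytes */
};

static int addr_in_module(uint64_t addr, const struct module_range *m)
{
    return addr >= m->base && addr < m->base + m->size;
}

/* Walks an SSDT given as an array of service-routine addresses. Returns the
 * number of entries outside the kernel image; their indices are written to
 * out[] (at most max_out of them). */
size_t ssdt_find_hooks(const uint64_t *ssdt, size_t n,
                       const struct module_range *kernel,
                       size_t *out, size_t max_out)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        if (!addr_in_module(ssdt[i], kernel)) {
            if (hooked < max_out)
                out[hooked] = i;
            hooked++;
        }
    }
    return hooked;
}

/* ---- Check 2: inline (prologue) hook check -------------------------------
 * The live bytes of an exported function are compared with the clean copy read
 * from the DLL on disk. An inline hook replaces the first five bytes with
 * JMP rel32 (opcode E9 + 32-bit displacement), which we decode to locate the
 * detour. */

struct prologue_check {
    int      modified;      /* live bytes differ from the on-disk image       */
    int      is_rel_jmp;    /* the patch starts with E9 (JMP rel32)           */
    uint64_t detour_target; /* decoded JMP destination when is_rel_jmp == 1   */
};

struct prologue_check check_prologue(const uint8_t *live, const uint8_t *clean,
                                     size_t len, uint64_t func_va)
{
    struct prologue_check r = {0, 0, 0};
    if (memcmp(live, clean, len) != 0)
        r.modified = 1;
    if (r.modified && len >= 5 && live[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, live + 1, sizeof rel);  /* x86 immediate, little-endian host assumed */
        r.is_rel_jmp = 1;
        /* JMP rel32 target = address of the next instruction + signed displacement */
        r.detour_target = (uint64_t)((int64_t)(func_va + 5) + rel);
    }
    return r;
}

/* ---- Constructed sample data (assumptions, not real addresses or bytes) --- */

/* Hypothetical kernel image and a four-entry SSDT; entry 2 was redirected to a
 * hypothetical rootkit driver, standing in for the replaced
 * ZwQuerySystemInformation slot (the real index is not the point here). */
static const struct module_range sample_kernel = { 0xFFFFF80000000000ULL, 0x800000ULL };
static const uint64_t sample_ssdt[4] = {
    0xFFFFF80000011000ULL, 0xFFFFF80000022000ULL,
    0xFFFFF88001234000ULL,                       /* outside the kernel image */
    0xFFFFF80000033000ULL,
};

/* Constructed x64 prologue standing in for FindNextFile as read from disk
 * (mov [rsp+8],rbx; push rdi; sub rsp,20h), and the same bytes after an inline
 * hook overwrote the first five with "E9 FB EF 10 00". */
#define SAMPLE_FUNC_VA 0x7FFB2A4F1000ULL
static const uint8_t sample_clean[10] = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83, 0xEC, 0x20 };
static const uint8_t sample_live[10]  = { 0xE9, 0xFB, 0xEF, 0x10, 0x00, 0x57, 0x48, 0x83, 0xEC, 0x20 };

size_t sample_ssdt_hook_count(void)
{
    size_t idx[4];
    return ssdt_find_hooks(sample_ssdt, 4, &sample_kernel, idx, 4);
}

size_t sample_ssdt_first_hooked_index(void)
{
    size_t idx[4] = {0};
    ssdt_find_hooks(sample_ssdt, 4, &sample_kernel, idx, 4);
    return idx[0];
}

uint64_t sample_detour_target(void)
{
    return check_prologue(sample_live, sample_clean, sizeof sample_live, SAMPLE_FUNC_VA).detour_target;
}

int main(void)
{
    printf("SSDT entries outside kernel image: %zu (first at index %zu)\n",
           sample_ssdt_hook_count(), sample_ssdt_first_hooked_index());
    struct prologue_check r = check_prologue(sample_live, sample_clean,
                                             sizeof sample_live, SAMPLE_FUNC_VA);
    printf("prologue modified=%d rel-jmp=%d detour=0x%llX\n",
           r.modified, r.is_rel_jmp, (unsigned long long)r.detour_target);
    return 0;
}
```

In a real tool the clean prologue comes from mapping the DLL file and applying its relocations, and the kernel range from the loaded-module list; the comparison logic itself is the part shown here. Note that both checks only detect hooks of the two shapes the slides describe, so a detour installed deeper inside a function, or a hook that patches the dispatch target rather than the table, needs additional checks.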