Hacking, Malware

Some notes on rootkits – Part 1

Rootkit major features

  • Maintain access
  • Conceal existence through stealth

Rootkit types

  • User-mode
  • Kernel-mode

User-mode rootkit main injection techniques

  • Windows hooks
  • CreateRemoteThread + LoadLibrary()
  • CreateRemoteThread + WriteProcessMemory()

Hooking techniques

  • Import Address Table hooking
  • Inline function hooking


  • Ring 3 – user-mode
  • Ring 0 – kernel-mode
  • Ring -1 – hypervisor

Bridging the rings

  • System call
  • Interrupt or call gate

Win32 API

  • kernel32.dll
  • advapi32.dll
  • user32.dll
  • gdi32.dll
  • The majority are simply stubs that check arguments before calling the real functions.
  • Call Native APIs and undocumented internal kernel functions.

Native API functions begin with

  • Rtl
  • Mm
  • Ps
  • etc.


  • NTDLL.dll

Windows Executive – Kernel

  • NTOSKRNL.exe, implements the functions exported by NTDLL.dll
  • Device Drivers.
  • Windows Hardware Abstraction Layer (HAL).

Kernel-mode Driver Architecture

  • Highest-level drivers (file-system drivers).
  • Intermediate drivers (WDM drivers, filter drivers).
  • Lowest-level drivers (WDM bus drivers).

Filter drivers

  • Install a driver as low in the chain as desired and modify data in transit.
  • Intercept and modify data before it is encrypted by the intermediate encryption filter driver.

Network driver

  • Protocol driver.
  • Filter-hook driver.

Network Device Interface Standard (NDIS) API

  • Implement lower-level NIC drivers with higher-level layers of the OSI reference model easily.

Transport Driver Interface (TDI)

  • Sits above NDIS and implements the OSI transport layer.


  • Filter packets.
  • Implement your own TCP/IP stack.
  • Insert filter drivers and filter-hook drivers into the existing driver stack, sniff and modify network packets.

Skeleton Driver

  • DriverEntry()
  • AddDevice
  • Dispatch routines
  • Unload()

Critical structures

  • I/O Request Packet (IRP)

Driver model



  • KMDF – Kernel-mode Driver Framework.
  • UMDF – User-mode Driver Framework.

Kernel-mode rootkits attributes

  • Stealth.
  • Persistence.
  • Severity.

Kernel-mode rootkits challenges

  • No error-handling.
  • Portability issues.
  • Resources competition.
  • Extensive testing required.
  • Find a way to get loaded (SCM/services.exe, etc).
  • Find a way to get executed and communicate with user-mode.
  • Remain stealthy and ensure persistence (hide registry keys, processes and files).

Table hooking

  • System Service Dispatch Table (SSDT)
  • Interrupt Dispatch Table (IDT)
  • Global Descriptor Table (GDT)
  • Local Descriptor Table (LDT)