The presentation discusses the process of writing a Windows rootkit, including loading, communicating with, and hiding the rootkit. The talk also covers the benefits and drawbacks of using kernel-level rootkits and the difficulty of detecting them.
- Kernel-level rootkits have extensive access to the machine and receive less scrutiny from security solutions
- Loading a rootkit can be done by exploiting vulnerable drivers or by abusing legitimate drivers
- Communicating with a rootkit can be done through callbacks and other methods
- Hiding a rootkit can be achieved through various techniques, including redirecting file access
- The talk weighs the benefits and drawbacks of kernel-level rootkits and explains why they are hard to detect
The presenter gives an example of abusing a minifilter: its pre-create callback is used to redirect file access to a legitimate driver, which makes it difficult for antivirus software to tell whether the operation is legitimate or not.