Demystifying Modern Windows Rootkits

Conference: BlackHat USA 2020

2020-08-05

Summary

The presentation discusses the process of writing a Windows rootkit, including loading, communicating with, and hiding the rootkit. The talk also covers the benefits and drawbacks of using kernel-level rootkits and the difficulty of detecting them.

  • Kernel-level rootkits have significant access to the machine and are less targeted by security solutions
  • Loading a rootkit can be done through vulnerable drivers or abusing legitimate drivers
  • Communicating with a rootkit can be done through callbacks and other methods
  • Hiding a rootkit can be achieved through various techniques, including redirecting file access
  • The talk emphasizes the benefits and drawbacks of using kernel-level rootkits and the difficulty of detecting them

The presenter gives an example of how to abuse a mini filter by using the pre-create callback to redirect file access to a legitimate driver, making it difficult for antivirus software to discern whether the operation is legitimate or not.

Abstract

This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. Analysis includes common patterns seen in malware and the drawbacks that come with malware in kernel-mode rather than user-mode. We'll walk through writing a rootkit from scratch, discussing how to load a rootkit, how to communicate with a rootkit, and how to hide a rootkit. With every method, we'll look into the drawbacks ranging from usability to detection vectors. The best part? We'll do this all under the radar, evading PatchGuard and anti-virus.