Demystifying Modern Windows Rootkits

Conference:  Defcon 28



The presentation walks through writing a Windows rootkit: loading it, communicating with it, and hiding it, along with the benefits and drawbacks of operating in kernel mode rather than user mode.
  • Kernel drivers have broad access to the machine and run at the same privilege level as an anti-virus's own kernel components, which makes the kernel an attractive place for an attacker to operate
  • Fewer mitigations and security products target kernel malware, and anti-virus often has less visibility into what a kernel driver does than into user-mode processes
  • A vulnerable legitimate driver can be exploited to load a rootkit, and routing suspicious operations through a legitimate driver's interface makes it hard for anti-virus to distinguish abuse from normal use
  • One example of abusing a minifilter is redirecting file access to a different file entirely, which can be used to hide the rootkit's own files
The presenter mentions that finding a zero-day in a driver can be trivial with some reversing knowledge, and that using legitimate drivers has benefits because only a few primitives are needed to elevate privileges. They also note that it can be difficult for anti-virus to discern whether an operation comes from a legitimate application when a driver exposes suspicious operations over its interface, especially if a legitimate application also uses that functionality.
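As an added illustration, not code from the talk, the following is a portable C model of the pattern behind "a few primitives to elevate privileges": an IOCTL handler that writes a caller-supplied value to a caller-supplied address, beside a hardened handler that refuses destinations outside the caller's own buffer. The request layout, the fake process records and the token values are constructed for the model; the "kernel objects" are ordinary globals so the code compiles and runs in user mode on any platform, and the hardened variant's range check stands in for what METHOD_BUFFERED or ProbeForWrite would do in a real driver.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of the request a user-mode client would pass through
 * DeviceIoControl (constructed for this model; real drivers define their own). */
typedef struct {
    uintptr_t dest;   /* destination address, chosen entirely by user mode */
    uint64_t  value;  /* 8 bytes to store there */
} write_request_t;

/* Stand-in for a kernel object such as EPROCESS: a PID and an access token. */
typedef struct {
    uint64_t pid;
    uint64_t token;
} fake_process_t;

#define SYSTEM_TOKEN   0xFFFF8000DEADBEEFULL   /* constructed values */
#define ATTACKER_TOKEN 0xFFFF8000CAFEF00DULL

static fake_process_t g_system   = { 4,    SYSTEM_TOKEN };
static fake_process_t g_attacker = { 1337, ATTACKER_TOKEN };

/* The only memory a well-behaved client may ask the driver to write: its own
 * output buffer. In a real driver METHOD_BUFFERED (the I/O manager copies the
 * buffer) or ProbeForWrite enforces this; here it is a plain array so the
 * model runs in user mode. */
static uint64_t g_user_buffer[8];

static bool in_user_buffer(uintptr_t p, size_t len) {
    uintptr_t lo = (uintptr_t)g_user_buffer;
    uintptr_t hi = lo + sizeof g_user_buffer;
    return p >= lo && p <= hi && len <= hi - p;
}

/* Vulnerable handler: stores the value wherever the caller said.
 * Any local user gets a write-what-where primitive at kernel privilege. */
int vulnerable_ioctl_write(const write_request_t *req) {
    *(uint64_t *)req->dest = req->value;
    return 0;
}

/* Hardened handler: refuses any destination outside the caller's buffer. */
int hardened_ioctl_write(const write_request_t *req) {
    if (!in_user_buffer(req->dest, sizeof(uint64_t)))
        return -1;   /* a real driver would fail the IRP with STATUS_ACCESS_VIOLATION */
    *(uint64_t *)req->dest = req->value;
    return 0;
}

/* What an attacker does with the primitive: overwrite its own token with
 * SYSTEM's. Returns true if the escalation succeeded through the given handler. */
bool token_stolen_via(int (*ioctl)(const write_request_t *)) {
    g_attacker.token = ATTACKER_TOKEN;            /* start each run clean */
    write_request_t req = { (uintptr_t)&g_attacker.token, g_system.token };
    (void)ioctl(&req);
    return g_attacker.token == SYSTEM_TOKEN;
}

/* A legitimate client writing into its own buffer must still succeed. */
bool legit_write_ok(int (*ioctl)(const write_request_t *)) {
    write_request_t req = { (uintptr_t)&g_user_buffer[2], 42 };
    return ioctl(&req) == 0 && g_user_buffer[2] == 42;
}

int main(void) {
    printf("vulnerable: token stolen=%d legit ok=%d\n",
           token_stolen_via(vulnerable_ioctl_write), legit_write_ok(vulnerable_ioctl_write));
    printf("hardened:   token stolen=%d legit ok=%d\n",
           token_stolen_via(hardened_ioctl_write), legit_write_ok(hardened_ioctl_write));
    return 0;
}
```

The point of the model is that the vulnerable handler serves legitimate clients perfectly well, which is exactly why the driver ships signed and why anti-virus sees nothing unusual in the IOCTL traffic. In a real driver, prefer METHOD_BUFFERED over probing a raw user pointer: a ProbeForWrite check on memory that user mode still controls leaves a time-of-check/time-of-use window that the copied buffer does not.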


This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. Analysis includes common patterns seen in malware and the drawbacks that come with malware in kernel-mode rather than user-mode. We'll walk through writing a rootkit from scratch, discussing how to load a rootkit, how to communicate with a rootkit, and how to hide a rootkit. With every method, we'll look into the drawbacks ranging from usability to detection vectors. The best part? We'll do this all under the radar, evading PatchGuard and anti-virus.