The presentation discusses the process of writing a Windows rootkit, including loading, communicating, and hiding the rootkit, as well as the drawbacks and benefits of using kernel-level rootkits.
- Kernel drivers have significant access to the machine and run at the same privilege level as a typical kernel anti-virus, making them a desirable target for attackers
- Less mitigations and security solutions target kernel malware, and antivirus often have less visibility into the operations performed by kernel drivers
- Vulnerable drivers can be easily exploited to load a rootkit, and using legitimate drivers can make it difficult for antivirus to detect suspicious operations
- An example of abusing a mini filter is redirecting file access to a brand new file, which can be used to hide the rootkit
The presenter mentions that finding a zero day in a driver can be trivial with some reversing knowledge, and that using legitimate drivers has benefits because it only requires a few primitives to elevate privileges. They also note that it can be difficult for antivirus to discern whether an operation is from a legitimate application if a driver exposes suspicious operations over its interface, especially if a legitimate application uses that functionality.