Demystifying Modern Windows Rootkits

The presentation discusses the process of writing a Windows rootkit, including loading, communicating, and hiding the rootkit, as well as the drawbacks and benefits of using kernel-level rootkits.

• Kernel drivers have significant access to the machine and run at the same privilege level as a typical kernel anti-virus, making them a desirable target for attackers
• Less mitigations and security solutions target kernel malware, and antivirus often have less visibility into the operations performed by kernel drivers
• Vulnerable drivers can be easily exploited to load a rootkit, and using legitimate drivers can make it difficult for antivirus to detect suspicious operations
• An example of abusing a mini filter is redirecting file access to a brand new file, which can be used to hide the rootkit

The presenter mentions that finding a zero day in a driver can be trivial with some reversing knowledge, and that using legitimate drivers has benefits because it only requires a few primitives to elevate privileges. They also note that it can be difficult for antivirus to discern whether an operation is from a legitimate application if a driver exposes suspicious operations over its interface, especially if a legitimate application uses that functionality.

This talk will demystify the process of writing a rootkit, moving past theory and instead walking the audience through the process of going from a driver that says "Hello World" to a driver that abuses never-before-seen hooking methods to control the user-mode network stack. Analysis includes common patterns seen in malware and the drawbacks that come with malware in kernel-mode rather than user-mode. We'll walk through writing a rootkit from scratch, discussing how to load a rootkit, how to communicate with a rootkit, and how to hide a rootkit. With every method, we'll look into the drawbacks ranging from usability to detection vectors. The best part? We'll do this all under the radar, evading PatchGuard and anti-virus.