One theoretical way to migrate to a safe IRQL would be to hook one of the
generalized object type initializer procedures associated with a specific
object type, such as nt!PsThreadType or nt!PsProcessType. The method would
be to first resolve one of the exported object types and then redirect one of
its procedure attributes, such as the OpenProcedure, to a buffer that
contains the payload to execute. When the hooked procedure is later invoked,
the payload can determine whether or not it is safe to execute by checking
the current IRQL (for example with KeGetCurrentIrql) and, if it is not,
simply chain to the original procedure and wait for a later invocation. It
may also be safe, in some cases, to assume that the IRQL will be
PASSIVE_LEVEL for a given object type procedure. Note that the layout of the
object type structure is undocumented and differs between Windows versions,
so the offset of the procedure pointer being replaced has to be matched to
the target build. Matt Conover also describes how this can be done in his
Malware Profiling and Rootkit Detection on Windows paper[1]. Thanks to Derek
Soeder for suggesting this approach.
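The following is an added illustration of the hook described above; it is not code from the paper or from the referenced work. Because the real nt OBJECT_TYPE layout is undocumented and version-specific, and a kernel build needs the WDK, it runs in user mode against a trimmed, hypothetical stand-in for the type initializer and a simulated IRQL. In a real payload the stub structures would be replaced by the version-matched nt layout, the stub type by the exported nt!PsProcessType or nt!PsThreadType, and get_irql() by KeGetCurrentIrql(). The OpenProcedure prototype is assumed to follow the pre-Windows-8 form (OpenReason, Process, Object, GrantedAccess, HandleCount); all other names are inventions of this example.

```c
/* Added example: one-shot OpenProcedure hook that runs a payload only once
 * the IRQL is PASSIVE_LEVEL, then restores the original pointer.  The
 * structures below are a simplified stand-in for nt's OBJECT_TYPE /
 * OBJECT_TYPE_INITIALIZER, not the real (undocumented) layout. */
#include <stddef.h>
#include <stdint.h>

typedef int NTSTATUS;
#define STATUS_SUCCESS 0
typedef unsigned char KIRQL;
#define PASSIVE_LEVEL  0
#define DISPATCH_LEVEL 2
typedef int OB_OPEN_REASON;   /* ObCreateHandle, ObOpenHandle, ... */

/* Assumed pre-Windows-8 prototype of OBJECT_TYPE_INITIALIZER.OpenProcedure. */
typedef NTSTATUS (*OB_OPEN_METHOD)(OB_OPEN_REASON OpenReason, void *Process,
                                   void *Object, uint32_t GrantedAccess,
                                   uint32_t HandleCount);

/* Hypothetical trimmed stand-ins: only the field we hook is modelled. */
typedef struct { OB_OPEN_METHOD OpenProcedure; } OBJECT_TYPE_INITIALIZER_STUB;
typedef struct { OBJECT_TYPE_INITIALIZER_STUB TypeInfo; } OBJECT_TYPE_STUB;

/* Simulated IRQL so the harness can exercise both branches. */
static KIRQL g_irql = PASSIVE_LEVEL;
static KIRQL get_irql(void) { return g_irql; }

static int g_original_calls = 0;   /* how often nt's real open method ran */
static int g_payload_runs   = 0;   /* how often our payload ran */

/* Stands in for the object type's genuine open method. */
static NTSTATUS original_open(OB_OPEN_REASON r, void *p, void *o,
                              uint32_t a, uint32_t h)
{
    (void)r; (void)p; (void)o; (void)a; (void)h;
    g_original_calls++;
    return STATUS_SUCCESS;
}

static OB_OPEN_METHOD    g_saved_open   = NULL;
static OBJECT_TYPE_STUB *g_hooked_type  = NULL;

/* Work that requires PASSIVE_LEVEL (touching pageable memory, file I/O). */
static void passive_payload(void) { g_payload_runs++; }

/* Replacement OpenProcedure: run the payload once, only when the IRQL is
 * safe; unhook immediately so later opens take the normal path; always chain
 * to the original so the handle operation itself still succeeds. */
static NTSTATUS hooked_open(OB_OPEN_REASON r, void *p, void *o,
                            uint32_t a, uint32_t h)
{
    if (get_irql() == PASSIVE_LEVEL) {
        passive_payload();
        g_hooked_type->TypeInfo.OpenProcedure = g_saved_open;
    }
    return g_saved_open(r, p, o, a, h);
}

/* Returns 1 if the hook was installed, 0 if the type was already hooked. */
int install_open_hook(OBJECT_TYPE_STUB *type)
{
    if (type == NULL || type->TypeInfo.OpenProcedure == hooked_open)
        return 0;
    g_hooked_type = type;
    g_saved_open  = type->TypeInfo.OpenProcedure;
    type->TypeInfo.OpenProcedure = hooked_open;
    return 1;
}

int payload_runs(void)   { return g_payload_runs; }
int original_calls(void) { return g_original_calls; }

/* Harness: two opens arrive at DISPATCH_LEVEL (payload must not run), then
 * two at PASSIVE_LEVEL (payload runs once, hook is removed).  Returns 1 when
 * the original pointer has been restored by the end. */
int run_scenario(void)
{
    OBJECT_TYPE_STUB ps_process_type = { { original_open } };
    g_original_calls = 0;
    g_payload_runs   = 0;
    install_open_hook(&ps_process_type);

    g_irql = DISPATCH_LEVEL;
    ps_process_type.TypeInfo.OpenProcedure(0, NULL, NULL, 0, 1);
    ps_process_type.TypeInfo.OpenProcedure(0, NULL, NULL, 0, 1);

    g_irql = PASSIVE_LEVEL;
    ps_process_type.TypeInfo.OpenProcedure(0, NULL, NULL, 0, 1);
    ps_process_type.TypeInfo.OpenProcedure(0, NULL, NULL, 0, 1);

    return ps_process_type.TypeInfo.OpenProcedure == original_open;
}
```

Two points carry over to a real implementation: the pointer swap should be done with an interlocked exchange, since other processors may be dispatching through the same type at the time, and the unhook-from-inside-the-hook pattern means the payload must never assume it is the only caller in flight.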