Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep


Delayed Procedures

There are a number of features offered by the Windows kernel that allow device drivers to execute code asynchronously. Examples include asynchronous procedure calls (APCs), deferred procedure calls (DPCs), work items, system threads, and so on. A backdoor can simply call the kernel APIs behind any of these mechanisms to schedule a task that runs arbitrary code in kernel mode. For example, a backdoor might queue a kernel-mode APC using the ntdll.dll trick described at the beginning of this section; when the APC executes, the code that was altered in ntdll.dll runs in a kernel-mode context. The same basic concept works for all other delayed procedures.
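The DPC variant, as an added example that is not code from the article or its authors: a driver fragment that queues a deferred procedure so that a chosen routine later runs in kernel mode, at DISPATCH_LEVEL, with no user-mode request behind it. The names (DelayedRoutine, QueueDelayedKernelCode, SamplePayload), the pool tag and the benign payload are assumptions for illustration. Built under the WDK (where _KERNEL_MODE is defined) it uses the real KeInitializeDpc / KeInsertQueueDpc / ExAllocatePoolWithTag calls; anywhere else the small shim at the top stands in for those few kernel APIs and runs the DPC synchronously, so the control flow can be compiled and exercised outside a driver.

```c
/* Added example (not from the Uninformed article): queue a DPC that runs
 * an arbitrary routine in kernel mode.  Names and tag are assumptions. */
#include <stddef.h>

#ifdef _KERNEL_MODE
#include <ntddk.h>
#else
/* --- user-mode shim: NOT the Windows kernel API, only enough to build.
 * A real DPC fires later, on some CPU, at DISPATCH_LEVEL; the shim runs it
 * inline and fakes the IRQL so the routine can be observed. --- */
#include <stdlib.h>
typedef unsigned char  BOOLEAN, KIRQL;
typedef unsigned long  ULONG;
typedef void          *PVOID;
typedef struct _KDPC   KDPC, *PKDPC;
typedef void (*PKDEFERRED_ROUTINE)(PKDPC, PVOID, PVOID, PVOID);
struct _KDPC { PKDEFERRED_ROUTINE Routine; PVOID Context; };
typedef enum { NonPagedPool = 0, PagedPool = 1 } POOL_TYPE;
enum { PASSIVE_LEVEL = 0, DISPATCH_LEVEL = 2 };
static KIRQL g_shimIrql = PASSIVE_LEVEL;
static KIRQL KeGetCurrentIrql(void) { return g_shimIrql; }
static void  KeInitializeDpc(PKDPC d, PKDEFERRED_ROUTINE r, PVOID c) { d->Routine = r; d->Context = c; }
static BOOLEAN KeInsertQueueDpc(PKDPC d, PVOID a1, PVOID a2) {
    g_shimIrql = DISPATCH_LEVEL;
    d->Routine(d, d->Context, a1, a2);
    g_shimIrql = PASSIVE_LEVEL;
    return 1;
}
static PVOID ExAllocatePoolWithTag(POOL_TYPE t, size_t n, ULONG tag) { (void)t; (void)tag; return malloc(n); }
static void  ExFreePoolWithTag(PVOID p, ULONG tag) { (void)tag; free(p); }
#endif

/* Where the payload reports back.  Must outlive the DPC: in a driver this
 * lives in non-paged storage (device extension or NonPagedPool), never on
 * the queuing thread's stack. */
typedef struct _DELAYED_RESULT {
    ULONG Runs;     /* incremented by the payload */
    KIRQL Irql;     /* IRQL observed when the deferred routine ran */
} DELAYED_RESULT, *PDELAYED_RESULT;

/* DPC object plus what the deferred routine needs.  Allocated from
 * NonPagedPool: the KDPC itself must be resident, and at DISPATCH_LEVEL a
 * reference to a paged-out page is a bugcheck, not a page fault. */
typedef struct _DELAYED_CTX {
    KDPC            Dpc;
    void          (*Payload)(ULONG *);
    PDELAYED_RESULT Result;
} DELAYED_CTX, *PDELAYED_CTX;

#define DELAYED_TAG 0x796C6544UL   /* assumed pool tag, 'yleD' */

/* The deferred routine.  Its code must be resident as well: driver code is
 * non-paged unless placed in a PAGE section, so never mark a DPC routine
 * with #pragma alloc_text(PAGE, ...).  By the time it runs the kernel has
 * dequeued the KDPC, so the routine may free its own context. */
static void DelayedRoutine(PKDPC Dpc, PVOID Context, PVOID Arg1, PVOID Arg2)
{
    PDELAYED_CTX ctx = (PDELAYED_CTX)Context;
    (void)Dpc; (void)Arg1; (void)Arg2;
    ctx->Result->Irql = KeGetCurrentIrql();
    ctx->Payload(&ctx->Result->Runs);   /* the "arbitrary kernel-mode code" */
    ExFreePoolWithTag(ctx, DELAYED_TAG);
}

/* Queue 'payload' to run in kernel mode.  Returns FALSE on allocation
 * failure.  In a real driver this returns before the DPC has run; nothing
 * here waits for it, so the caller must not read 'result' right away. */
BOOLEAN QueueDelayedKernelCode(void (*payload)(ULONG *), PDELAYED_RESULT result)
{
    PDELAYED_CTX ctx = (PDELAYED_CTX)ExAllocatePoolWithTag(NonPagedPool, sizeof(*ctx), DELAYED_TAG);
    if (ctx == NULL) return 0;
    ctx->Payload = payload;
    ctx->Result  = result;
    KeInitializeDpc(&ctx->Dpc, DelayedRoutine, ctx);
    /* FALSE only if this same KDPC were already queued, impossible for a
     * freshly allocated object. */
    return KeInsertQueueDpc(&ctx->Dpc, NULL, NULL);
}

/* Assumed, benign stand-in for the backdoor's real payload. */
void SamplePayload(ULONG *runs) { (*runs)++; }

#ifndef _KERNEL_MODE
#include <stdio.h>
/* Shim-only helper: queue the sample payload and report what it observed. */
DELAYED_RESULT ShimRun(void)
{
    DELAYED_RESULT r = { 0, PASSIVE_LEVEL };
    QueueDelayedKernelCode(SamplePayload, &r);
    return r;
}
int main(void)
{
    DELAYED_RESULT r = ShimRun();
    printf("runs=%lu irql=%u\n", r.Runs, (unsigned)r.Irql);
    return 0;
}
#endif
```

Under the shim, ShimRun() reports one run at DISPATCH_LEVEL. The same shape carries over to the other delayed procedures: a work item (IoAllocateWorkItem / IoQueueWorkItem) runs at PASSIVE_LEVEL in a system worker thread and so may touch paged memory, while the kernel-mode APC variant needs a target thread and goes through the exported but undocumented KeInitializeApc / KeInsertQueueApc.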

Category: Type II

Origin: This technique makes implicit use of features exposed by the operating system and therefore falls into the category of obvious. Greg Hoglund mentions these in particular in June 2006 [18].

Capabilities: Kernel-mode code execution.

Considerations: The important consideration here is that some of the mechanisms for running delayed procedures place restrictions on where the code and data they touch may reside. For example, a DPC is invoked at DISPATCH_LEVEL, so both the deferred routine and everything it references (including the KDPC object itself) must reside in non-paged memory; a page fault at that IRQL is a bugcheck. Work items, by contrast, run at PASSIVE_LEVEL in a system worker thread and are not subject to this restriction.

Covertness: This technique is covert in the sense that, between executions, the backdoor exists only as queued, transient state and could be considered largely dormant. Since that state is stored alongside the operating system's other transient state (the DPC, APC and work-item queues), this technique should prove more difficult to detect when compared to some of the other approaches described in this paper.