Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep


At this point it should be clear that there is no shortage of techniques that can be used to expose a local kernel-mode backdoor on Windows. These techniques provide a subtle way of weakening the security guarantees of the Windows kernel by exposing restricted resources to user-mode processes. These resources might include access to kernel-mode data, disabling of security checks, or the execution of arbitrary code in kernel-mode. There are many different reasons why these types of backdoors would be useful in the context of a rootkit.

The most obvious reason these techniques are useful in rootkits is simply that they provide access to restricted resources. A less obvious reason for their usefulness is that they can be used as a method of reducing a rootkit's kernel-mode code profile. Since many tools are designed to scan kernel-mode memory for the presence of backdoors[32,14], any reduction of a rootkit's kernel-mode code profile can be useful. Rather than placing code in kernel-mode, techniques have been described for redirecting code execution to code stored in user-mode in a process-specific fashion. This is accomplished by redirecting execution into a portion of the ntdll mapping that exists in every process, including the System process.

Understanding how different backdoor techniques work is necessary in order to consider approaches that might be taken to prevent or detect rootkits that employ them. For example, the presence of immutable memory may eliminate some of the common techniques used by many different types of rootkits. Likewise, when these techniques are eliminated, new ones will be developed, continuing the cycle that permeates most adversarial systems.