Techniques

To help properly catalog the techniques described in this section, the authors have attempted to include objective measurements of each technique. These measurements are broken down as follows:

• Category

  The authors have chosen to adopt Joanna Rutkowska's malware categorization in the interest of pursuing a standardized classification[34]. This model describes three types of malware. Type 0 malware categorizes non-intrusive malware; Type I includes malware that modifies things that should otherwise never be modified (code segments, MSRs, etc); Type II includes malware that modifies things that should be modified (global variables, other data); Type III is not within the scope of this document[33,34].

  In addition to the four malware types described by Rutkowska, the authors propose Type IIa which would categorize writable memory that should effectively be considered write-once in a given context. For example, when a global DPC is initialized, the DpcRoutine can be considered write-once. The authors consider this to be a derivative of Type II due to the fact that the memory remains writable and is less likely to be checked than that of Type I.

• Origin

  If possible, the first known instance of the technique's use or some additional background on its origin is given.

• Capabilities

  The capabilities the backdoor offers. This can be one or more of the following: kernel-mode code execution, access to kernel-mode data, access to restricted resources. If a technique allows kernel-mode code execution, then it implicitly has all other capabilities listed.

• Considerations

  Any restrictions or special points that must be made about the use of a given technique.

• Covertness

  A description of how easily the use of a given technique might be detected.

Since many of the techniques described in this document have been known for quite some time, the authors have taken a best effort approach to identifying sources of the original ideas. In many cases, this has proved to be difficult or impossible. For this reason, the authors request that any inaccuracy in citation be reported so that it may be corrected in future releases of this paper.

• Image Patches
  • Function Prologue Hooking
  • Disabling SeAccessCheck
  
  
• Descriptor Tables
  • IDT
  • GDT / LDT
  • SSDT
  
  
• Model-specific Registers
  • IA32_SYSENTER_EIP
  
  
• Page Table Entries
• Function Pointers
  • Import Address Table
  • KiDebugRoutine
  • KTHREAD's SuspendApc
  • Create Thread Notify Routine
  • Object Type Initializers
  • PsInvertedFunctionTable
  • Delayed Procedures
  
  
• Asynchronous Read Loop
• Leaking CS