Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep


Image Patches

Perhaps the most obvious approach that can be used to backdoor the kernel involves the modification of code segments used by the kernel itself. This could include modifying the code segments of kernel-mode images like ntoskrnl.exe, ndis.sys, ntfs.sys, and so on. By making modifications to these code segments, it is possible to hijack kernel-mode execution whenever a hooked function is invoked. The possibilities surrounding the modification of code segments are limited only by what the kernel itself is capable of doing.
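From the defender's side, the counterpart to an image patch is an integrity check: keep a known-good copy of a code region (for example, as read from the image on disk) and compare it against what is currently mapped, then decode anything that now looks like a redirecting jump at a function entry. The following C program is an added example and is not code from the paper; the baseline and patched byte strings, the virtual address 0x80401000 and the function names `find_patch_ranges` and `decode_jmp_rel32` are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One contiguous run of bytes that differs between baseline and current. */
struct patch_range {
    size_t offset;
    size_t length;
};

/* Compare a known-good copy of a code region against its current contents
 * and report every contiguous run of modified bytes. Returns the total number
 * of ranges found; at most max_ranges of them are written to out. */
size_t find_patch_ranges(const uint8_t *baseline, const uint8_t *current,
                         size_t len, struct patch_range *out, size_t max_ranges)
{
    size_t count = 0;
    size_t i = 0;
    while (i < len) {
        if (baseline[i] == current[i]) { i++; continue; }
        size_t start = i;
        while (i < len && baseline[i] != current[i]) i++;
        if (count < max_ranges) {
            out[count].offset = start;
            out[count].length = i - start;
        }
        count++;
    }
    return count;
}

/* If the bytes at p encode a 5-byte relative jump (opcode E9 followed by a
 * little-endian rel32), compute the absolute target from the virtual address
 * of p. Returns 1 on a match and 0 otherwise. */
int decode_jmp_rel32(const uint8_t *p, size_t avail, uint32_t p_va, uint32_t *target)
{
    if (avail < 5 || p[0] != 0xE9) return 0;
    int32_t rel = (int32_t)((uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                            ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24));
    *target = p_va + 5 + (uint32_t)rel;
    return 1;
}

/* Constructed sample: 16 bytes of a function prologue as it appears in the
 * on-disk image (mov edi,edi / push ebp / mov ebp,esp / sub esp,10h / ...). */
const uint8_t kBaseline[16] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
    0x53, 0x56, 0x57, 0x33, 0xC0, 0x5F, 0x5E, 0x5B
};

/* Constructed sample: the same region as currently mapped. The first five
 * bytes have been overwritten with "jmp +0x000FFFFB" and one byte at offset
 * 12 has been changed to a nop. */
const uint8_t kCurrent[16] = {
    0xE9, 0xFB, 0xFF, 0x0F, 0x00, 0x83, 0xEC, 0x10,
    0x53, 0x56, 0x57, 0x33, 0x90, 0x5F, 0x5E, 0x5B
};

/* Constructed virtual address at which the sample region is assumed to be mapped. */
#define SAMPLE_VA 0x80401000u

int main(void)
{
    struct patch_range ranges[8];
    size_t n = find_patch_ranges(kBaseline, kCurrent, sizeof kBaseline, ranges, 8);
    printf("%zu modified range(s)\n", n);
    for (size_t i = 0; i < n && i < 8; i++) {
        printf("  offset %zu, %zu byte(s)\n", ranges[i].offset, ranges[i].length);
        uint32_t target;
        if (decode_jmp_rel32(kCurrent + ranges[i].offset,
                             sizeof kCurrent - ranges[i].offset,
                             SAMPLE_VA + (uint32_t)ranges[i].offset, &target))
            printf("    jmp rel32 to 0x%08X\n", target);
    }
    return 0;
}
```

A real checker would obtain the baseline by mapping the image file and applying relocations so that legitimate differences (relocated absolute addresses) are not reported as patches; without that step, the byte-compare alone produces false positives on any section containing relocated pointers.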



Subsections