Understanding Kernel-Mode Rootkits
In this chapter, we are going to dig deeper into the Windows kernel and its internal structures and mechanisms. We will cover different techniques used by malware authors to hide the presence of their malware from users and antivirus products.
We will look at different advanced kernel-mode hooking techniques, process injection in kernel mode, and how to perform static and dynamic analysis there.
Before we get into rootkits and learn how they are implemented, we need to understand how the operating system (OS) works and how rootkits can target different parts of the OS and use it to their advantage.
In this chapter, we will cover the following topics:
- Kernel mode versus user mode
- Windows internals
- Rootkits and device drivers
- Hooking mechanisms
- DKOM
- Process injection in kernel mode
- KPP in x64 systems (PatchGuard)
- Static and dynamic analysis in kernel mode