[Theory] Native Windows API (NTAPI)
tim one said:

Wow, I've forgotten this great thread! :)

Well, school times are over for me, and if I think about "ring" now I think about Tolkien's masterpiece :p

I remember something but not in depth; however, we consider that AVs install .sys drivers to analyze what happens at the kernel level.

Speaking of rootkits.

The information in memory can be divided into two categories: "data" and "code".

Data refers to bytes that are not executed. Examples may be data structures directly related to the operation of the system kernel, or data related to a Word document. Data are usually stored in memory regions called heaps, stacks or pools.

The code, on the other hand, refers to the executable "instructions" that the processor must handle to perform its job.

Rootkits manage to gain invisibility by altering memory content with the aim of changing the behavior of the operating system or the way in which data is presented to the user. Rootkits work on code, data, or both categories of information stored in memory. The operation aimed at manipulating the contents of memory is usually identified with the expression "memory patching".

When referring to the level of privileges with which an application is executed, we use the term "ring". Ring 0 identifies processes running in kernel mode; ring 3 identifies applications running in user mode, such as the browser.

When the processor is operating in kernel mode, it has access to all system logs and memory.

When the CPU is operating in user mode (level 3), it is allowed to access only those areas of memory that are usable in user mode.

Since the code that runs in kernel mode can have indiscriminate access to all areas of the system, being able to run programs in this context is the goal that all rootkit authors look at with great interest.

If we want to get the list of running processes, the first step is to open the Task Manager. This system application, however, operates in user mode despite running kernel mode code that takes care of retrieving the list of running processes. For this type of activity, the Task Manager invokes a function called NtQuerySystemInformation that is present in the NTDLL.DLL library. A routine operating in kernel mode receives the request and draws on a special kernel structure called the System Service Descriptor Table (SSDT).

Each time the system interfaces with the kernel to perform operations required by applications or through the use of the shell, you may have to deal with a potential point of attack, exploited by a rootkit with the aim of altering the normal flow of information and thus undermining the proper functioning of Windows.

Before a function that can interface with the operating system kernel can be invoked, it must first be imported by the application that intends to use it. This means that the library (DLL file) containing the function must be loaded in the memory space used by the application and added to a special table called the Import Address Table. This is another opportunity for a rootkit to change the normal flow of information.

Another method widely used by attackers, and rootkit developers, to alter the procedure for executing code in user mode is often referred to as inline (function) patching or inserting trampolines. The rootkit, in this case, modifies the first bytes of the targeted function. Thus, the rootkit can filter the data output from the function. The possibilities are endless: the rootkit can, for example, remove a file from a list of files in a given folder. In this way, malicious files linked to the operation of the rootkit or other malware can be hidden from the user, the operating system, and installed applications.
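As an added example (not code from tim one's post or from this thread), here is a small C check for the two user-mode tricks the post describes: a trampoline written over a function's first bytes, and an Import Address Table entry redirected outside the DLL that exports the function. The stub bytes and module addresses are constructed for illustration, and the scanner that would feed real process memory into these functions is assumed, not shown.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Does the start of a function look like a trampoline planted by an
 * inline patch rather than a normal prologue? Recognises common forms:
 *   E9 rel32            jmp rel32
 *   FF 25 disp32        jmp [rip+disp32] (x64) / jmp [abs32] (x86)
 *   68 imm32 C3         push imm32 ; ret
 *   48 B8 imm64 FF E0   mov rax, imm64 ; jmp rax
 * A stronger check is to memcmp() the bytes against the DLL on disk. */
int looks_like_trampoline(const uint8_t *p, size_t len)
{
    if (len >= 5 && p[0] == 0xE9) return 1;
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1;
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&
        p[10] == 0xFF && p[11] == 0xE0) return 1;
    return 0;
}

/* IAT check: an import entry must resolve into the module that exports
 * the function. A target outside that module's image is a hook candidate. */
typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;
typedef struct { const char *func; const char *dll; uint64_t target; } iat_entry_t;

int iat_entry_is_suspicious(const iat_entry_t *e, const module_t *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (strcmp(mods[i].name, e->dll) == 0)
            return !(e->target >= mods[i].base &&
                     e->target < mods[i].base + mods[i].size);
    return 1; /* exporting module not in the loaded-module list: suspicious */
}

/* Constructed sample bytes, not captured from a real system: the usual
 * x64 ntdll stub start (mov r10,rcx ; mov eax,<syscall no>) and the same
 * stub after a 5-byte E9 jmp has been written over it. */
static const uint8_t clean_stub[8]  = {0x4C,0x8B,0xD1,0xB8,0x36,0x00,0x00,0x00};
static const uint8_t hooked_stub[8] = {0xE9,0x1B,0x3F,0x02,0x00,0x00,0x00,0x00};

int main(void)
{
    printf("clean stub trampoline?  %d\n", looks_like_trampoline(clean_stub, 8));
    printf("hooked stub trampoline? %d\n", looks_like_trampoline(hooked_stub, 8));
    return 0;
}
```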