What is a rootkit?
tim one wrote:

Long ago there were 32-bit rootkits that exploited the SSDT table to interface directly with the kernel, using this path: Application -> Native API -> NT Kernel.
The rootkit then located the SSDT by importing the KeServiceDescriptorTable structure, read out the address of the native API and invoked it, and so gained, within the limits of the API itself, the highest privilege on the system.

Then, with 64-bit technology, a 32-bit rootkit has real difficulties exploiting SSDT hooking, because MS has patched the kernel (of course it is still vulnerable :rolleyes:), and now the SSDT consists of an array of pointers.
This "protection" can be bypassed with a driver that implements an algorithm to analyze KeSystemServiceStart.

Technologies may change, but malware adapts itself to them, and the danger from new malcode is huge; that is why we have to implement solid security layers.
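The post above describes two generations of the same trick: on x86 the SSDT is an array of absolute function pointers that a rootkit overwrites in place; on x64 the table holds 32-bit offsets relative to the table itself, so a rootkit that wants the table has to find it by scanning the syscall dispatcher (the routine the post calls KeSystemServiceStart; in ntoskrnl the symbols are KiSystemServiceStart/KiSystemServiceRepeat). The following user-mode C model is an added example, not code from the post or from any rootkit: it simulates the x86 pointer swap, decodes an x64 table entry (target = table base + (entry >> 4), low 4 bits = stack-argument count), and locates the x64 table from a constructed byte sequence containing the dispatcher's `lea r10, [rip+disp32]` (bytes 4C 8D 15) by resolving the RIP-relative displacement. The x64 encoding and the lea pattern are the well-known real-world details; every function name (`ssdt32_*`, `ssdt64_*`, `find_ssdt64_from_dispatcher`), the stand-in service bodies and the byte buffers are invented for this demonstration. The same arithmetic is what a detection tool uses in reverse: resolve every entry and flag any that falls outside the ntoskrnl image.

```c
/* Added example: user-mode model of SSDT hooking and SSDT lookup on x86 vs x64.
 * Nothing here touches a real kernel; all tables and code bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- x86: KeServiceDescriptorTable.ServiceTableBase is an array of absolute pointers ---- */
typedef uint32_t (*syscall_fn)(uint32_t);

/* Hypothetical stand-ins for a native service and for a rootkit's replacement. */
uint32_t svc_original(uint32_t a) { return a + 1; }
uint32_t svc_hook(uint32_t a)     { (void)a; return 0xDEAD; }

#define SSDT32_ENTRIES 4
static syscall_fn ssdt32[SSDT32_ENTRIES];

void ssdt32_reset(void) {
    for (size_t i = 0; i < SSDT32_ENTRIES; i++) ssdt32[i] = svc_original;
}

/* Classic 32-bit hook: overwrite the pointer in place, keep the original for pass-through. */
syscall_fn ssdt32_hook(unsigned idx, syscall_fn hook) {
    if (idx >= SSDT32_ENTRIES) return NULL;
    syscall_fn old = ssdt32[idx];
    ssdt32[idx] = hook;
    return old;
}

uint32_t ssdt32_dispatch(unsigned idx, uint32_t arg) { return ssdt32[idx](arg); }

/* ---- x64: ServiceTableBase holds 32-bit offsets, not pointers ----
 * target = table_base + (entry >> 4); the low 4 bits carry the stack-argument count.
 * The target must lie within a signed 32-bit range of the table, so an absolute pointer
 * into a separately loaded driver cannot simply be written over the entry. */
uint64_t ssdt64_resolve(uint64_t table_base, int32_t entry) {
    /* signed right shift is arithmetic on mainstream compilers, matching the kernel's sar */
    return table_base + (uint64_t)(int64_t)(entry >> 4);
}
unsigned ssdt64_arg_count(int32_t entry) { return (unsigned)entry & 0xF; }

/* ---- Finding the x64 table without an export: scan the syscall dispatcher bytes ----
 * KiSystemServiceRepeat loads the table with `lea r10, [rip+disp32]` = 4C 8D 15 disp32.
 * RIP-relative addressing: target = VA of the next instruction + disp32.
 * Returns the table VA, or 0 if the pattern is not present in the buffer. */
uint64_t find_ssdt64_from_dispatcher(const uint8_t *code, size_t len, uint64_t code_va) {
    static const uint8_t lea_r10_rip[] = { 0x4C, 0x8D, 0x15 };
    for (size_t i = 0; i + 7 <= len; i++) {
        if (memcmp(code + i, lea_r10_rip, sizeof lea_r10_rip) != 0) continue;
        /* decode the little-endian disp32 explicitly so the model is endian-independent */
        uint32_t u = (uint32_t)code[i + 3] | ((uint32_t)code[i + 4] << 8) |
                     ((uint32_t)code[i + 5] << 16) | ((uint32_t)code[i + 6] << 24);
        int32_t disp = (int32_t)u;
        return code_va + i + 7 + (uint64_t)(int64_t)disp;   /* 7 = length of the lea */
    }
    return 0;
}

int main(void) {
    ssdt32_reset();
    printf("x86 before hook: %u\n", ssdt32_dispatch(1, 5));
    ssdt32_hook(1, svc_hook);
    printf("x86 after hook : 0x%X\n", ssdt32_dispatch(1, 5));

    uint64_t base = 0xFFFFF80000100000ULL;
    printf("x64 entry 0x1234 -> 0x%llX (%u stack args)\n",
           (unsigned long long)ssdt64_resolve(base, 0x1234), ssdt64_arg_count(0x1234));

    /* constructed dispatcher fragment: nop; nop; lea r10,[rip+0x10]; ret */
    const uint8_t code[] = { 0x90, 0x90, 0x4C, 0x8D, 0x15, 0x10, 0x00, 0x00, 0x00, 0xC3 };
    printf("table located at 0x%llX\n",
           (unsigned long long)find_ssdt64_from_dispatcher(code, sizeof code, 0x1000));
    return 0;
}
```

Run it as a normal user-mode program; the point of the model is the arithmetic, not kernel access. Note how the x64 layout changes the attacker's problem from "write a pointer" to "find the table and stay within a 32-bit displacement of it", which is why the post's bypass goes through the dispatcher code rather than through an import.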