A rootkit could infect a user's system in any number of ways, from clicking on an email attachment to visiting a malicious web page to running executables from untrusted sources. This being the case, security vendors and helpful open-source developers have created software which tries its hardest to detect the presence of a hidden rootkit and hence help users keep their systems clean. In this article, what we'll do is look at how a rootkit functions. As we go along we'll also briefly check whether 2 freely available rootkit detectors, Tuluka and Gmer, have the features necessary to combat rootkits. Note though that the scope of the article is limited to rootkits in a Windows environment only.

If you wanted to do something bad and continue to do so for a long time, you'd want to remain hidden. So you'd try to find out all the ways in which you can be detected, and develop techniques to counter those detection mechanisms. A rootkit follows precisely the same philosophy. Let's take a very small example to understand the basic principle of a rootkit. Say the starting point of a puzzle is A and the ending point is D, with a guard at X, midway along the path. So it looks like this: A – B – C – X – D. Hence a way needs to be found around X, while still getting to D in the process. If you map that analogy to a rootkit's behavior, it would translate to this: a rootkit must hide itself from the OS and do its dirty work, but allow (in most cases) the OS to function totally normally. It does so using a mechanism called "hooking", wherein it creates a new path for itself to the final destination, bypassing any protections there are on its way there.

The Windows OS architecture is divided into 2 major parts (in the context of this article): User Mode and Kernel Mode. The Windows API consists of numerous functions in user mode as well as in kernel mode. A function call made by an application is always a user mode function call. That is because an application cannot directly call a kernel function; that's how the Windows OS is built. When the user mode function call executes, an internal switch is made to kernel mode, and the kernel mode API is then called and executed.

Say the user wants to do a directory listing as usual, which results in FindFirstFile being called in user mode. FindFirstFile will call another function in user mode, following which a switch needs to be made to kernel mode. This switch is needed because the core functionality that lists files is NOT present in user mode, but in kernel mode.
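One defensive check that follows from the user-mode call path described above: if a rootkit has rerouted a user-mode API such as FindFirstFile by overwriting its entry point with a jump to its own code, the first bytes of that function in memory no longer match the bytes of the same function in the module's on-disk image. The Python below is an added example, not code from the article or from Tuluka or Gmer. It diffs an in-memory prologue against the disk copy and, when they differ, recognises a few common redirect stub shapes and resolves where control is sent. The prologue bytes, the load address and the redirect target are all constructed sample values; reading real process memory and parsing the PE file on disk are assumed to happen elsewhere and are not shown.

```python
"""Compare API prologues in memory against the on-disk image to spot inline hooks."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Opcode prefixes that commonly begin a redirecting stub written over a prologue.
# (name, leading bytes, total stub length in bytes)
TRAMPOLINE_PATTERNS = [
    ("jmp rel32", b"\xE9", 5),                    # E9 <rel32>
    ("jmp [rip+disp32]", b"\xFF\x25", 6),         # FF 25 <disp32>
    ("push imm32; ret", b"\x68", 6),              # 68 <imm32> C3
    ("mov rax, imm64; jmp rax", b"\x48\xB8", 12), # 48 B8 <imm64> FF E0
]

MASK64 = 0xFFFFFFFFFFFFFFFF


@dataclass
class HookReport:
    function: str
    hooked: bool                      # memory bytes differ from the disk image
    first_diff_offset: Optional[int]  # offset of the first differing byte
    pattern: Optional[str]            # recognised stub shape, if any
    target: Optional[int]             # where control goes (for FF 25: the pointer slot)


def classify_prologue(mem: bytes, addr: int) -> Tuple[Optional[str], Optional[int]]:
    """Return (pattern name, resolved target) if `mem` starts with a known stub shape."""
    for name, prefix, length in TRAMPOLINE_PATTERNS:
        if len(mem) < length or not mem.startswith(prefix):
            continue
        if name == "jmp rel32":
            rel = struct.unpack_from("<i", mem, 1)[0]
            return name, (addr + length + rel) & MASK64
        if name == "jmp [rip+disp32]":
            disp = struct.unpack_from("<i", mem, 2)[0]
            # Resolves to the memory slot holding the pointer, not the final code address.
            return name, (addr + length + disp) & MASK64
        if name == "push imm32; ret" and mem[5] == 0xC3:
            return name, struct.unpack_from("<I", mem, 1)[0]
        if name == "mov rax, imm64; jmp rax" and mem[10:12] == b"\xFF\xE0":
            return name, struct.unpack_from("<Q", mem, 2)[0]
    return None, None


def check_function(name: str, addr: int, mem: bytes, disk: bytes) -> HookReport:
    """Diff the in-memory prologue against the disk copy and classify any redirect."""
    first_diff = next((i for i, (m, d) in enumerate(zip(mem, disk)) if m != d), None)
    if first_diff is None:
        return HookReport(name, False, None, None, None)
    pattern, target = classify_prologue(mem, addr)
    return HookReport(name, True, first_diff, pattern, target)


# Constructed sample data (not captured from a real system).
# A plausible x64 prologue for a kernel32 export such as FindFirstFileW:
#   mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h ; mov rdi,rcx
CLEAN_PROLOGUE = bytes.fromhex("48895C2408" "4889742410" "57" "4883EC20" "488BF9")
# The same bytes as they might look after an inline hook: the first five bytes
# replaced by `jmp rel32` (E9 FB FF D4 05), the rest left untouched.
HOOKED_PROLOGUE = bytes.fromhex("E9FBFFD405") + CLEAN_PROLOGUE[5:]
FUNC_ADDR = 0x7FF81A2B0000  # constructed load address of the export


def demo():
    reports = [
        check_function("FindFirstFileW (clean)", FUNC_ADDR, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
        check_function("FindFirstFileW (hooked)", FUNC_ADDR, HOOKED_PROLOGUE, CLEAN_PROLOGUE),
    ]
    for r in reports:
        if not r.hooked:
            print(f"{r.function}: matches disk image")
        elif r.pattern:
            print(f"{r.function}: redirected via {r.pattern} to {r.target:#x} "
                  f"(first difference at +{r.first_diff_offset})")
        else:
            print(f"{r.function}: bytes differ at +{r.first_diff_offset}, no known stub shape")
    return reports


if __name__ == "__main__":
    demo()
```

A byte mismatch is a lead, not proof: relocation fixups, Windows hot-patch padding and legitimate instrumentation by security products also change prologues, so a real scanner compares against the relocated image and whitelists known modifiers before raising an alert.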