Rootkits Part 2 - Windows kernel Overview
Now I know I said I was going to write about how rootkits work for this post, but I figured it would be better to get an understanding of the Windows Kernel and then just get right to it and write a simple rootkit.
Through writing the rootkit you will gain an understanding of how they work, which is better than just reading about it. But first things first, you must have a understanding of the Windows kernel first.
Im sure most of you have an idea of what the kernel is from previous posts, but just to re-iterate. The Kernel is the core of an OS whether it be Windows, Linux or Mac OSX and even mobile OSs.
In the above image we can see that there is the User Mode and then the Kernel Mode.
From Microsoft Technet:
A Pentium microprocessor has four privilege levels, also known as rings, that control such things as memory access and access to certain sensitive CPU instructions (such as those related to security). Every thread executes at one of these privilege levels. Ring 0 is the most privileged level, with complete access to all memory and CPU instructions. Ring 3 is the least privileged level.In order to maintain compatibility with non-Intel systems, the Windows operating systems support only two levels of privilege--Ring 0 and Ring 3. When a thread is running in Ring 0, it is said to be in kernel mode. When a thread is running in Ring 3, it is said to be in user mode. Low-level operating system code executes in kernel mode, whereas, in general, user application code runs in user mode.Note that an application thread will switch from user mode to kernel mode when making certain API function calls that require a higher privilege level, such as those that involve accessing files or performing graphics-related functions. In fact, some user threads can spend more time in kernel mode than in user mode!However, when the kernel mode code is completed, the user thread is automatically switched back to user mode. This prevents the programmer from being able to write instructions that run in kernel mode--the programmer can call only system functions that run in kernel mode.
some of the core services provided by the kernel include process management, memory management, I/O managers,Cache manager, Scheduler, Security reference monitor, Lightweight Procedure Call and others. So what exactly do these services do?
Process management as you might imagine manages process and thread creation.
Memory manager deals with virtual address's, pagefaults, physical frame, and pagefile management.
I/O manager deals with plug & Play as well as power, it also maps user requests into IRP requests, implements services for drivers and configures and manages I/O devices.
The Cache manager deals with file-based chaching for the buffer file system I/O and is built over the memory manager.
The Scheduler Schedules thread execution on each processor.
Security reference monitor handles token management and access checks
Lightweight Procedure Call deals with user mode system services and RPC (Native)
The Kernel is organized into roughly three main things
NTOS (Kernel mode services) - which include runtime library, Scheduling, service execution, object management, I/O services, memory and processes. There is more to it than that but it is overwhelming.
Hardware Adaptation Layer (HAL) - provides insulation of NTOS and drivers from hardware dependencies IT also provides device access, timers, interrupt servicing, clocks and spinlocks.
Drivers - These are Kernel extensions and are mainly for device access.
Ok so that will be it for this post... I hope it gave you a decent understanding of the kernel and a little knowledge on organization and some services. We will learn more about the kernel and what we can do with it as we progress and start building rootkits.
If you want to read up on the Windows kernel, just Google search or check out some of the links below.