Windows Rootkits (and Bootkits) Guide v2

The picture from the movie Elysium

Hello folks and have a good day. If you follow my blog, you might know that my two previous blog posts discussed kernel-mode (km) malware - rootkits and bootkits - focusing on the Ring 0 tricks they employ and the timeline of their appearance. I'm excited to share version two of my research paper "Windows Rootkits Guide", now titled "Windows Rootkits and Bootkits Guide," which includes even more information than the first version. The biggest addition is a deep dive into bootkit families and the techniques they use (TTPs), alongside more details about rootkit techniques.

https://artemonsecurity.com/rootkits_bootkits_v2.pdf

The document is intended to be a comprehensive guide to Windows kernel-mode malware, with some exceptions and remarks as noted in it. Just like the first version, this guide includes direct document references to the research from which the information was taken. It has the structure of a reference book, which allows you to easily navigate from a specific malware family to its rootkit TTPs (Windows kernel tricks).

The new document covers information about:

  • More than 70 rootkit techniques and km tricks
  • More than 90 rootkit and bootkit families
  • About 250 web links to malware research

The following techniques are included:
  • Intercepting system services with 6 sub-techniques
  • Direct Kernel Object Manipulation (DKOM) with 15 sub-techniques
  • Inline patching kernel mode code with 9 sub-techniques
  • Intercepting driver object major functions and 10 sub-techniques
  • Intercepting IDT/ISR
  • Setting up itself as a filter driver and 4 sub-techniques
  • Using Windows kernel callbacks
  • Using and hiding NTFS Alternate Data Streams (ADS)
  • Keylogger
  • Windows IP Filtering
  • Disabling Windows kernel callbacks
  • The subject of bootkit infection with 4 sub-techniques
  • Defeating Driver Signature Enforcement (DSE) with 6 sub-techniques
  • 14 other uncategorized sub-techniques, including disabling/bypassing PatchGuard

The following web resources made this document possible:

Also, the following studies are dedicated to the same purpose, i.e. summarizing information about Ring 0 malware:

The research details the following malware families.


Article Link: A blog about rootkits research and the Windows kernel: Windows Rootkits (and Bootkits) Guide v2