Introducing the Rootkit Techniques Matrix and updates to the Guide
Introduction
Hello
Last year, I published a white paper called “Windows Rootkits and Bootkits Guide”. The idea behind this document was to summarize the kernel-mode techniques used by malware (rootkits and bootkits) to hide its presence in a compromised system. The guide also contains information about publicly known kernel-mode malware that utilizes rootkit modules, with almost three hundred links to the research materials the information was taken from.
This paper and its new version v2.1, which adds two new rootkit families, can be used as a reference to find information about existing rootkit families. However, the guide can’t provide an interactive experience for navigating rootkit techniques online. The Rootkit Techniques Matrix provides this experience, allowing one to navigate all techniques easily and to create a vector that refers to them. All information in the matrix was taken from the guide.
The idea for this matrix was inspired by the format of MITRE ATT&CK, but the number of TTPs in my case is much smaller. The text items in the matrix don’t contain their full descriptions as in ATT&CK; instead, I opted for tooltips. The text in each item is the technique ID, and the tooltip provides the description of the technique. You need to hover the cursor over an item to see its description. To create a vector of techniques, the list of techniques with their descriptions (below) can be used for quicker reference. A vector can be pasted into the input field, and the tooltips then provide information about the corresponding highlighted techniques.
In this post, you can also find the matrices of rootkit and bootkit families and the techniques they use. All links to the materials used can be found in the paper.
How To

The Rootkit Techniques
T1 Intercepting system services to control calls of basic Windows kernel functions
- T1.a Modifying SSDT (KiServiceTable)
- T1.b Modifying MSR_SYSENTER (IA32_SYSENTER_EIP, CS) for sysenter on x86
- T1.c Modifying KTHREAD.ServiceTable
- T1.d Modifying IDT[0x2E] system service interrupt
- T1.e Inline patching of KiSystemService or KiFastCallEntry (x86)
- T1.f Inline patching of Nt* functions from SSDT

T2 Direct Kernel Object Manipulation (DKOM) to manipulate Windows kernel structures
- T2.a Unlinking drivers from PsLoadedModulesList (LDR_DATA_TABLE_ENTRY)
- T2.b Unlinking processes from PsActiveProcessHead
- T2.c Unlinking threads from KiWaitInListHead, KiWaitOutListHead, KiDispatcherReadyListHead
- T2.d Modifying access token
- T2.e Removing objects from Ob object directory
- T2.f Removing driver objects from the list of driver objects
- T2.g Removing device objects from the list of device objects
- T2.h Forging ETHREAD fields
- T2.i Forging EPROCESS fields
- T2.j Erasing items in PspCidTable
- T2.k Erasing handles in the process handle table
- T2.l Intercepting object type dispatch functions (procedures)
- T2.m Forging DRIVER_OBJECT fields
- T2.n Hijacking or spoofing driver object
- T2.o Hijacking or spoofing device object

T3 Inline patching kernel-mode code (run-time patching, inline hooking, splicing)
- T3.a Ntoskrnl - Nt* functions, IofCallDriver, IofCompleteRequest, IoCreateFile, etc.
- T3.b FSD - Ntfs.sys, Fastfat.sys and attached filter and minifilter drivers (Filter Manager)
- T3.c TCP/IP, NDIS - Tcpip.sys, Ndis.sys and their related internal structures
- T3.d IP Filter Driver - Ipfilterdriver.sys
- T3.e SCSI Class System Dll - classpnp.sys
- T3.f Disk port drivers - atapi.sys, ataport.sys, storport.sys, scsiport.sys
- T3.g NULL Driver - Null.sys
- T3.h ACPI Driver for NT - acpi.sys
- T3.i MS QoS Packet Scheduler - psched.sys

T4 Intercepting driver object major functions or DriverUnload
- T4.a FSD - Fastfat.sys, Ntfs.sys to hide files
- T4.b TDI - Tcpip.sys, Ndis.sys, also NDIS_OPEN_BLOCK and NDIS_PROTOCOL_BLOCK handlers
- T4.c Disk port/miniport drivers - atapi.sys, ataport.sys, storport.sys, scsiport.sys
- T4.d Fast I/O Dispatch Routine (FastIoDeviceControl) - AfdFastIoDeviceControl of Afd.sys
- T4.e Network Store Interface (NSI) driver nsiproxy.sys to hide TCP ports
- T4.f NULL Driver - Null.sys to hide rootkit activity
- T4.g LiveKd debugger driver
- T4.h FS Filter Manager fltmgr.sys
- T4.i Disk driver disk.sys
- T4.j SCSI CD-ROM driver cdrom.sys

T5.a Intercepting IDT/ISR (excluding the case of hooking int 13h, which is used by almost all bootkits)

T6 Setting itself up as a filter driver (attaching to the device stack) for
- T6.a File System Driver (FSD), legacy or minifilter (fltmgr)
- T6.b Volume Manager (volmgr.sys, volmgrx.sys)
- T6.c TCP/IP stack, NDIS (tcpip.sys, ndis.sys)
- T6.d NSI driver nsiproxy.sys

T7 Using Windows kernel callbacks
- T7.a CmRegistry, LoadImageNotify, ObRegisterCallbacks

T8.a Using and hiding NTFS Alternate Data Streams (ADS)

T9.a Keylogger (attaching to \Device\KeyboardClass0)

T10.a Windows IP Filtering

T11 Disabling Windows kernel callbacks
- T11.a LoadImageNotify, CreateThreadNotify, CreateProcessNotify, CmRegistry, ObRegisterCallback

T12 Other tricks
- T12.a ObMakeTemporaryObject to remove the driver object’s name
- T12.b Disabling WFP callout drivers (via netio!gwfpGlobal)
- T12.c Disabling Event Tracing (ETW) (via nt!EtwpHostSiloState)
- T12.d Disabling System Loggers (via nt!EtwpActiveSystemLoggers)
- T12.e Disabling FS minifilter drivers (via unlinking the appropriate structures)
- T12.f Disabling Image Verification Callbacks
- T12.g Hidden (Encrypted) File System (VFS)
- T12.h Hiding services by unlinking the corresponding SERVICE_RECORD structure
- T12.i Preventing kernel memory dumps from being written by registering its own callback with KeRegisterBugCheckReasonCallback
- T12.j Replacing the HHIVE.GetCellRoutine pointer to get control over system registry operations
- T12.k Disabling FS minifilter drivers via FltUnregisterFilter
- T12.l Implementing its own private TCP/IP stack
- T12.m Disabling or bypassing PatchGuard
- T12.n Files signed by a stolen cert (x86) (for x64 refer to [T14.c])

T13 The target of bootkit infection (to survive potential OS reinstallation)
- T13.a Master Boot Record (MBR)
- T13.b Volume Boot Record (VBR)
- T13.c UEFI, the EFI System Partition (ESP)
- T13.d UEFI, SPI flash memory
- T13.e Legacy BIOS flash (by inserting a malicious ISA module)

T14 Defeating DSE (for x64 only)
- T14.a BYOVD to (covertly) load the driver, or to patch the Windows kernel’s DSE variables (g_CiEnabled)
- T14.b Signing the driver with a self-signed cert + reboot with the TESTSIGNING bootloader flag
- T14.c The driver has a valid digital signature (signed by a stolen cert)
- T14.d Exploitation of a Windows kernel vulnerability
- T14.e The bootkit loads the driver manually
- T14.f The bootkit patches the Windows kernel