Malware wants to run. But admins want to delete it. A rootkit is designed to solve this problem by actively lying to the operating system. If you ask "List all files", the rootkit intercepts the question and removes its own files from the answer. The name is "root" (the superuser) plus "kit": the tools that keep that level of access and keep it hidden.
Only Paranoia Survived
If your kernel is compromised, you cannot trust `ls`, `ps`, or `netstat`: they ask the kernel, and the kernel lies. Rootkits are found from outside the compromised system: boot from trusted external media (a live CD/USB) and inspect the disk offline, or image RAM and analyze it on a clean machine (section 5). Each view has a blind spot: an offline disk scan misses a rootkit that lives only in memory or in firmware, and a memory image taken by the compromised kernel can itself be filtered.
1. The Rings of Power
| Ring | Name | Description |
|---|---|---|
| Ring 3 | User Mode | Normal apps. User-mode rootkits hook the API DLLs inside each process (`ntdll.dll`, `kernel32.dll`) so that calls like `FindNextFile` filter the rootkit's own entries out. Cheap to build, but any unhooked process or a raw kernel query sees everything. |
| Ring 0 | Kernel Mode | The OS core. Kernel rootkits hook the syscall table (the SSDT on Windows, `sys_call_table` on Linux), inline-patch kernel functions, or edit kernel data directly (DKOM, below). Every process, the antivirus included, gets the lie. |
| Ring -1 | Hypervisor | Virtualization. Blue Pill (2006) migrated the running OS into a VM it controlled: the OS keeps running, unaware, while the hypervisor sees and mediates everything. The OS is trapped in a Matrix. |
| Ring -2 | SMM / UEFI | System Management Mode and the firmware in SPI flash. Runs below the OS and the hypervisor, and survives reinstalling or replacing the disk. |
2. DKOM (Direct Kernel Object Manipulation)
Older rootkits hooked functions (SSDT entries, inline patches), which leaves a pointer or a jump outside the legitimate kernel image that integrity checkers can spot. Newer rootkits leave the code alone and edit the kernel's own data structures in memory.
Hiding a Process:
In Windows every process has an `EPROCESS` structure, and all of them are chained into a doubly linked list through the `ActiveProcessLinks` field (`Flink`, the forward link, and `Blink`, the backward link), anchored at `PsActiveProcessHead`.
To hide `malware.exe`, the rootkit unlinks its entry: it sets the previous process's `Flink` to point at the next process and the next process's `Blink` to point at the previous process. The target's own `EPROCESS` is left in place.
Result: `malware.exe` is still running and getting CPU time, because the scheduler works from thread lists rather than this process list, but Task Manager (via `NtQuerySystemInformation`, which walks `ActiveProcessLinks`) skips right over it. The defence is cross-view detection: scan memory for `EPROCESS`-shaped objects (Volatility looks for the `Proc` pool tag) and diff that against the list walk; anything the scan finds and the walk does not is hidden.
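The unlink and the cross-view check that catches it, as an added example in C (not code from the original page or from any real rootkit). `LIST_ENTRY`, `EPROCESS`, `ActiveProcessLinks` and `PsActiveProcessHead` are the real kernel names; the field layout, the array that stands in for the nonpaged pool, and every function name here are this example's own simplifications.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* LIST_ENTRY exactly as the Windows kernel defines it. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Toy EPROCESS: only the fields this example needs (the real one has hundreds). */
typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    char ImageFileName[16];
    LIST_ENTRY ActiveProcessLinks;
} EPROCESS;

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

/* PsActiveProcessHead is the kernel's list head. `pool` stands in for the
 * nonpaged pool where EPROCESS objects actually live (assumption of this demo). */
static LIST_ENTRY PsActiveProcessHead;
static EPROCESS pool[8];
static size_t pool_count;

static void PsInit(void)
{
    PsActiveProcessHead.Flink = &PsActiveProcessHead;
    PsActiveProcessHead.Blink = &PsActiveProcessHead;
    pool_count = 0;
}

/* Allocate an EPROCESS and InsertTailList it into ActiveProcessLinks. */
static EPROCESS *PsCreate(unsigned long pid, const char *name)
{
    EPROCESS *p = &pool[pool_count++];
    memset(p, 0, sizeof *p);
    p->UniqueProcessId = pid;
    strncpy(p->ImageFileName, name, sizeof p->ImageFileName - 1);
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Flink = &PsActiveProcessHead;
    e->Blink = PsActiveProcessHead.Blink;
    PsActiveProcessHead.Blink->Flink = e;
    PsActiveProcessHead.Blink = e;
    return p;
}

/* The DKOM step: prev->Flink skips to next, next->Blink points back to prev.
 * The target object is neither freed nor otherwise modified. */
static void DkomUnlink(EPROCESS *target)
{
    LIST_ENTRY *e = &target->ActiveProcessLinks;
    LIST_ENTRY *prev = e->Blink;
    LIST_ENTRY *next = e->Flink;
    prev->Flink = next;
    next->Blink = prev;
    /* Point the orphaned entry at itself so a later unlink on exit
     * does not touch neighbours that may since have been freed. */
    e->Flink = e;
    e->Blink = e;
}

/* Find the object the way a rootkit with kernel access would and unlink it.
 * Returns 1 if the pid existed, 0 otherwise. */
static int DkomHidePid(unsigned long pid)
{
    for (size_t i = 0; i < pool_count; i++)
        if (pool[i].UniqueProcessId == pid) { DkomUnlink(&pool[i]); return 1; }
    return 0;
}

/* "pslist" view: walk the linked list like NtQuerySystemInformation does. */
static int PsListWalkHas(unsigned long pid)
{
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) {
        EPROCESS *p = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid) return 1;
    }
    return 0;
}

static int PsListWalkCount(void)
{
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) n++;
    return n;
}

/* "psscan" view: ignore the links and scan backing memory for objects.
 * Volatility keys on the "Proc" pool tag; here the pool is an array. */
static int PsPoolScanHas(unsigned long pid)
{
    for (size_t i = 0; i < pool_count; i++)
        if (pool[i].UniqueProcessId == pid) return 1;
    return 0;
}

/* Cross-view detection: in the scan but not in the walk means hidden. */
static int CrossViewHidden(void)
{
    int hidden = 0;
    for (size_t i = 0; i < pool_count; i++)
        if (!PsListWalkHas(pool[i].UniqueProcessId)) hidden++;
    return hidden;
}

int main(void)
{
    PsInit();
    PsCreate(4, "System");
    PsCreate(1337, "malware.exe");
    PsCreate(2000, "explorer.exe");
    DkomHidePid(1337);
    printf("walk sees 1337: %d  scan sees 1337: %d  hidden: %d\n",
           PsListWalkHas(1337), PsPoolScanHas(1337), CrossViewHidden());
    return 0;
}
```

The unlinked process is still a valid object in the pool, which is exactly why the scan-based view finds it; a rootkit that also scrubs its pool tag forces the analyst to fall back on other object lists (threads, handles, VADs) that point back at the same `EPROCESS`.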
3. Bootkits: Attacking the MBR/GPT
A rootkit loads with the OS. A bootkit loads before the OS.
Legacy BIOS: the Master Boot Record (MBR) is sector 0, the first 512 bytes of the disk: 446 bytes of boot code, a 64-byte partition table, and the `0x55AA` signature. The BIOS copies it into memory and jumps to it before any OS code runs.
Technique: overwrite the MBR boot code with the bootkit's stub, keeping the partition table intact, and stash the original MBR in an unused sector (sector 30, say, in the gap between the MBR and the first partition, which historically starts at sector 63 or 2048).
1. The BIOS loads the malicious MBR.
2. The stub hooks the BIOS disk interrupt (INT 13h) so it sees every sector the boot chain reads, then loads the original MBR from its stash and jumps to it so the boot continues normally.
3. As the boot manager and kernel are read from disk, the hook patches them in memory (disabling integrity checks, loading the rootkit driver). The user notices nothing.
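An added example, not from the page or from any real bootkit: a C parser for the MBR layout above plus the two checks a defender would run over a raw disk image, a hash of the boot code against a known-good baseline and a scan of the unallocated gap before the first partition for a stashed copy of the original MBR. The disk image is constructed in code (one NTFS partition at LBA 63, stash at sector 30, matching the technique above); the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE    512
#define DISK_SECTORS   64      /* constructed toy disk: 32 KiB */
#define BOOT_CODE_LEN  440     /* bytes 0..439; 440..443 is the disk signature */
#define PART_TABLE_OFF 446

typedef struct {
    uint8_t  status;           /* 0x80 = active/bootable */
    uint8_t  type;             /* 0x07 = NTFS/exFAT, 0xEE = protective GPT */
    uint32_t lba_first;
    uint32_t sector_count;
} PartEntry;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Parse a 512-byte MBR. Returns 0 on success, -1 if the 0x55AA signature is missing. */
static int ParseMbr(const uint8_t *sec, PartEntry out[4])
{
    if (sec[510] != 0x55 || sec[511] != 0xAA) return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + PART_TABLE_OFF + 16 * i;
        out[i].status = e[0];
        out[i].type = e[4];
        out[i].lba_first = rd32le(e + 8);
        out[i].sector_count = rd32le(e + 12);
    }
    return 0;
}

/* FNV-1a over the boot code only: disk signature and partition table are
 * excluded because they legitimately differ from machine to machine. */
static uint32_t BootCodeHash(const uint8_t *sec)
{
    uint32_t h = 0x811c9dc5u;
    for (int i = 0; i < BOOT_CODE_LEN; i++) { h ^= sec[i]; h *= 0x01000193u; }
    return h;
}

/* Scan the gap between the MBR and the first partition for a sector ending in
 * 0x55AA, i.e. a stashed MBR copy. Returns its LBA, or -1 if none. */
static int FindStashedMbr(const uint8_t *disk, uint32_t first_part_lba)
{
    uint32_t end = first_part_lba < DISK_SECTORS ? first_part_lba : DISK_SECTORS;
    for (uint32_t lba = 1; lba < end; lba++) {
        const uint8_t *s = disk + (size_t)lba * SECTOR_SIZE;
        if (s[510] == 0x55 && s[511] == 0xAA) return (int)lba;
    }
    return -1;
}

/* Constructed clean disk: a plausible boot stub and one NTFS partition at LBA 63. */
static void BuildCleanDisk(uint8_t *disk)
{
    memset(disk, 0, (size_t)DISK_SECTORS * SECTOR_SIZE);
    disk[0] = 0x33; disk[1] = 0xC0;                         /* xor ax,ax */
    for (int i = 2; i < BOOT_CODE_LEN; i++) disk[i] = (uint8_t)(i * 7);
    wr32le(disk + 440, 0xDEADBEEF);                         /* disk signature */
    uint8_t *e = disk + PART_TABLE_OFF;
    e[0] = 0x80; e[4] = 0x07;
    wr32le(e + 8, 63);
    wr32le(e + 12, 1);
    disk[510] = 0x55; disk[511] = 0xAA;
}

/* What the bootkit does: copy the original MBR to stash_lba, then replace the
 * boot code with its own stub while keeping partition table and signature. */
static void SimulateBootkitInfection(uint8_t *disk, uint32_t stash_lba)
{
    memcpy(disk + (size_t)stash_lba * SECTOR_SIZE, disk, SECTOR_SIZE);
    memset(disk, 0x90, BOOT_CODE_LEN);                      /* stand-in for the hook stub */
}

/* Build a clean disk, infect it if stash_lba != 0, and report detector findings
 * as flags: bit 0 = boot code differs from baseline, bit 1 = stash found at
 * stash_lba. Returns -1 if the MBR no longer parses. */
static int Scenario(uint32_t stash_lba)
{
    static uint8_t disk[DISK_SECTORS * SECTOR_SIZE];
    PartEntry p[4];
    BuildCleanDisk(disk);
    uint32_t baseline = BootCodeHash(disk);                 /* taken while known-good */
    if (stash_lba) SimulateBootkitInfection(disk, stash_lba);
    if (ParseMbr(disk, p) != 0) return -1;
    int flags = 0;
    if (BootCodeHash(disk) != baseline) flags |= 1;
    if (stash_lba && FindStashedMbr(disk, p[0].lba_first) == (int)stash_lba) flags |= 2;
    return flags;
}

int main(void)
{
    printf("clean disk flags: %d, infected disk flags: %d\n", Scenario(0), Scenario(30));
    return 0;
}
```

On a real image the baseline hash comes from a known-good copy of the same OS's MBR; the stash scan is cheap and catches the common case, but a bootkit that compresses or encrypts the stashed copy defeats it, so the boot-code comparison is the check that must not be skipped.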
4. Unified Extensible Firmware Interface (UEFI) Implants
The MBR is dead. Long live UEFI.
UEFI firmware lives on a flash chip on the motherboard (SPI flash), not on the hard drive. It loads a boot manager from the EFI System Partition on disk, but the implant that matters sits in the chip.
LoJax (APT28, documented by ESET in 2018): the first UEFI rootkit seen in the wild. It wrote a malicious UEFI driver into the SPI flash on machines whose firmware write protection was missing or misconfigured; at every boot that driver dropped its user-mode agent onto the Windows disk.
Permanence: format the hard drive and the infection is still there. Replace the hard drive and it is still there. The fix is to re-flash the SPI chip with a known-good image (a vendor firmware update may not rewrite every region, so a hardware programmer clipped to the chip is the reliable route) or replace the motherboard. The check to run before it happens: confirm that SPI write protection is actually enabled, for example with chipsec's `common.bios_wp` module; LoJax depended on it being off.
5. Detection: Hunter Tools
How do you find what cannot be seen?
5.1. Volatility Framework
The standard for memory forensics.
1. Acquire RAM to a file (`winpmem.exe` on Windows, LiME on Linux).
2. Analyze the image offline on a clean machine. Compare `pslist` (walks the `ActiveProcessLinks` list) against `psscan` (scans for `EPROCESS` pool allocations) to find DKOM-hidden processes, and use `ssdt` to spot syscall table entries that point outside the kernel image.
5.2. GMER & RootkitRevealer
These tools detect hiding by cross-view diffing: ask the high-level API, then read the raw data underneath and compare. "I called `FindNextFile` and got 10 files. I parsed the NTFS Master File Table from the raw volume and found 11. One is hidden." The same trick works for the registry (API versus the raw hive file) and for processes. The caveat: a kernel rootkit can hook the raw volume reads too, which is why out-of-band analysis (offline disk, memory image) remains the stronger approach.
Mitigation: Secure Boot
Secure Boot makes the firmware verify the digital signature (Authenticode) of every boot image it loads, starting with the bootloader (Windows Boot Manager), against the certificates in its `db` and rejecting anything listed in `dbx`. A tampered boot manager no longer verifies, so the PC refuses to boot it. This defeats MBR-style bootkits outright (there is no MBR code path under UEFI) and any modification of the bootloader. Two caveats a defender should keep in mind: Secure Boot verifies what the firmware loads, not the firmware itself, so a SPI-flash implant like LoJax runs underneath it (that layer needs Intel Boot Guard and measured boot with a TPM); and a signed but vulnerable bootloader can be replayed until it is revoked in `dbx`, which is how BlackLotus (2023) bypassed Secure Boot via CVE-2022-21894.