The term "rootkit" comes from "root kit," a package that gives the highest privileges in the system. It is used to describe software that allows unauthorized functionality to stay present in a system without being noticed. Rootkits modify and intercept core components of the environment (the operating system, or even deeper, in the case of bootkits). Attackers use them when they need to backdoor a system and preserve unnoticed access for as long as possible.

Depending on the layer at which they operate, rootkits can be divided into the following types:

Usermode (Ring 3): the most common and the easiest to implement. It uses relatively simple techniques, such as IAT and inline hooks, to alter the behavior of called functions. In addition, a usermode rootkit may record system activity and change the system's typical behavior in any way the attacker desires.

Kernelmode (Ring 0): the "real" rootkits start from this layer. They live in kernel space, altering the behavior of kernel-mode functions, so every usermode tool that relies on the kernel for its view of the system is deceived. A specific variant of kernelmode rootkit that attacks the bootloader, so that it is loaded before the kernel itself, is called a bootkit.

Hypervisor (Ring -1): running at the lowest level, as a thin hypervisor beneath the operating system. It uses the CPU's hardware virtualization extensions to run the original system as a guest, so that even the kernel does not see it.
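The usermode technique above, IAT hooking, is a pointer swap: the application calls imported functions through a table the loader filled in, so overwriting one slot redirects every call. The following C program is an added example, not code from the original article; it models the import table as a constructed array (`app_iat`, `export_lookup`) rather than parsing a real PE image, and the directory listing is constructed sample data. It shows the rootkit side (a hook that calls the original function and then filters out its own `rk_` files), the effect on the application, and the two checks a detector runs: comparing each IAT slot with the exporting module's address, and comparing a function prologue in memory with the copy on disk to catch an inline hook.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shape of the imported API we model: fills `out` with up to `max` names and
 * returns how many it wrote. Stands in for a directory-enumeration call. */
typedef int (*list_dir_fn)(const char **out, int max);

/* Constructed sample data: what the genuine API returns for one directory. */
static const char *const SAMPLE_DIR[] = {
    "notes.txt", "rk_payload.dll", "report.pdf", "rk_config.bin"
};

static int genuine_list_dir(const char **out, int max)
{
    int n = 0;
    for (size_t i = 0; i < sizeof SAMPLE_DIR / sizeof *SAMPLE_DIR && n < max; i++)
        out[n++] = SAMPLE_DIR[i];
    return n;
}

/* One import slot. A real IAT is an array of such slots that the loader fills
 * at load time; the application always calls through the slot, which is what
 * makes the slot worth overwriting. (Constructed stand-in for the PE IAT.) */
struct iat_slot {
    const char *name;      /* imported symbol name */
    list_dir_fn target;    /* pointer the loader resolved; a hook overwrites it */
};

static struct iat_slot app_iat[] = {
    { "list_dir", genuine_list_dir },
};

/* Exporting "module" the loader resolved from (constructed). The detector uses
 * it to learn where each import is supposed to point. */
static list_dir_fn export_lookup(const char *name)
{
    if (strcmp(name, "list_dir") == 0) return genuine_list_dir;
    return NULL;
}

/* --- rootkit side --------------------------------------------------------- */

static list_dir_fn saved_original;   /* way back to the real API */

/* Hooked replacement: calls the original, then drops entries whose names start
 * with "rk_", so the rootkit's own files never appear in the caller's listing. */
static int hooked_list_dir(const char **out, int max)
{
    int n = saved_original(out, max);
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], "rk_", 3) != 0)
            out[kept++] = out[i];
    return kept;
}

/* IAT hook: swap the slot's pointer and remember the original. In a real PE the
 * slot lives in a read-only page, so this is preceded by a call that makes the
 * page writable (VirtualProtect on Windows). Returns 1 if the slot was found. */
static int install_iat_hook(struct iat_slot *iat, size_t n, const char *name,
                            list_dir_fn hook)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(iat[i].name, name) == 0) {
            saved_original = iat[i].target;
            iat[i].target = hook;
            return 1;
        }
    }
    return 0;
}

/* --- application side ----------------------------------------------------- */

/* What the application sees: number of entries returned through the IAT slot. */
static int app_visible_entries(void)
{
    const char *names[16];
    return app_iat[0].target(names, 16);
}

/* --- detector side -------------------------------------------------------- */

/* IAT integrity check: every slot must point where the exporting module says
 * the symbol lives. Returns the number of mismatching (hooked) slots. */
static int count_hooked_slots(const struct iat_slot *iat, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (iat[i].target != export_lookup(iat[i].name))
            bad++;
    return bad;
}

/* Inline-hook check: compare a function's first bytes in memory with the copy
 * read from the file on disk. A patched prologue (for example an x86 E9 rel32
 * jmp written over the original instructions) no longer matches. */
static int prologue_patched(const uint8_t *in_memory, const uint8_t *on_disk, size_t n)
{
    return memcmp(in_memory, on_disk, n) != 0;
}

int main(void)
{
    printf("before hook: %d entries visible, %d hooked slots\n",
           app_visible_entries(), count_hooked_slots(app_iat, 1));
    install_iat_hook(app_iat, 1, "list_dir", hooked_list_dir);
    printf("after hook:  %d entries visible, %d hooked slots\n",
           app_visible_entries(), count_hooked_slots(app_iat, 1));
    return 0;
}
```

The two checks at the end are the same ones anti-rootkit tools apply to a live process: an import that resolves outside the module that exports it, or a prologue that differs from the on-disk image, is a hook. They work against a Ring 3 rootkit because the detector runs with at least the same privilege; once the hook is in the kernel (Ring 0), a usermode detector reading memory through kernel services can itself be lied to.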