All Questions
14 questions
7 votes, 1 answer, 2k views
Does CrowdStrike Falcon get validated by the Windows kernel as being crash-free?
With Linux, eBPF programs are validated as not causing crashes. Apparently that validation has had errors previously because of bugs in the Linux kernel. How is CrowdStrike Falcon implemented on ...
1 vote, 0 answers, 139 views
Is having no driver installed better than having old driver?
How safe are installed & genuine-vendor signed old drivers, specifically when attackers are spoofing Microsoft and other vendor certificates? On older PCs and laptops where some components are no ...
0 votes, 1 answer, 1k views
Is there a difference between a bootkit and a ring-0 rootkit?
I understand the difference between a Ring-0 rootkit and a Ring-3 rootkit, in terms of their hierarchical depth in computational models. That is kernel mode and usermode, respectively. I am confused ...
1 vote, 1 answer, 423 views
What physical damage can a user mode windows driver do?
If a driver runs in kernel mode it obviously can manipulate everything (well, everything in ring 0), so manipulating the file system or devices is a possibility. Potentially devices can be destroyed, ...
1 vote, 0 answers, 341 views
How to go about checking if Windows is running any untrusted drivers (programmatically)
I want to enforce a rule that my program start only if, at the time it launches, there are no untrusted kernel drivers running. I'm aware and have already tested file signature verification using ...
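One way to implement the check the question describes, as an added example that is not part of the question or any answer: enumerate the kernel drivers currently in the Running state through WMI, normalise their NT-style image paths, and verify each image's Authenticode (or catalog) signature from user mode. The set of allowed publisher names is an assumption; adjust it to your environment.

```powershell
# Added example (not from the question): refuse to start if any running
# kernel driver is unsigned, invalidly signed, or signed by a publisher
# outside an allow-list. Assumes Windows PowerShell 5.1 or PowerShell 7 on
# Windows with read access to the driver images.

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName may be spelled as \??\C:\..., \SystemRoot\...,
    # system32\drivers\..., or a plain Win32 path; normalise to a Win32 path.
    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UntrustedRunningDrivers {
    # Assumed allow-list: Microsoft's own inbox driver signer and the WHQL
    # publisher used for third-party drivers. Extend as needed.
    param([string[]]$TrustedSubjects = @(
        'Microsoft Windows',
        'Microsoft Windows Hardware Compatibility Publisher'))

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'"
    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }   # a few pseudo-drivers have no image
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name=$d.Name; Path=$path; Status='ImageNotFound'; Signer=$null }
            continue
        }
        # On Windows 8+ this also consults security catalogs, so catalog-signed
        # inbox drivers report Valid even without an embedded signature.
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $allowed = $TrustedSubjects | Where-Object { $signer -like "*CN=$_*" }
        if ($sig.Status -ne 'Valid' -or -not $allowed) {
            [pscustomobject]@{ Name=$d.Name; Path=$path; Status=$sig.Status; Signer=$signer }
        }
    }
}

$untrusted = @(Get-UntrustedRunningDrivers)
if ($untrusted.Count -gt 0) {
    $untrusted | Format-Table -AutoSize
    Write-Warning "Refusing to start: $($untrusted.Count) running driver(s) failed the trust check."
    exit 1
}
"All running drivers carry a valid signature from an allowed publisher."
```

Two caveats a practitioner would want: this is a point-in-time snapshot taken from user mode, so a driver loaded a moment later is not caught, and a kernel-mode component can lie to WMI about what is loaded; and "validly signed" is not the same as "trustworthy", since a legitimately signed but exploitable driver can be loaded by an attacker. The kernel-enforced answers are code-integrity policies (HVCI/WDAC) and Microsoft's vulnerable-driver blocklist, with a user-mode check like this serving only as a sanity gate.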
10 votes, 2 answers, 1k views
How effective is Windows KDP for exploit mitigation in practice?
Windows Kernel Data Protection is a kernel security feature which appears to use Extended Page Tables (EPT, a hardware virtualization feature) to enforce read-only pages. How effective is this at ...
1 vote, 1 answer, 918 views
Securing IPC between kernel and user-mode application
We are currently developing security software for Windows. This application consists of a service running in user mode and a driver in kernel mode. These two need to communicate, so that the service ...
3 votes, 1 answer, 575 views
Injecting data into the Windows entropy pool
On Linux, it is possible for userspace to mix arbitrary data with the kernel entropy pool by writing to the /dev/urandom device. Is there any equivalent on Windows which does not require SYSTEM?
2 votes, 1 answer, 1k views
Kernel32.dll, Kernelbase.dll and Malware
I noticed that the same malware will export CreateProcessInternalW from kernel32.dll in Windows 7 and KernelBase.dll in Windows 10. Why is it exporting the same function from different DLLs?
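To see for yourself which module really owns an export, here is an added example (not from the question or any answer) that resolves CreateProcessInternalW through GetProcAddress from both kernel32.dll and KernelBase.dll and reports which loaded module's address range the returned pointer falls in. GetProcAddress follows export forwarders, so if kernel32 merely forwards the name, the address lands inside KernelBase. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the helper names are mine.

```powershell
# Added example (not from the question): find which loaded module actually
# implements an export, even when another DLL forwards it.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr GetModuleHandleW(string lpModuleName);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
'@

function Resolve-ExportOwner {
    param([string]$Module, [string]$ProcName)
    $h = [Win32.Native]::GetModuleHandleW($Module)
    if ($h -eq [IntPtr]::Zero) { return $null }   # module not loaded in this process
    $addr = [Win32.Native]::GetProcAddress($h, $ProcName)
    if ($addr -eq [IntPtr]::Zero) {
        return [pscustomobject]@{ RequestedFrom=$Module; Export=$ProcName; Address=$null; Owner='(not exported)' }
    }
    # Walk the process's module list and pick the one whose [Base, Base+Size) holds the pointer.
    $a = $addr.ToInt64()
    $owner = [System.Diagnostics.Process]::GetCurrentProcess().Modules |
        Where-Object { $a -ge $_.BaseAddress.ToInt64() -and
                       $a -lt ($_.BaseAddress.ToInt64() + $_.ModuleMemorySize) } |
        Select-Object -First 1 -ExpandProperty ModuleName
    [pscustomobject]@{
        RequestedFrom = $Module
        Export        = $ProcName
        Address       = ('0x{0:X}' -f $a)
        Owner         = $owner
    }
}

'kernel32.dll', 'kernelbase.dll' |
    ForEach-Object { Resolve-ExportOwner -Module $_ -ProcName 'CreateProcessInternalW' } |
    Format-Table -AutoSize
```

The same technique is useful on the defensive side: a detection that hooks or monitors only kernel32 exports will miss a caller that resolves the implementing module directly, which is exactly what a malware sample that switches between kernel32 and KernelBase by OS version is doing.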
4 votes, 0 answers, 165 views
What is known about the latest vulnerability related to Linux Page Table Isolation patches? [duplicate]
Recently, on the Hacker News front page, there was a post mentioning a new vulnerability that seems to affect Intel processors. The post is mostly speculation and there is no PoC or exploit that I'm ...
3 votes, 1 answer, 280 views
How does Windows schedule a thread when the thread has no process?
I have heard that some rootkits try to hide themselves by destroying the process object (nt!_EPROCESS?) but keeping the thread alive (nt!_ETHREAD?). That way they are not visible in tools like Task ...
-1 votes, 1 answer, 397 views
A few questions about kernel attacks
Yesterday I read something about the kernel and possible attacks on it. And I have some questions about this attack approach: 1. The kernel is the core of the whole OS. So if I take control over the kernel, can I do ...
28 votes, 4 answers, 5k views
How Do Rootkits & Other Low-Level Malware Still Manage to Load on Systems Protected by Secure Boot (and TB/MB)?
Let me try asking my question this way... Let's say that I'm an offensive cyber Bad Guy working for a foreign state-sponsored Advanced Persistent Threat unit. My unit is charged with, say, stealing ...
2 votes, 0 answers, 789 views
Did DKOM trigger PatchGuard on x64 Windows?
DKOM can be used to hide processes and drivers. It works well on x86 systems. However, there is PatchGuard on x64 systems. Can PatchGuard detect DKOM?