Beyond User Space: A Deep Dive into Kernel-Level Rootkits, Kernel Drivers, DKOM and Process Access Tokens

  • Wed 15 Nov, 15:40
In this session we will talk about kernel-level rootkits.

We will start by explaining what kernel space and user space are, then talk about hooks and how security solutions take advantage of them, and show the difference between user-space hooks and kernel-space hooks. We will then cover kernel drivers and the difficulties of loading kernel drivers on Windows (e.g. signed drivers, stolen signed drivers, HVCI for driver integrity).

Next, we will talk about process access tokens and logon sessions, show demos of changing access tokens to illustrate the concept, and talk about Direct Kernel Object Manipulation (DKOM) and how attackers can use it to hide drivers or processes. Lastly, we will talk about ways to mitigate and defend against these attacks.