home

The Land/Ring Terminology

Operating System (OS) processes requests at different levels. This layered architecture is called a protection ring, which comprises of 4 hierarchical levels. Requests are allocated resources based on the process and priority levels. Ring0 [highest in priority] is the kernel-mode/kernel land, where kernel processes run. Ring 1 and 2 are for various device drivers to run on, though many OS [including Windows] never use these 2 levels of the ring. Ring 3 is the user-mode/user land, where the user processes run.

Figure 1. Protection Ring

Why is protection ring important? Well, let us look at an analogy that explains this architecture in simpler terms. Consider the outer-most ring as your perimeter/fencing around the house. Many can attempt to cross the fencing and a few can succeed depending on the deterrence, detection and prevention techniques used. Warning boards and video surveillance warning messages act as deterrence. Video cameras and [pressure, motion, etc.] sensors could be used for detection. Security guards could help in prevention mechanism. In the protection ring architecture, Ring 3 is the least privilege mode and runs user program. Attackers would target this ring to start with, to enter the system. Client-side exploits such as buffer overflow, ActiveX exploits, and other exploits that run on client system.

Once the attacker has crossed the fence, in the golden days it was more secure. Since the fence was around the village and then the villagers acted as human sensors. Once the attacker crossed the villagers, he would then be facing a swamp of alligators and then forts layer after layer. But then, in the modern days there is no water for swamp or space for alligators. Things have become so small that we use only 2 layers out of the 4, or at least Windows does. Hence, if the attacker crosses the fence, the only other hurdle is the house itself. In the protection ring, this is the kernel. This is where the highest privileged processes run.

It does sound complicated, but it is really simple to understand with the following figure [2] that shows layered interaction from a user process to the hardware:

Figure 2. Interaction between layers - User, Kernel and Hardware

Just like translators in the real world, users need different levels of translation when they would have to interact with the hardware. Hardware understands machine language [1's and 0's], which is not easy for a user to talk. Hence, user codes in languages that is understandable to human [combination of English and system instructions]. This then has to be converted to assembly, and some humans know how to read and write assembly. Assembly language then gets translated to machine code. Even though this could seem like communication between the various layers, the true aspect of protection levels is to run processes of specific privileges at their respective layers, to provide resources based on requirement and for various other security reasons.

Blogs

Socialize with RootkitAnalytics

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Spy DLL Remover: Were you looking for a tool to detect userland rootkits in your Windows box?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0 dwtf is a DLL copying engine ... [read more]

Number of Installations

Spy DLL Remover32264
Elfstat1054
KsiD670
SHC504
dwtf415

Socialize with EvilFingers

Tweets

@EvilFingers yep. on 3. March 2010 19:15:10 CET :)

@EvilFingers np :) could it be that my mail from yesterday is lying in the spam folder again? :)

RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://bit.ly/8ZiI5o #zataz

@EvilFingers NP its also interesting to see various ways of detecting malware, another thing to add to my ToDo list.

RT @sucuri_security: RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: Signature Analytics Blog: Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: Signature Analytics Blog:Detecting Malware infections with Snort DNS Monitoring - http://sign.kaffenews.com/?p=104

RT @EvilFingers: I am trying to find some really good vbulletin skins/themes/templates, paid & free versions. contact.fingers@gmail.com

@EvilFingers I'm more than a little biased, but I say neither. Both are expensive, have far more features than I need, and are heavy srvr.

@EvilFingers I look short in this way on google. http://bit.ly/9XrPeG

www.spywareanalytics.com has just been released in the wild. Thanks for the service @EvilFingers

@EvilFingers SpywareAnalytics.com looks good...nice job!