Kernel mode misuse - possible ? [rookie question]

  • Question

  • Is it possible for a crook to write a kernel mode (malicious) DLL and package it as part of a "normal" software deployment? Like games and utilities.

    Is this even possible? Or do kernel mode drivers have a separate workflow for packaging and deployment that nobody can misuse? I'm a bit surprised at how open/easy it is for someone to write and misuse kernel mode access once the user mistakenly authorizes it with administrative privileges.


    StackDev

    Saturday, January 2, 2016 8:01 AM

Answers

  • First, as you noted, a kernel mode driver or kernel mode DLL must be installed with administrative privilege. Second, kernel mode software must be signed with a trusted digital certificate, or on 32-bit systems you will get a warning or, depending on settings, the software will not be installed. On 64-bit systems the software is not installed without a trusted digital certificate.

    This is not perfect, but it is reasonably good. This is why it is encouraged not to use administrative privilege. Note: with the versions of Windows since Vista, a user space component does not really need administrator to install.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    • Marked as answer by StackDev Sunday, January 3, 2016 4:25 AM
    Saturday, January 2, 2016 12:47 PM
  • I'll expand a bit on Don's answer. While it is true that all 64-bit drivers have to be signed by a trusted authority, with admin privileges, ANY certificate can be trusted, thus Don's admonition against giving users admin privileges.

    Hackers will frequently crack the licensing on popular software products, such as Photoshop, and add a malware component to the installer. So, when you install the program and it asks you if it is OK to grant admin privileges for the installer, most people will just click on OK, and now they've installed malware on their machines.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Marked as answer by StackDev Sunday, January 3, 2016 4:25 AM
    Sunday, January 3, 2016 3:10 AM
    Moderator
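A defender-side check for the situation Don and Brian describe, added here as an example and not taken from the thread: it enumerates the kernel-mode drivers currently loaded on a Windows host and reports each one's Authenticode status and signer, so an unsigned driver or one signed by an unfamiliar issuer stands out. It assumes an elevated PowerShell session on a stock Windows install and uses only built-in cmdlets.

```powershell
# Added example (not from the thread): report the signature status of every
# running kernel-mode driver. Run from an elevated PowerShell prompt so each
# driver's PathName is readable.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName is stored in several shapes: C:\..., \??\C:\..., \SystemRoot\...
    # or system32\drivers\... relative to the Windows directory. Normalise it.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
        Issuer = $sig.SignerCertificate.Issuer
    }
}

# Drivers whose signature does not verify at all.
Write-Host "Drivers with a non-Valid signature:"
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Path -AutoSize

# Drivers that verify, but whose issuer is not Microsoft. These are not
# necessarily bad (many vendors ship their own drivers), but each issuer
# should be one you recognise; an unfamiliar one is worth investigating.
Write-Host "Validly signed drivers with a non-Microsoft issuer:"
$report | Where-Object { $_.Status -eq 'Valid' -and $_.Issuer -notmatch 'Microsoft' } |
    Format-Table Name, Signer, Issuer -AutoSize
```

On a clean machine the first table is normally empty; compare the second table against what you expect from your hardware and installed software.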

All replies

  • Thanks for the replies Mr Don. Greatly helps. 

    StackDev

    Sunday, January 3, 2016 4:26 AM
  • Thanks for the replies Mr Brian. Greatly helps!

    Somehow I feel the whole infra for system security looks a bit weakly laid out? Or it could be the layman in me commenting on this. It just feels something better could have been done.


    StackDev

    Sunday, January 3, 2016 4:30 AM
  • That's because computer security was an after-thought. People learned to use computers without security, and then when security was added they didn't want to change their habits and learn how to do things differently. Every time manufacturers force new security features on people, they complain loudly and frequently disable the features. Fundamentally, the problem is that people are lazy.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Sunday, January 3, 2016 6:02 PM
    Moderator