The security features added in modern 64-bit versions of Windows raise the bar for kernel mode rootkits. The introduction of Driver Signature Enforcement prevents malware from loading an unsigned kernel mode driver. PatchGuard was introduced to protect the integrity of the running kernel, in order to prevent rootkits from modifying critical structures or hooking system calls. Although time has shown that these security measures are not perfect, and may in fact be bypassed while actively running, an alternative approach is to subvert the system by running code before any of the security features kick in.

Secure Boot has been introduced to protect the integrity of the boot process. However, the model only works when booting from signed firmware (UEFI). Legacy BIOS systems are still vulnerable. The Master Boot Record, Volume Boot Record, and the bootstrap code all reside in unsigned sectors on disk, with no security features in place to protect them from modification.

Using a combination of low level anti-rootkit techniques, emulation, and heuristic detection logic, we have devised a way to detect anomalies in the boot sectors for the purpose of detecting the presence of bootkits.

More here: https://www.blackhat.com/docs/us-14/materials/us-14-Haukli-Exposing-Bootkits-With-BIOS-Emulation-WP.pdf
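As an added illustration (not code from the whitepaper, which relies on BIOS emulation rather than this simpler check), the following parses a 512-byte MBR and applies a few defender-side heuristics: boot signature present, partition table sane, and the unsigned bootstrap code region matching a baseline hash. The sample MBRs, the baseline bytes and the `KNOWN_GOOD` set are constructed for the example.

```python
"""Parse a 512-byte MBR and apply simple bootkit-oriented integrity heuristics."""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445: unsigned bootstrap code, the bootkit's usual home
PART_TABLE_OFF = 446           # 4 partition entries x 16 bytes follow the code
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts (status, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # B status, 3x CHS start, B type, 3x CHS end, I LBA start, I sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, known_good_hashes: set) -> list:
    """Return a list of anomaly strings; an empty list means nothing suspicious was found."""
    if len(mbr) != MBR_SIZE:
        return ["MBR is not 512 bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()
    if digest not in known_good_hashes:
        findings.append(f"bootstrap code hash {digest[:16]}... not in baseline")
    parts = parse_partitions(mbr)
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("invalid partition status byte")
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample: given bootstrap code, one active NTFS-type partition, valid signature."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Constructed stand-in for the known-good bootstrap bytes recorded at baseline time.
BASELINE_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"
KNOWN_GOOD = {hashlib.sha256(BASELINE_CODE.ljust(BOOTSTRAP_LEN, b"\x00")).hexdigest()}

if __name__ == "__main__":
    print(check_mbr(build_sample_mbr(BASELINE_CODE), KNOWN_GOOD))   # []
    print(check_mbr(build_sample_mbr(b"\xEB\xFE"), KNOWN_GOOD))     # bootstrap hash not in baseline
```

On a real system the baseline hash would be taken from a trusted image of the disk's sector 0, and any later mismatch in the bootstrap region is the signal worth investigating.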