2020. 2. 16. 09:55 · No category
On both Windows and Linux (and any other modern OS), the answer is yes if the rootkit is running in kernel mode (as a kernel-mode driver / kernel module). If the rootkit is merely running as Administrator/SYSTEM/root but hasn't loaded anything into the kernel, it cannot directly write to kernel memory any more than any other user-mode application can (which is to say, not at all). It will need to load a kernel driver (which is trivial on Linux but slightly harder on Windows, mostly because modern Windows in its default configuration insists that kernel-mode drivers be signed with a trusted certificate).

The other option would be using a security vulnerability that allows writing to kernel memory. For a bug that requires already running as the super user (admin, root, or whatever) to exploit, the developer might not have prioritized the fix, because at that point you basically have full control anyhow (and can load code into the kernel if you want to). However, a bug that merely allows writing to arbitrary locations in memory might not be sufficient, because you want to rewrite instruction memory, and, as in user space, executable memory pages are mapped RX (Read-Execute, but not Write) by default. You'd need to re-map the page to allow writing, which is harder to find a vulnerability for.

If you don't mind forcing (or waiting for) a reboot, there are some more options. On Windows, you can disable the code signing requirement via 'testsigning' mode (though it puts visible text on the desktop and disables some DRM-related media functionality when you do so), or even configure the computer for kernel debugging (which has the same effect as testsigning mode).
Rootkit Ntoskrnl Executive Search
Using a kernel debugger, you can directly tamper with the memory of any process, user or kernel mode. However, running a kernel debugger from the machine that is being debugged would be tricky, because if you ever hit a breakpoint you would not be able to continue: the (malicious, in this case) debugger would be halted along with all other code on the system.
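From the defender's side, the two reboot-dependent settings the text mentions (testsigning mode and kernel debugging) are both visible in the boot configuration, so a host audit can flag them before a reboot ever takes place. The following is an added example, not code from the original post: it parses the text that `bcdedit /enum {current}` prints and reports the boot options that lower the bar for loading unsigned kernel code. `testsigning`, `debug` and `nointegritychecks` are real bcdedit options; the sample output, the helper names and the risk descriptions are constructed here for illustration.

```python
"""Flag Windows boot settings that weaken the kernel-mode code-signing bar.

Added example (not the original post's code). Parses the text printed by
`bcdedit /enum {current}` and reports the options the post discusses
(testsigning, kernel debugging) plus nointegritychecks. The sample output
below is constructed so the script runs offline on any OS.
"""
import platform
import re
import subprocess

# Boot options worth alerting on when their value is "Yes". The option
# names are real bcdedit settings; the explanations are a defender's reading.
RISKY_OPTIONS = {
    "testsigning": "test-signed / unsigned kernel drivers will load (Test Mode watermark shown)",
    "debug": "kernel debugging enabled; an attached debugger can read and write kernel memory",
    "nointegritychecks": "driver signature enforcement disabled at boot",
}

# Constructed sample: roughly what a boot entry looks like after
# `bcdedit /set testsigning on` and `bcdedit /debug on` have been run.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\WINDOWS\\system32\\winload.efi
description             Windows 10
locale                  en-US
inherit                 {bootloadersettings}
testsigning             Yes
debug                   Yes
osdevice                partition=C:
systemroot              \\WINDOWS
nx                      OptIn
"""

# bcdedit pads the key to a fixed column, so key and value are separated by
# two or more spaces; header lines ("Windows Boot Loader") use single spaces
# and the dashed separator has no second column, so neither matches.
KEY_VALUE_RE = re.compile(r"^(\S+)\s{2,}(\S.*?)\s*$")


def parse_bcdedit(text):
    """Turn bcdedit's 'key<spaces>value' lines into a dict with lower-cased keys."""
    entries = {}
    for line in text.splitlines():
        m = KEY_VALUE_RE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def find_weak_settings(entries):
    """Return {option: explanation} for every risky option whose value is Yes."""
    return {
        opt: why
        for opt, why in RISKY_OPTIONS.items()
        if entries.get(opt, "No").strip().lower() == "yes"
    }


def audit_boot_entry(text=None):
    """Audit one boot entry. With no text given, run bcdedit live (Windows only).

    bcdedit needs an elevated prompt; on other platforms pass captured output.
    """
    if text is None:
        if platform.system() != "Windows":
            raise RuntimeError("bcdedit is only available on Windows; pass its output as text")
        text = subprocess.run(
            ["bcdedit", "/enum", "{current}"],
            capture_output=True, text=True, check=True,
        ).stdout
    return find_weak_settings(parse_bcdedit(text))


if __name__ == "__main__":
    findings = audit_boot_entry(SAMPLE_BCDEDIT_OUTPUT)
    for opt, why in findings.items():
        print(f"[!] {opt} = Yes: {why}")
    if not findings:
        print("[ok] no boot options weakening driver signature enforcement were found")
```

Run as-is, the script reports `testsigning` and `debug` from the constructed sample; on a Windows host, calling `audit_boot_entry()` with no argument runs `bcdedit` live (from an elevated prompt) and audits the current boot entry instead. Because these settings only take effect after a reboot, a periodic check of the boot configuration gives a window to investigate before unsigned kernel code can actually be loaded.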