DOCSLIB.ORG

Windows Kernel Hijacking Is Not an Option: Memoryranger Comes to the Rescue Again

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Journal of Digital Forensics, Security and Law Volume 16 Article 4 June 2021 Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again Igor Korkin Independent Researcher, [email protected] Follow this and additional works at: https://commons.erau.edu/jdfsl Part of the Computer and Systems Architecture Commons, Information Security Commons, OS and Networks Commons, Software Engineering Commons, and the Systems Architecture Commons Recommended Citation Korkin, Igor (2021) "Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again," Journal of Digital Forensics, Security and Law: Vol. 16 , Article 4. Available at: https://commons.erau.edu/jdfsl/vol16/iss1/4 This Article is brought to you for free and open access by the Journals at Scholarly Commons. It has been accepted for inclusion in Journal of Digital Forensics, Security and Law by an authorized administrator of (c)ADFSL Scholarly Commons. For more information, please contact [email protected]. Windows Kernel Hijacking Is Not an Option: MemoryRanger Comes to the Rescue Again Cover Page Footnote I would like to thank Benjamin Stein, a teacher of English, Kings Education, London, UK for his invaluable corrections of the paper. I am also extremely grateful to Michael Chaney, ERAU alumni, Cyber-Research Editor, USA, for his time and effort in checking a preliminary version of this paper and providing constructive feedback, which significantly contributed ot improving the quality of this paper. This article is available in Journal of Digital Forensics, Security and Law: https://commons.erau.edu/jdfsl/vol16/iss1/ 4 JDFSL 2021 WINDOWS KERNEL HIJACKING IS NOT AN OPTION: MEMORYRANGER COMES TO THE RESCUE AGAIN Igor Korkin, PhD Independent Researcher Moscow, Russian Federation [email protected] ABSTRACT The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files open in exclusive access. The third attack escalates process privileges, without applying token swapping. Although Windows security experts have issued new protection features, access attempts to the dynamically allocated data in the kernel are not fully controlled. MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks as well as supporting the Windows 10 1903 x64. Keywords: hypervisor-based protection, Windows kernel, hijacking attacks on memory, memory isolation, Kernel Data Protection 1. INTRODUCTION nerabilities. Researchers consider that “ker- nel modules (drivers) introduce additional The security of users’ data and applications attack surface, as they have full access to depends on the security of the OS kernel the kernel’s address space” (Yitbarek and code and data. Modern operating systems Austin, 2019). At the recent DEF CON include millions of lines of code, which makes hacking conference researchers from Eclyp- it impossible to reveal and remediate all vul- sium released a list of more than 40 drivers nerabilities. Attackers can exploit the OS from Microsoft-certified hardware vendors, vulnerabilities to perform malicious actions. which are prone to privilege escalation at- Windows OS kernel remains one of the most tacks (Jesse and Shkatov, 2019). Another vul- desired targets for hackers. Another big chal- nerability in a signed third-party driver was lenge of OS kernel protection is the third- presented at the Blue Hat IL conference by party kernel-mode drivers, which execute at security experts from the Microsoft Defender the same high privilege level as the OS ker- ATP Research Team. The vulnerable driver nel, and they also include a variety of vul- uses a watchdog mechanism based on user © 2021 JDFSL Page 1 JDFSL 2021 APC injection, which can also be exploited access to the kernel memory. All drivers have by attackers to bypass driver signature en- full access to the system and can be used by forcement and gain escalated privileges. (Ra- attackers. Windows security features provide paport, 2019). Recently revealed Banking limited kernel memory protection. trojan “Banload”, which targets bank cus- Threat model Let us assume that using tomers in Brazil and Thailand, applied a various approaches, intruders are able to exe- malicious kernel-mode component to fight cute malicious kernel code. This paper analy- with anti-malware and banking protection ses two types of attacks on kernel data, which programs. This digitally signed malware result in the following, see Figure 1: driver is designed “to remove software drivers and executables belonging to anti-malware • gaining access to the files open in an and banking protection programs”, such as exclusive mode (Handle Hijacking and AVG, Avast, IBM Trusteer Rapport (Bisson, Hijacking NTFS data structures); 2019; Kremez, 2019). Kernel-mode drivers • escalating process privileges without us- were also used during the recent RobbinHood ing the token swapping technique (Token ransomware attack. Hackers installed a le- Hijacking). gitimate driver and exploited its vulnerabil- ity to temporarily disable the Windows OS For the attacks on files, a legal driver cre- driver signature enforcement. Finally, they ates a file via ZwCreateFile with zero flag installed a malicious kernel driver (Cimpanu, ShareAccess, which gives the caller exclusive 2020). Notorious cryptocurrency mining mal- access to the open file. While the file remains ware also applies kernel-mode rootkits to pre- opened all attempts to gain access to this file vent them from being terminated. Windows- via ZwCreateFile are in vain. Windows OS based crypto miner infected more than 50000 detects this illegal access and returns a status servers from 90 countries (Harpaz and Gold- sharing violation code (0xC0000043), which berg, 2019; O’Donnell, 2019). The Microsoft indicates that “a file cannot be opened be- Security team do their best to maintain a cause the share access flags are incompatible” high level of OS kernel protection by issuing (Microsoft, 2019). various security features, for example, Mi- This research reveals two different attacks, crosoft Kernel Patch Protection (KPP) aka which bypass Windows security features and PatchGuard etc. At the same, time secu- successfully gain unauthorized access to the rity researchers and rootkit developers are files opened without shared access by patch- discovering different techniques to bypass ing OS internal data structures, related to PatchGuard. The most notable of them was the Object Manager and NTFS driver com- GhostHook, which abused the Intel Processor ponents. The third attack escalates process Trace (PT) feature to overcome PatchGuard privileges by patching the static and the vari- and patch the kernel. Cimpanu (2019) under- able portions of _TOKEN structure, without lines that two recently published bypassing using token swapping or token stealing tech- techniques InfinityHook and ByePg “estab- niques. This type of attack is mapped to lish a permanent foothold in the kernel itself MITRE ATTCK (2020) under Access Token and open the door for the return of rootkits Manipulation. The type of escalation privi- on Windows 10”. We can see that on the one lege attack based on SeImpersonatePrivilege hand, all drivers and the OS kernel share the function is out of the scope of this paper same memory space, and on the other hand, (Bisht, 2020). All newly proposed attacks are there are no built-in mechanisms to restrict working transparently on Windows 10 1903 Page 2 © 2021 JDFSL JDFSL 2021 64 bit as well as for its security features, such the file opened in an exclusive mode. These as Patch Guard, Device Guard, and Security two hijacking attacks are based on modifying Reference Monitor. the OS internal data structures involved in To prevent all these attacks on Windows file operations. OS kernel data the updated MemoryRanger hypervisor will be presented. MemoryRanger 2.1 Control Flow and Internal prevents attacks on files by running newly Data Structures Involved loaded drivers in separated kernel spaces as in Read and Write File well as restricting access to the correspond- Operations ing sensitive memory areas. The newest key feature of MemoryRanger allows it to run a Windows OS provides four main kernel API special data enclave for sensitive OS kernel routines to create, read/write, and close files: data, such as _TOKEN structures. This en- ZwCreateFile, ZwReadFile, ZwWriteFile, Zw- clave includes these sensitive OS structures, Close. During file operations, several OS ker- OS kernel core, and a limited number of OS nel components are involved (Russinovich, kernel built-in drivers. This new scheme pre- Solomon, and Ionescu, 2012; Tanenbaum and vents illegal access from all drivers whether Bos, 2014). Each time a driver calls ZwCre- loaded before and after MemoryRanger. The ateFile the control goes to the following OS remainder of the paper is as follows. Sec- kernel subsystems: I/O manager, Object tion 2 provides the details of the control flow Manager, Security Reference Monitor, NTFS and corresponding internal data structures driver, and finally, the control goes to the involved during file operations in kernel mode. low-level drivers, such as Disk Filter Driver Two examples of hijacking attacks on files will and Disk Class Driver. These are in charge of be given. Section 3 presents the details of access to the physical disk. The key features access control issues in the Windows OS ker- revealed by Korkin (2019) are that Security nel and shows how attackers can hijack the Reference Monitor checks access rights to the corresponding structure in order to escalate file for ZwCreateFile routine, while routines the process privileges. Section 4 contains the ZwReadFile, ZwWriteFile are uncontrolled details of adapting MemoryRanger to prevent by the Security Reference Monitor.
Recommended publications
  • Win32 API 1.Pdf

    Win32 API 1.Pdf

    Win32 Programming for Microsoft Windows NT Windows NT is designed to address the changing requirements of the computing world. It is written mainly in C and is crafted in such a way as to make its functionality extensible, and to ease the porting of the code from one hardware platform to another. This enables the ability to take advantage of multiprocessor and RISC computers, and to distribute tasks to other computers on the network, transparently. Whilst providing applications and users with the ability to use the power of local and remote machines, Windows NT must offer compatibility to applications and users. Users must feel comfortable with the interface, and be able to run existing high-volume applications. Existing applications have to port simply to the new environment to take advantage of its power. So, the user interface is compatible with existing Microsoft systems and existing programming APIs are supported and have been extended. To be considered a major player in the server arena, Windows NT has to offer reliable, robust support for ‘mission critical’ software. This means the system should be fault tolerant, protecting itself from malfunction and from external tampering. It should behave predictably and applications should not be able to adversely affect the system or each other. It should also have a security policy to protect the use of system resources, and implement resource quotas and auditing. Networking is built in, with high level programming and user interfaces available. Remote access to other machines on various networks is almost transparent. Because applications have to perform to an expected level, the system should be fast and responsive on each hardware platform.
  • Installation and Configuration Guide

    Installation and Configuration Guide

    NetApp SANtricity® SMI-S Provider 11.53 Installation and Configuration Guide December 2019 | 215-13407_C0 [email protected] Table of Contents About This Guide ............................................................................................................................. 1 Overview of the NetApp SANtricity SMI-S Provider ...................................................................... 1 What’s New ................................................................................................................................1 Abbreviations, Acronyms, Terms, and Definitions ........................................................................ 1 Supported Profiles and Subprofiles ............................................................................................. 1 Supported Operating Systems for SMI-S .................................................................................... 2 Supported Firmware Versions ........................................................................................................ 3 System Requirements ..................................................................................................................... 3 Installing and Uninstalling SMI-S Provider ..................................................................................... 4 Windows operating system install and uninstall process ............................................................... 4 Installing SMI-S Provider (Windows operating system) .....................................................
  • Windows Kernel Hijacking Is Not an Option: Memoryranger Comes to The

    Windows Kernel Hijacking Is Not an Option: Memoryranger Comes to The

    WINDOWS KERNEL HIJACKING IS NOT AN OPTION: MEMORYRANGER COMES TO THE RESCUE AGAIN Igor Korkin, PhD Independent Researcher Moscow, Russian Federation [email protected] ABSTRACT The security of a computer system depends on OS kernel protection. It is crucial to reveal and inspect new attacks on kernel data, as these are used by hackers. The purpose of this paper is to continue research into attacks on dynamically allocated data in the Windows OS kernel and demonstrate the capacity of MemoryRanger to prevent these attacks. This paper discusses three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files open in exclusive access. The third attack escalates process privileges, without applying token swapping. Although Windows security experts have issued new protection features, access attempts to the dynamically allocated data in the kernel are not fully controlled. MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks as well as supporting the Windows 10 1903 x64. Keywords: hypervisor-based protection, Windows kernel, hijacking attacks on memory, memory isolation, Kernel Data Protection. 1. INTRODUCTION the same high privilege level as the OS kernel, and they also include a variety The security of users’ data and of vulnerabilities. Researchers applications depends on the security of consider that “kernel modules (drivers) the OS kernel code and data. Modern introduce additional attack surface, as operating systems include millions of they have full access to the kernel’s lines of code, which makes it address space” (Yitbarek and Austin, impossible to reveal and remediate all 2019).
  • Leveraging Forticlient with Microsoft Defender: 6 Use Cases

    Leveraging Forticlient with Microsoft Defender: 6 Use Cases

    SOLUTION BRIEF Leveraging FortiClient with Microsoft Defender: 6 Use Cases Executive Overview A compromised endpoint can quickly infect an entire enterprise network—which FortiClient Features Include: is why endpoint devices are now a favorite target for cyber criminals. More than an endpoint protection platform that provides automated, next-generation threat nnSecurity Fabric Connector. protection, FortiClient connects endpoints with the Security Fabric. It enables Enables endpoint visibility and endpoint visibility and compliance throughout the Security Fabric architecture. compliance throughout the Combining FortiClient with OS-embedded protection, such as Microsoft Security Fabric architecture. Defender or Microsoft Defender ATP, enhances these capabilities, providing nnVulnerability scanning. an integrated endpoint and network security solution that reinforces enterprise Detects and patches endpoint defenses, reduces complexity, and enhances the end-user experience. vulnerabilities. nn Improving Protection of Endpoint Devices Anti-malware protection. Employs machine learning (ML), FortiClient provides automated threat protection and endpoint vulnerability scanning to help artificial intelligence (AI), and maintain endpoint security hygiene and deliver risk-based visibility across the Fortinet Security cloud-based threat detection Fabric architecture. As a result, organizations can identify and remediate vulnerabilities or in addition to pattern-based compromised hosts across the entire attack surface. malware detection. In some cases, customers may wish to take advantage of certain FortiClient features while nnAnti-exploit engine. Uses leaving existing third-party protections in place. For example, in instances where there are signatureless, behavior-based policies in an organization that require two different antivirus (AV) vendors on an endpoint protection against memory and for governance or compliance reasons, the need for FortiClient alongside a third-party AV fileless attacks; detects exploit solution such as Microsoft Defender is necessitated.
  • Guide to Hardening Windows 10 Technical Guide

    Guide to Hardening Windows 10 Technical Guide

    NOVEMBER 2020 Guide to Hardening Windows 10 For Administrators, Developers and Office Workers TABLE OF CONTENTS Introduction .......................................................................................................................... 4 Prerequisites ............................................................................................................................ 4 User roles ................................................................................................................................. 4 EFI (BIOS) Configuration ...................................................................................................... 5 To be enabled: ......................................................................................................................... 5 To be disabled: ......................................................................................................................... 5 Windows Defender Firewall .................................................................................................. 6 Enable logging of dropped packets ............................................................................................. 6 Disable enforcement of local rules and disable notifications .......................................................... 7 Block outbound connections by default ....................................................................................... 8 Secure potentially vulnerable protocols ......................................................................................
  • Microsoft Expands Capabilities and Platforms for Microsoft Defender ATP

    Microsoft Expands Capabilities and Platforms for Microsoft Defender ATP

    REPORT REPRINT Microsoft expands capabilities and platforms for Microsoft Defender ATP JULY 31 2020 By Fernando Montenegro The company has been pouring significant resources into growing its capabilities as a provider of security functionality. It appears to be making significant inroads into the endpoint security space, given its role behind the Windows OS and on account of its Defender ATP offering, which was recently updated. THIS REPORT, LICENSED TO MICROSOFT, DEVELOPED AND AS PROVIDED BY 451 RESEARCH, LLC, WAS PUBLISHED AS PART OF OUR SYNDICATED MARKET INSIGHT SUBSCRIPTION SER- VICE. IT SHALL BE OWNED IN ITS ENTIRETY BY 451 RESEARCH, LLC. THIS REPORT IS SOLELY INTENDED FOR USE BY THE RECIPIENT AND MAY NOT BE REPRODUCED OR RE-POSTED, IN WHOLE OR IN PART, BY THE RECIPIENT WITHOUT EXPRESS PERMISSION FROM 451 RESEARCH. ©2020 451 Research, LLC | WWW.451RESEARCH.COM REPORT REPRINT Introduction Endpoint security had been growing in importance as a key component of security architecture even before the COVID-19 health crisis. Back then, key trends such as user mobility, BYOD and increased use of encryption already meant that properly securing and capturing telemetry from endpoints was crucial for protection, detection and incident response. The COVID-19 crisis merely accelerated this as network connectivity patterns changed and corporate offices sat empty. In recent years the endpoint security market has seen significant change, including the rise in popularity of Microsoft’s offerings, particularly its Microsoft Defender Advanced Threat Protection (MDATP) component. The company has been expanding the capabilities of the product as it adds support for new environments and partners.
  • The Flask Security Architecture: System Support for Diverse Security Policies

    The Flask Security Architecture: System Support for Diverse Security Policies

    The Flask Security Architecture: System Support for Diverse Security Policies Ray Spencer Secure Computing Corporation Stephen Smalley, Peter Loscocco National Security Agency Mike Hibler, David Andersen, Jay Lepreau University of Utah http://www.cs.utah.edu/flux/flask/ Abstract and even many types of policies [1, 43, 48]. To be gen- erally acceptable, any computer security solution must Operating systems must be flexible in their support be flexible enough to support this wide range of security for security policies, providing sufficient mechanisms for policies. Even in the distributed environments of today, supporting the wide variety of real-world security poli- this policy flexibility must be supported by the security cies. Such flexibility requires controlling the propaga- mechanisms of the operating system [32]. tion of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted ac- Supporting policy flexibility in the operating system is cess rights. Previous systems are lacking in at least one a hard problem that goes beyond just supporting multi- of these areas. In this paper we present an operating ple policies. The system must be capable of supporting system security architecture that solves these problems. fine-grained access controls on low-level objects used to Control over propagation is provided by ensuring that perform higher-level functions controlled by the secu- the security policy is consulted for every security deci- rity policy. Additionally, the system must ensure that sion. This control is achieved without significant perfor- the propagation of access rights is in accordance with mance degradation through the use of a security decision the security policy.
  • DAC Vs. MAC Bell-La Padula Model [BL]

    DAC Vs. MAC Bell-La Padula Model [BL]

    DAC vs. MAC Bell-La Padula model [BL] Most people familiar with discretionary access View the system as subjects accessing objects • • control (DAC) - The system input is requests, the output is decisions - Unix permission bits are an example - Objects can be organized in one or more hierarchies, H - Might set a file private so only group friends can read it (a tree enforcing the type of decendents) Discretionary means anyone with access can Four modes of access are possible: • • propagate information: - execute – no observation or alteration - Mail [email protected] < private - read – observation Mandatory access control - append – alteration • - Security administrator can restrict propagation - write – both observation and modification - Abbreviated MAC (NOT to be confused w. Message The current access set, b, is (subj, obj, attr) tripples Authentication Code or Medium Access Control) • An access matrix M encodes permissible access types • (as before, subjects are rows, objects columns) 1/39 2/39 Security levels Security properties A security level is a (c, s) pair: The simple security or ss-property: • • - c = classification – E.g., unclassified, secret, top secret - For any (S, O, A) b, if A includes observation, then level(S) ∈ - s = category-set – E.g., Nuclear, Crypto must dominate level(O) (c , s ) dominates (c , s ) iff c c and s s - E.g., an unclassified user cannot read a top-secret document • 1 1 2 2 1 ≥ 2 1 ⊇ 2 - L dominates L sometimes written L L or L L The star security or ⋆-property: 1 2 1 ⊒ 2 2 ⊑ 1 • - levels then form a lattice (partial order w.
  • What Is Active Directory

    What Is Active Directory

    What is Active Directory Originally created in the year 1996, Active Directory, also referred as an AD, was first used with Windows 2000 Server as a directory service for Windows domain networks. Active Directory is a special purpose database, which serves as a central location for authenticating and authorizing all the users and computers within a network. Active Directory uses the Lightweight Directory Access Protocol (LDAP), an application protocol used for accessing and maintaining directory information services distributed over an IP network. What is Active Directory? The basic internal structure of the Active Directory consists of a hierarchical arrangement of Objects which can be categorized broadly into resources and security principles. Some of the examples of Active Directory objects are users, computers, groups, sites, services, printers, etc. Every Object is considered as a single entity with some specific set of attributes. The attributes of Objects along with the kind of objects that can be stored in the AD are defined by a Schema. The intrinsic framework of Active Directory is divided into a number of levels on the basis of visibility of objects. An AD network can be organized in four types of container structure namely, Forest, Domains, Organizational Units and Sites. y Forests: It is a collection of AD objects, their attributes and set of attribute syntax. y Domain: Domain is a collection of computers objects in the AD which share a common set of policies, a name and a database of their members. y Organizational Units: OUs are containers in which domains are grouped. They are used to create a hierarchy for the domain to resemble the structure of the Active Directory's company in organizational terms.
  • Hypervisor-Based Active Data Protection for Integrity And

    Hypervisor-Based Active Data Protection for Integrity And

    The 13th Annual ADFSL Conference on Digital Forensics, Security and Law, 2018 HYPERVISOR-BASED ACTIVE DATA PROTECTION FOR INTEGRITY AND CONFIDENTIALITY OF DYNAMICALLY ALLOCATED MEMORY IN WINDOWS KERNEL Igor Korkin, PhD Security Researcher Moscow, Russia [email protected] ABSTRACT One of the main issues in the OS security is providing trusted code execution in an untrusted environment. During executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users’ private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can cause not just hiding a malware driver, process privilege escalation, and stealing private data but also failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts for newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on newest Windows 10 1709 x64. Keywords: hypervisor-based protection, Windows kernel, Intel, CNC security, rootkits, dynamic data protection. 1. INTRODUCTION The vulnerable VirtualBox driver (VBoxDrv.sys) Currently, protection of data in computer memory has been exploited by Turla rootkit and allows to is becoming essential. Growing integration of write arbitrary values to any kernel memory (Singh, ubiquitous Windows-based computers into 2015; Kirda, 2015). industrial automation makes this security issue critically important.
  • The Windows Operating System, Such As the Logon Process and the Session Manager

    The Windows Operating System, Such As the Logon Process and the Session Manager

    TTHEHE WWINDOWSINDOWS OOPERATINGPERATING SSYSTEMYSTEM William Stallings This document is an extract from Operating Systems: Internals and Design Principles, Fifth Edition Prentice Hall, 2005, ISBN 0-13-147954-7 Copyright 2005 William Stallings TTABLEABLE OFOF CCONTENTSONTENTS 2.5 MICROSOFT WINDOWS OVERVIEW...........................................................................3 History............................................................................................................................3 Single-User Multitasking...............................................................................................5 Architecture....................................................................................................................7 Operating System Organization.........................................................................7 User-Mode Processes.......................................................................................10 Client/Server Model.....................................................................................................11 Threads and SMP.........................................................................................................13 Windows Objects.........................................................................................................13 4.4 WINDOWS THREAD AND SMP MANAGEMENT.....................................................17 Process and Thread Objects.........................................................................................18
  • Kernel Integrity Analysis

    Kernel Integrity Analysis

    Project CS2 AAVR Kernel Integrity Analysis Major Qualifying Project Submitted to the Faculty of Worcester Polytechnic Institute in partial fulfillment of the requirements for the Degree in Bachelor of Science in Computer Science By Caleb Stepanian [email protected] Submitted On: October 27, 2015 Project Advisor: Professor Craig Shue [email protected] This report represents work of WPI undergraduate students submitted to the faculty as evidence of a degree requirement. WPI routinely publishes these reports on its web site without editorial or peer review. For more information about the projects program at WPI, see http: // www. wpi. edu/ Academics/ Projects . Abstract Rootkits are dangerous and hard to detect. A rootkit is malware specifically de- signed to be stealthy and maintain control of a computer without alerting users or administrators. Existing detection mechanisms are insufficient to reliably detect rootkits, due to fundamental problems with the way they do detection. To gain control of an operating system kernel, a rootkit edits certain parts of the kernel data structures to route execution to its code or to hide files that it has placed on the file system. Each of the existing detector tools only monitors a subset of those data structures. This MQP has two major contributions. The first contribution is a Red Team analysis of WinKIM, a rootkit detection tool. The analysis shows my attempts to find flaws in WinKIM's ability to detect rootkits. WinKIM monitors a particular set of Windows data structures; I attempt to show that this set is insufficient to detect all possible rootkits. The second is the enumeration of data structures in the Windows kernel which can possibly be targeted by a rootkit.