There’s recently been a great deal of talk about Windows for x86-64. One interesting feature of this operating system is that modifying the system structure is forbidden – this includes modifying:
- kernel system tables, such as KeServiceDescriptorTable
- the Interrupt Description Table (IDT)
- the General Description Table (GDT)
The stack cannot be used in kernel mode unless expressly permitted by the kernel. The operating system will also check certain parts of kernel code for integrity, and modifying these parts of code will cause a Blue Screen of Death.
This last check is performed only on native AMD64 systems (but not on Intels’ EM64T clones).
The security measures applied in the new operating system which aim to protect the address space will make developing new rootkits very complicated, since many of them aim to modify the handler execution path (for instance, intercepting KeServiceDescriptorTable) and the system structures.
So the good news is that the majority of today’s rootkits will be unable to function in kernel mode under this new operating system