•First Generation Rootkits
–Replaced / Modified system files on the victim’s harddisk
•Second generation Rootkits
–Modify static OS components / structures loaded in memory
•Table based hooking approaches (IAT, EAT, SSDT, IDT)
•Inline function hooking
•Kernel and user mode rootkits
•Third Generation Rootkits
–Modify dynamic OS objects loaded in memory
•Direct Kernel Object manipulation (DKOM)
•Kernel Objects represent just about everything in the system (processes, threads, drivers, security tokens, etc…) so the possibilities are virtually unlimited.
•Exclusively kernel mode rootkits
•Fourth Generation Rootkits
–Virtual memory subversion
•Modify the page table - ITLB & DTLB e.g. Shadow Walker
•Fifth Generation Virtualization based – Blue pill, SubVirt
–No hooks in system!