The kernel is the heart of modern operating systems. Code executing in kernel mode has full access to all memory, including the kernel's own code and data, to all CPU instructions, including the privileged ones, and to all hardware. For this reason only the most trusted software should be allowed to run in kernel mode.
Today we are facing an emerging threat in the form of kernel-mode malware. By kernel-mode malware we mean malicious software that executes as part of the operating system and therefore has full access to the computer's resources. Because it runs at the same privilege level as the security software meant to stop it, such malware can bypass software firewalls and can be almost impossible to detect or remove even when the best anti-virus solutions are in use.
This paper examines the most important malware cases that have used kernel-mode techniques over the last few years. The research is limited to malware running on Windows NT and later versions of the operating system. It looks at the possible motives for malware authors to move their creations into kernel mode, and it provides a detailed analysis of the key techniques that make such malware possible.