Subverting the Witness: Windows Rootkits, Ring 0, and the Trust Problem That Won't Die

A virus wants to reproduce. A rootkit wants to stay.

More precisely: a rootkit wants to become the operating system's memory of what is running. Destruction and exfiltration come later. The first objective is to own the record. To become the source of truth that every monitoring tool, every task manager, every security scanner consults when it asks the question: what is actually happening on this machine?

If you own the answer to that question, you own the machine. The user can look directly at the process list and see a clean system. The administrator can run diagnostics and get reassuring output. The security tool can scan and report nothing. The malware is present, active, and consuming resources — and the OS has simply stopped reporting it.

Greg Hoglund and James Butler documented exactly how this worked in Rootkits: Subverting the Windows Kernel (2005). Two decades later, the technique is still operational. The delivery method has changed. The target has moved deeper. The trust problem has not been solved.

---

Ring 0 and the Hierarchy of Truth

The x86 architecture divides CPU privilege into rings. Ring 3 is where applications run — your browser, your text editor, your terminal. Ring 0 is where the operating system kernel runs. The kernel has access to everything: physical memory, hardware registers, the complete list of every process, thread, file, and network connection on the system.

When your Task Manager asks what processes are running, it does not look directly at the hardware. It asks the kernel. The kernel tells it. The kernel is the witness.

A rootkit that achieves Ring 0 access does not need to hide from the hardware. It needs to modify what the witness reports.

The 2005 technique was the SSDT hook — System Service Descriptor Table. The SSDT is the kernel's index of system calls: a table of function pointers that maps every system call name to its actual implementation. When any application — including security tools — calls ZwQuerySystemInformation to get the process list, the kernel looks up that function in the SSDT and executes it.

A rootkit with kernel access replaces the pointer in that table with a pointer to its own function. The real function still runs — the rootkit calls it to get the genuine data. Then it filters the output before returning it to the caller.

// 2005-era SSDT hook: intercept the process list query
NTSTATUS HookedZwQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID                    SystemInformation,
    ULONG                    SystemInformationLength,
    PULONG                   ReturnLength)
{
    // Get the real answer from the real kernel function
    NTSTATUS status = OriginalZwQuerySystemInformation(
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength
    );

    // If the caller is asking for the process list, edit it
    if (SystemInformationClass == SystemProcessInformation) {
        RemoveProcessFromList(SystemInformation, TARGET_PID);
        // The caller now receives a list that omits the rootkit's process
    }

    return status;
}

The Task Manager calls ZwQuerySystemInformation. It gets back a complete, accurate-looking list. The rootkit's process is not on it. The user sees a clean system. The wolf is in the room reading the newspaper.

---

DKOM: Editing the Kernel's Memory of Itself

The SSDT hook has a detection surface: if you know where the SSDT is and what the legitimate function pointers should be, you can check for modifications. Hoglund and Butler documented the deeper technique — Direct Kernel Object Manipulation.

The kernel maintains its own internal list of running processes in a structure called EPROCESS. Every process has an EPROCESS block. The blocks are linked in a doubly-linked list — each one points to the next and the previous. When the kernel needs to enumerate processes, it walks this list.

DKOM edits the list directly in kernel memory. No hook required. You find your process's EPROCESS block and relink the pointers around it — the previous entry points to the next entry, skipping yours entirely. The entry still exists in memory. The kernel has just stopped walking past it.

Before DKOM:
[svchost] ←→ [malware.exe] ←→ [explorer.exe]

After DKOM:
[svchost] ←→ [explorer.exe]
malware.exe still in memory — the list just no longer includes it

Tools that check for SSDT hooks find nothing because no hooks exist. The kernel consults its own data structures, which have been surgically modified. Even a kernel debugger examining the process list through the official API will not see the hidden process. You have to walk raw physical memory and compare it to the linked list to find the discrepancy.

This is the technique that made administrators distrust their own machines — a discrepancy between what the system reported and what was actually present, with no reliable way to know which one was the truth.

---

PatchGuard, HVCI, Secure Boot — and the Attack Surface Moved Down

Between 2005 and 2026, Microsoft deployed a serious stack of kernel defenses:

Kernel Patch Protection (PatchGuard) — introduced in 64-bit Windows, periodically checks critical kernel structures including the SSDT for unauthorized modifications. If it detects tampering, it issues a BSOD. This killed the naive SSDT hook on 64-bit systems.

Driver Signature Enforcement — kernel-mode drivers must be signed by Microsoft-approved certificates. Loading unsigned code into Ring 0 is blocked by default. This raised the cost of kernel access significantly.

Hypervisor-Protected Code Integrity (HVCI) — uses the CPU's virtualization extensions to place the kernel itself in a protected memory region that even Ring 0 code cannot write to. Code integrity checks run at the hypervisor level, below the OS.

Secure Boot — the UEFI firmware verifies the bootloader signature before executing it, and the bootloader verifies the kernel. An unsigned or tampered kernel should not load.

Each of these is a real defense. None of them solved the trust problem. They moved the attack surface.

---

BYOVD: Walking Through the Front Door

Bring Your Own Vulnerable Driver is the technique that made the 2005 playbook operational in 2026.

Driver Signature Enforcement means you cannot load your own unsigned kernel driver. It does not mean every signed kernel driver is secure. There is a long history of legitimate drivers — written by hardware vendors, signed by Microsoft, shipped in real products — that contain kernel-level vulnerabilities. Buffer overflows. Arbitrary memory read/write primitives. Direct hardware access that can be weaponized.

An attacker who finds one of these drivers does not need to bypass signature enforcement. They load the legitimate signed driver through the normal Windows driver loading mechanism. The OS accepts it — it is signed. Then they exploit the vulnerability in that driver to gain Ring 0 access and perform DKOM-style operations.

The RTCore64.sys driver, shipped with MSI graphics card software and legitimately signed, contains an arbitrary memory read/write vulnerability that has been used by multiple threat actors to kill EDR processes from kernel space. POORTRY and STONESTOP campaigns used signed drivers specifically to terminate security tooling before deploying ransomware. The BlackByte ransomware group used a vulnerable VirtualBox driver. The pattern is consistent: find a signed driver with a kernel primitive, use it as the Ring 0 crowbar.

PatchGuard is watching for unauthorized modifications to kernel structures. The authorized driver modifies them on the attacker's behalf. PatchGuard does not flag the legitimate driver.

---

The AI EDR Problem

Modern endpoint detection and response platforms — CrowdStrike Falcon, Microsoft Defender, SentinelOne — have shifted from signature-based detection to behavioral analysis. Machine learning models trained on process behavior, file access patterns, network activity, and kernel event telemetry. They do not look for known bad signatures. They look for anomalous behavior.

This is a genuine improvement. A novel rootkit that has no known signature will still produce behavioral patterns — suspicious kernel calls, unusual process relationships, timing anomalies in system call sequences — that a well-trained model can flag.

The problem is where the EDR agent lives.

The EDR kernel driver runs at Ring 0. It collects telemetry by hooking kernel callbacks — the same interfaces the OS uses to notify drivers of process creation, file operations, and network events. The AI model analyzing that telemetry runs on top of the kernel.

A firmware rootkit runs below it.

LoJax, attributed to APT28 and first documented in 2018, persists in the UEFI firmware — the software that runs before the OS loads, before Secure Boot runs its checks, before any kernel driver initializes. LoJax survives OS reinstalls, hard drive replacement, and PatchGuard entirely. It reimplants itself on every boot before the EDR agent has started.

BlackLotus, documented in 2023, is a UEFI bootkit that bypasses Secure Boot on fully patched Windows 11 systems by exploiting a vulnerability in the boot process itself. It loads before Secure Boot completes its verification. By the time the EDR agent initializes, the rootkit already controls the boot chain.

The AI model running on the EDR agent is analyzing telemetry collected by a kernel driver. If the rootkit is in firmware, the kernel driver's telemetry is already filtered. The AI is making decisions on a curated dataset. It is the 2005 Task Manager consulting a hooked SSDT — getting clean-looking data from a compromised witness.

The sophistication of the analysis does not matter if the data it analyzes has already been edited.

---

The Witness Moved to Firmware. The Battle Didn't Change.

Hoglund and Butler published Rootkits: Subverting the Windows Kernel in 2005. The core insight — that controlling the kernel means controlling the truth the system tells about itself — has not aged. The implementation has moved: from SSDT hooks to DKOM, from Ring 0 kernel drivers to BYOVD signed certificates, from OS-level persistence to UEFI firmware that survives below the OS entirely.

Microsoft's response has been real and technically serious. PatchGuard, HVCI, Secure Boot, and driver signing are all meaningful defenses. They have moved the attack surface downward, from the OS kernel to the firmware, from the software layer to the hardware trust chain. That is progress. The solution remains open.

The backwards compatibility requirement is the perpetual constraint. Code running on 2026 Windows must coexist with drivers, interfaces, and security models that were designed in 2005. Every legacy interface is a potential BYOVD target. Every signed driver from a vendor who stopped issuing security patches is a crowbar waiting to be picked up.

The lesson Hoglund and Butler wrote is the same lesson the firmware rootkits are still proving: if you control what the witness reports, you control what is true about the machine. Moving the witness deeper — from the kernel to the hypervisor to the firmware — changes where the battle is fought. It does not change what the battle is for.

The witness moves further still in the AI era. The classifier becomes the new ring 0, the prompt becomes the new SSDT hook, and the same architectural question shows up across the six vectors of agentic AI. Different layer, same battle for what counts as ground truth.

---

GhostInThePrompt.com // If the kernel is lying, the truth doesn't matter.

Reference: 'Rootkits: Subverting the Windows Kernel' — Greg Hoglund & James Butler (2005, Addison-Wesley).