The 'HAL' layer is below kernel-level

According to this:

http://silverstr.ufies.org/lotr0/terminology.html

Is this above or below the 'hardware bus driver'?
The 'hardware bus driver' is also very low-level.


Can rootkits/trojans run on the HAL layer?

 

If someone could get their code to run at that level, it would be quite an achievement, Process Guard would most likely block whatever it took to do this. Then to also do anything useful from that level would be an even greater achievement. So I doubt malware authors will ever use this layer.

 

I don't think so, the HAL just provides a nice simple way for programs to communicate with the hardware.

 

The HAL is one DLL, HAL.DLL loaded by the Windows kernel very very early in the boot process. In order to manipulate it in any way, they would need to load a kernel driver for starters which can be blocked by ProcessGuard.

Windows would probably still prevent access to any changes, anything which would be useful for an attacker. The result of any changes would also nearly always result in a hard reboot / bluescreen

 

Interesting stuff, isn't it guys?

Read this: http://www.tuningsoft.com/documents/irql.htm

It's all about super low-level stuff that goes on.