The 'HAL' layer is below kernel-level

Discussion in 'ProcessGuard' started by Tortle, Jun 10, 2004.

Thread Status:
Not open for further replies.
  1. Tortle

    Tortle Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7
    According to this:

    http://silverstr.ufies.org/lotr0/terminology.html

    Is this above or below the 'hardware bus driver'?
    The 'hardware bus driver' is also very low-level.


    Can rootkits/trojans run on the HAL layer?
     
    Last edited: Jun 10, 2004
  2. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    If someone could get their code to run at that level, it would be quite an achievement; Process Guard would most likely block whatever it took to do this. Then to also do anything useful from that level would be an even greater achievement. So I doubt malware authors will ever use this layer.
     
  3. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    I don't think so; the HAL just provides a nice simple way for programs to communicate with the hardware.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The HAL is one DLL, HAL.DLL, loaded by the Windows kernel very, very early in the boot process. In order to manipulate it in any way, they would need to load a kernel driver for starters, which can be blocked by ProcessGuard.

    Windows would probably still prevent access to any changes, anything which would be useful for an attacker. The result of any changes would also nearly always be a hard reboot / bluescreen.
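The practical consequence of the point above (a kernel driver has to be loaded before anything could touch the HAL) is that the thing to audit on a suspect machine is the on-disk HAL image and the set of kernel drivers the system knows about. The script below is an added example, not code from the thread or from DiamondCS/ProcessGuard; it uses only standard PowerShell cmdlets and WMI classes, assumes an elevated session on a modern Windows build, and the path normalisation rules in it are assumptions for illustration.

```powershell
# Added example (not from the original thread): hash and signature-check the on-disk
# HAL, then list running kernel drivers whose binaries are not validly signed.
# Assumes an elevated PowerShell 5.1+ session on Windows 8 or later.

function Get-HalInfo {
    # hal.dll lives in System32; this is the file the kernel maps at boot.
    $hal = Join-Path $env:SystemRoot 'System32\hal.dll'
    $sig = Get-AuthenticodeSignature -FilePath $hal
    [pscustomobject]@{
        File      = $hal
        SHA256    = (Get-FileHash -Path $hal -Algorithm SHA256).Hash
        Signature = $sig.Status          # 'Valid' when the catalog or embedded signature checks out
        Signer    = $sig.SignerCertificate.Subject
    }
}

function Get-RunningDriverSignature {
    # Win32_SystemDriver reflects what the service control manager knows about,
    # i.e. the same loading path a would-be HAL tamperer has to go through.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes back in several shapes: \??\C:\..., \SystemRoot\System32\...,
            # or a bare relative path. Normalise to an absolute file path (assumed rules).
            $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
            if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }

            $status = if (Test-Path -LiteralPath $p) {
                (Get-AuthenticodeSignature -FilePath $p).Status
            } else {
                'FileMissing'             # registered driver whose binary is gone: worth a look
            }

            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                Path      = $p
                Signature = $status
            }
        }
}

# Usage: show the HAL record, then only the drivers that fail signature validation.
Get-HalInfo | Format-List
Get-RunningDriverSignature |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Two caveats a practitioner would want: most Microsoft drivers and hal.dll itself are catalog-signed, so on older systems Get-AuthenticodeSignature may report them as NotSigned even though they are genuine, and the driver list comes from the service control manager, so a driver that has already hidden its own service entry will not appear here; the list is a first pass, not proof that nothing foreign is mapped in kernel memory.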
     
  5. Tortle

    Tortle Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    7