What Are Kernel and User Mode Attacks



To protect user applications from accessing or modifying critical operating system data, Windows uses two processor access modes, called user mode and kernel mode. User application code runs in user mode, whereas operating system code (such as system services and device drivers) runs in kernel mode. A process moves from one mode to the other only through entry points the kernel controls: system calls, interrupts and exceptions.


Kernel mode refers to a mode of execution in a processor that grants access to all system memory and all CPU instructions. By providing the operating system software with a higher privilege level than the application software has, the processor provides a necessary foundation for operating system designers to ensure that a misbehaving application can’t disrupt the stability of the system as a whole.

The boundary between user mode and kernel mode is an obviously attractive line for attackers to cross. If someone can insert code of their choosing into kernel mode, the system is utterly compromised: that code can read and write any memory, including that of security software, and nothing running at a lower privilege level can reliably detect or stop it. As you might imagine, Windows puts substantial barriers in the way of running arbitrary code in kernel mode, and it is generally quite difficult for low-privileged entities to do so.


There are, of course, exceptions. Two primary classes of kernel mode compromise occur:

  • Physical attacks against kernel-resident device drivers that parse raw input, such as packets from network connections or file systems on inserted media. A parsing bug in such a driver is a memory-corruption bug that executes with kernel privileges.


  • Logical attacks against the critical operating system structures that control access to kernel mode. These include certain protected kernel images (such as ntoskrnl.exe, hal.dll, and ndis.sys) and some internal routines the kernel keeps for debugging purposes; an attacker who can modify or hook them gains kernel execution without needing a memory-corruption bug.
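To make the first class concrete, here is an added example that is not code from the original article and not a real driver: a plain C model of the kernel-side parser for a length-prefixed record that arrives from outside the kernel (the channel might be a packet, an on-disk structure from inserted media, or an I/O control request from an application; the parsing logic is the same). The record format, the 64-byte name buffer, the `pool_page` layout with a neighbouring object, and all function names are hypothetical. The vulnerable parser trusts the record's own length field, so whoever crafted the record can overwrite whatever follows the buffer in kernel memory (modelled here as a callback pointer inside the same page, so the demonstration itself stays memory-safe); the hardened parser bounds the length against both the input and the destination before copying, which is the check every byte crossing into kernel mode needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real NTSTATUS values for the three outcomes the parsers can produce. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u

#define NAME_BUFFER_SIZE 64

/* Wire format of the hypothetical record. Everything in it, including
 * `length`, is controlled by whoever produced the input. */
struct name_record {
    uint32_t      length;   /* the record's claim of how many payload bytes follow */
    unsigned char data[];   /* the payload */
};

/* Model of kernel pool memory: the driver's name buffer sits at the start
 * of a page, immediately followed by a field that belongs to some other
 * object (a callback pointer). Layout is illustrative, not a real pool. */
struct pool_page {
    unsigned char name[NAME_BUFFER_SIZE];
    uintptr_t     neighbour_callback;
    unsigned char rest[4096 - NAME_BUFFER_SIZE - sizeof(uintptr_t)];
};

/* Vulnerable parser: only checks that the header is present, then lets the
 * record's own length drive the copy into the 64-byte buffer. */
uint32_t parse_name_record_vulnerable(struct pool_page *pool,
                                      const void *input, size_t input_len) {
    if (input_len < sizeof(struct name_record)) return STATUS_BUFFER_TOO_SMALL;
    const struct name_record *rec = input;
    /* pool->name is at offset 0 of the page; copying through the page pointer
     * is what lets the overrun land in the neighbour's field in this model. */
    memcpy((unsigned char *)pool, rec->data, rec->length);   /* BUG: unbounded */
    return STATUS_SUCCESS;
}

/* Hardened parser: the payload must really be inside the input buffer
 * (no over-read) and must fit the destination with room for a terminator. */
uint32_t parse_name_record_hardened(struct pool_page *pool,
                                    const void *input, size_t input_len) {
    if (input_len < sizeof(struct name_record)) return STATUS_BUFFER_TOO_SMALL;
    const struct name_record *rec = input;
    if (rec->length > input_len - sizeof(struct name_record)) return STATUS_INVALID_PARAMETER;
    if (rec->length >= NAME_BUFFER_SIZE) return STATUS_INVALID_PARAMETER;
    memcpy(pool->name, rec->data, rec->length);
    pool->name[rec->length] = 0;
    return STATUS_SUCCESS;
}

/* Constructed attacker input: 64 filler bytes to fill the name buffer, then
 * a pointer-sized value that lands on neighbour_callback. Returns bytes written. */
size_t build_malicious_record(unsigned char *out, size_t out_size, uintptr_t fake_callback) {
    const uint32_t payload_len = NAME_BUFFER_SIZE + sizeof(uintptr_t);
    size_t total = sizeof(struct name_record) + payload_len;
    if (out_size < total) return 0;
    struct name_record *rec = (struct name_record *)out;
    rec->length = payload_len;
    memset(rec->data, 'A', NAME_BUFFER_SIZE);
    memcpy(rec->data + NAME_BUFFER_SIZE, &fake_callback, sizeof fake_callback);
    return total;
}

struct outcome { uint32_t status; uintptr_t neighbour_callback; };

/* Deliver the malicious record to one parser on a fresh page and report the
 * status plus what the neighbour's callback slot holds afterwards. */
struct outcome run_against_malicious(uint32_t (*parser)(struct pool_page *, const void *, size_t)) {
    static struct pool_page page;                  /* 4 KiB: keep it off the stack */
    _Alignas(uint32_t) unsigned char buf[128];     /* record header needs 4-byte alignment */
    const uintptr_t original = 0x1000, attacker = 0x41414141;
    memset(&page, 0, sizeof page);
    page.neighbour_callback = original;
    size_t n = build_malicious_record(buf, sizeof buf, attacker);
    struct outcome o;
    o.status = parser(&page, buf, n);
    o.neighbour_callback = page.neighbour_callback;
    return o;
}

int main(void) {
    struct outcome v = run_against_malicious(parse_name_record_vulnerable);
    struct outcome h = run_against_malicious(parse_name_record_hardened);
    printf("vulnerable: status 0x%08x, neighbour callback now %#lx\n",
           v.status, (unsigned long)v.neighbour_callback);
    printf("hardened:   status 0x%08x, neighbour callback still %#lx\n",
           h.status, (unsigned long)h.neighbour_callback);
    return 0;
}
```

In a real driver the overwritten neighbour would be whatever the pool allocator placed next to the buffer, and the attacker would choose a value that the kernel later calls or dereferences; the two length checks in the hardened parser are the whole difference between a denied request and kernel code execution.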


Attacks against the kernel typically require great sophistication and are not common. Of course, once a working attack has been implemented and packaged for reuse, it can raise the prevalence of such attacks significantly, because running it needs none of the skill that discovering it did.


Rootkits are malicious programs that run inside the OS kernel with unrestricted access to system resources. Malware running in kernel mode performs all of its tasks at the kernel layer. Although it may need some help from the user (or from an exploit) to get installed, once operational it performs its assigned tasks without further user intervention.

Semi-kernel mode malware runs in both user mode and kernel mode. One deployment pattern places a .dll or .exe in user mode that has access to a companion kernel mode driver: the user-mode part issues requests to the driver, and the driver carries out the privileged work.

The advantage to criminals is that kernel malware is often missed by standard antivirus and antispyware products: running at the same privilege level as the operating system, it can hide its files, processes and registry keys from any tool that relies on the kernel to report them, and it can tamper with security software running in user mode. Modern 64-bit Windows raises the bar, since the kernel only loads drivers that carry a valid code signature and Kernel Patch Protection (PatchGuard) periodically checks critical kernel structures for modification, but a rootkit that does get into kernel mode still has those advantages.


