Skip to main content
Technologies operating at the kernel level are extensively used in various cybersecurity, virtualization, system control, and monitoring solutions. At the same time, some projects do not really need a driver solution with its potential complexity – a user mode implementation, e.g. based on various hooks, meets all requirements.
We’d like to generalize and share our experience of building kernel level and user level technologies for advanced attack detection and data management projects and provide you with a list of advantages and disadvantages of both approaches for various tasks.
We’ve chosen various system monitoring and management technologies, which are frequently required e.g. for collecting endpoint data when building advanced threat hunting platforms.
Contents
Introduction: What Is the Kernel/User Mode?
The Windows operating system uses two different CPU modes to run software: user mode and kernel mode. What is the kernel mode and what is the user mode?
The main difference between user mode and kernel mode, from the software development standpoint, lies in the level of access to system resources.
Kernel mode in the operating system management is reserved for the Windows kernel and various hardware drivers. Software running at the kernel level has full access to hardware and system resources. All other software runs at the user level, where applications are isolated within separate processes and don’t have direct access to hardware memory. User mode to kernel mode switching (and vice-versa) occurs as necessary depending on the code that’s running.
Common Pros and Cons
Windows kernel mode development is necessary when you need to create a driver that will run at the kernel level. This approach works great for tasks that require broad access to the system, such as in-depth endpoint system process monitoring applied by next-geneneration antiviruses or APT detection systems.
However, kernel mode programming is very complex: you need to use specific techniques to test your drivers, and errors can be hard to detect. Issues that are detected are often complex and hard to reproduce, localize, and fix. Moreover, any error at the kernel level can result in a complete and unrecoverable crash of the whole system.
User mode, on the other hand, is easier to work with. Software running at the user level has minimal impact on system stability since it runs in isolation – in the worst-case scenario, the software itself crashes without affecting the stability of the system as a whole. This makes it easier to test solutions and find and reproduce issues.
Despite the convenience that user mode provides, however, its capabilities are limited when it comes to certain monitoring and system control tasks that require broad access to system resources.
The choice between kernel mode vs user mode should be informed by these differences, but should also take into consideration the experience and familiarity of the developer with each mode. If a developer has limited experience with driver architecture and has never worked on driver components before, then it can be rather risky to go with a kernel mode implementation, since it may take a lot of time for the developer to learn the ropes, avoid common pitfalls, and create a stable solution.
Process Monitoring / Management
Technologies for monitoring and managing processes are an integral part of many cyber security and system management solutions. A number of advanced attack detection systems use detailed process monitoring as one of the important components.
Process monitoring and management can be implemented by creating a driver or using AppCertDlls and other hooks. The pros and cons of each approach are listed below.
|
|
Kernel-mode implementation See for example Process Monitoring and Management Tips |
User-mode implementation (AppCertDlls, other hooks) |
|
Benefits |
|
(common on any user mode implementation) |
|
Potential Problems |
|
|
File System Monitoring / Management
File system monitoring and management technologies open up a whole slew of possibilities in secure data access, malware file detection, virtualization, data management, and content delivery. Below, you’ll find a comparison of two file system monitoring and management implementations, one using a file system filter driver and the other heavily relying on hooks.
|
|
Kernel-mode implementation (Filters, file systems) See for example File System Virtualization |
User-mode implementation (Heavy use of user-mode hooks with a lot of functions from ntdll.dll and others) |
|
Benefits |
|
|
|
Potential Problems |
(common for any driver implementation) |
|
Network Monitoring and Management
Technology for monitoring and managing network activity has a wide range of applications in data management, network security, and network administration. In the comparison below, we list the major pros and cons of implementing network monitoring and management solutions in Windows using hooks versus using a custom driver.
|
|
Kernel-mode implementation
|
User-mode implementation
|
|
Benefits |
|
|
|
Potential Problems |
|
|
You can find a detailed research and comparison of driver-based and user mode implementation of network management tasks with source code in our article.
Keyboard / Keystroke Monitoring
Keystroke monitoring is a vital feature often employed in DLP and user monitoring solutions. It can be used for the purposes of investigation, compliance, and analysis of user behavior.
One implementation of keystroke monitoring in Windows involves the keyboard filter driver, while another uses the WH_KEYBOARD_LL hook. Check out the advantages and disadvantages of both approaches in the table below.
|
|
Kernel-mode implementation (Keyboard filter) |
User-mode implementation |
|
Benefits |
|
|
|
Potential Problems |
|
|
Looking for a pro kernel programming team? Let us know!
