At Apriorit, kernel and driver development is one of our key competences. We extensively use technologies operating at the kernel level in various security, virtualization, system control, and monitoring solutions that we develop for our clients. At the same time, some projects do not really need a driver solution with its potential complexity – a user mode implementation, e.g. based on various hooks, meets all requirements.

We’d like to generalize and share our experience of building kernel level and user level technologies and provide you with a list of advantages and disadvantages of both approaches for various tasks.

As we specialize first of all in security-related projects, we’ve chosen various system monitoring and management technologies that are frequently required for endpoint security solutions.

Contents

Introduction: What Is the Kernel/User Mode?

Common Pros and Cons

Network Monitoring and Management

Keyboard / Keystroke Monitoring

File System Monitoring / Management

Process Monitoring / Management

Written by: Apriorit Network Security Team (special thanks to Victor Milokum, Team Leader of Network Security Team)

Introduction: What Is the Kernel/User Mode?

The Windows operating system uses two different CPU modes to run software: user mode and kernel mode. What is the kernel mode and what is the user mode?

The main difference between user mode and kernel mode, from the software development standpoint, lies in the level of access to system resources.

Kernel mode in the operating system is reserved for the Windows kernel and various hardware drivers. Software running at the kernel level has full access to hardware and system resources. All other software runs at the user level, where applications are isolated within separate processes and have no direct access to hardware or to memory outside their own address space. Switches from user mode to kernel mode (and back) occur as necessary, for example on every system call, depending on the code that’s running.

Common Pros and Cons

Windows kernel mode development is necessary when you need to create a driver that will run at the kernel level. This approach works great for tasks that require broad access to the system, such as system management or enhanced monitoring.

However, kernel mode programming is very complex: you need to use specific techniques to test your drivers, and errors can be hard to detect. Issues that are detected are often complex and hard to reproduce, localize, and fix. Moreover, any error at the kernel level can result in a complete and unrecoverable crash of the whole system.

User mode, on the other hand, is easier to work with. Software running at the user level has minimal impact on system stability since it runs in isolation – in the worst-case scenario, the software itself crashes without affecting the stability of the system as a whole. This makes it easier to test solutions and find and reproduce issues.

Despite the convenience that user mode provides, however, its capabilities are limited when it comes to certain monitoring and system control tasks that require broad access to system resources.

The choice between kernel mode and user mode should be informed by these differences, but it should also take into consideration the developer’s experience and familiarity with each mode. If a developer has limited experience with driver architecture and has never worked on driver components before, a kernel mode implementation can be rather risky, since it may take a lot of time to learn the ropes, avoid common pitfalls, and create a stable solution.

Network Monitoring and Management

Technology for monitoring and managing network activity has a wide range of applications in cyber security and network administration. In the comparison below, we list the major pros and cons of implementing network monitoring and management solutions in Windows using hooks versus using a custom driver.

Kernel-mode implementation (WFP monitoring; WFP + redirection + service; NDIS)

Benefits

  • Only officially documented features are used, which means good compatibility with future OS updates
  • The Redirect-2-localhost architecture allows easy porting to another OS
  • NDIS allows easy implementation of speed throttling or virtual adapters if necessary

Potential Problems

  • Can conflict with other redirects and internet security software, as well as with some network software (for example, the Npcap Loopback Adapter)
  • Windows 7 and later require a different implementation than Windows XP or Vista

User-mode implementation (socket hooks)

Benefits

  • The full context of a process/user/session call is always available
  • No conflicts with other redirects
  • Performance can be tuned for individual processes

Potential Problems

  • Memory requirements are much higher than in kernel mode
  • A driver is still required for injecting into the process address space
  • Harder to implement than in kernel mode
  • Code cannot be ported to another OS
  • Conflicts with other hooks, Device Guard mode, future OS updates, as well as security software, including antivirus software and protection suites
  • Not secure: users can remove hooks without administrator permission

You can find detailed research and a comparison of driver-based and user-mode implementations of network management tasks, with source code, in our article on the subject.
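The conflicts listed above (other redirects, security suites, the Npcap Loopback Adapter) all show up as competing WFP filters on the same layers, so a practical first check before deploying a WFP-based monitor or redirect-to-localhost component is to inventory what is already registered. The PowerShell script below is an added example, not code from the article or from Apriorit. It assumes that `netsh wfp show filters file=<path>` (run from an elevated shell) writes an XML document whose `/wfpdiag/filters/item` elements carry `displayData/name`, `providerKey`, `layerKey`, `action/type` and `filterId`, which is the layout Windows 10 produces; the function names and the default layer pattern (the ALE_AUTH_CONNECT and ALE_CONNECT_REDIRECT layers, where outbound connections are authorized and redirected) are choices made for this example.

```powershell
# Added example (not part of the Apriorit article): inventory the WFP filters
# registered on this host, grouped by provider, layer and action, so that a
# kernel-mode monitoring or redirect-to-localhost component can be checked
# against other redirects and security products registered on the same layers.
#
# Assumptions: 'netsh wfp show filters file=<path>' (elevated shell) writes an
# XML document whose /wfpdiag/filters/item elements carry displayData/name,
# providerKey, layerKey, action/type and filterId. That layout is what
# Windows 10 produces; treat the element names as an assumption elsewhere.

function Get-NodeText {
    # Returns the text of a child node selected by XPath, or '' if it is absent.
    param([System.Xml.XmlNode]$Node, [string]$XPath)
    $n = $Node.SelectSingleNode($XPath)
    if ($null -eq $n) { '' } else { $n.InnerText }
}

function Get-WfpFilterInventory {
    [CmdletBinding()]
    param(
        # Keep only filters whose layer name matches this regex, e.g. 'ALE_AUTH_CONNECT'.
        [string]$LayerPattern = '.*'
    )

    $xmlPath = Join-Path $env:TEMP ('wfp-filters-{0}.xml' -f [guid]::NewGuid())
    try {
        # netsh dumps the complete filter table into the named file.
        $null = & netsh.exe wfp show filters file="$xmlPath"
        if (-not (Test-Path -LiteralPath $xmlPath)) {
            throw "netsh did not produce '$xmlPath'; run this from an elevated shell."
        }
        [xml]$doc = Get-Content -LiteralPath $xmlPath -Raw

        foreach ($item in $doc.SelectNodes('/wfpdiag/filters/item')) {
            $layer = Get-NodeText $item 'layerKey'
            if ($layer -notmatch $LayerPattern) { continue }
            [pscustomobject]@{
                FilterId    = Get-NodeText $item 'filterId'
                Name        = Get-NodeText $item 'displayData/name'
                Layer       = $layer
                Action      = Get-NodeText $item 'action/type'
                ProviderKey = Get-NodeText $item 'providerKey'
            }
        }
    }
    finally {
        Remove-Item -LiteralPath $xmlPath -Force -ErrorAction SilentlyContinue
    }
}

function Get-WfpLayerSummary {
    # One row per (provider, layer, action) with a count, so that several
    # providers acting on the same connect/redirect layer are easy to spot.
    param(
        [string]$LayerPattern = 'ALE_AUTH_CONNECT|ALE_CONNECT_REDIRECT'
    )
    Get-WfpFilterInventory -LayerPattern $LayerPattern |
        Group-Object -Property ProviderKey, Layer, Action |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Usage (elevated): summarize who is filtering or redirecting outbound connections.
Get-WfpLayerSummary | Format-Table -AutoSize
```

Two or more provider keys with FWP_ACTION_BLOCK or callout actions on the same ALE_CONNECT_REDIRECT layer are exactly the situation in which one redirect silently wins over another, which is the conflict the table above warns about; the per-layer counts make that visible before the product is installed rather than after a support ticket.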

 

Keyboard / Keystroke Monitoring

Keystroke monitoring is a vital feature often employed in cyber security and parental control solutions. It can be used for the purposes of investigation, compliance, user action monitoring, and analysis of user behavior.

One implementation of keystroke monitoring in Windows involves a keyboard filter driver, while another uses the WH_KEYBOARD_LL hook. Check out the advantages and disadvantages of both approaches in the table below.

Kernel-mode implementation (keyboard filter driver)

Benefits

  • More reliable message delivery

Potential Problems

  • Achieving compatibility with different types of keyboards (RDP, USB, PS/2, etc.) can require additional effort
  • Can be hard to match a message with the receiving window

User-mode implementation (WH_KEYBOARD_LL hook)

Benefits

  • Easy implementation
  • A message can easily be matched with the receiving window

Potential Problems

  • Monitoring is possible only within the current session

File System Monitoring / Management

File system monitoring and management technologies open up a whole slew of possibilities in security, virtualization, data management, and content delivery. Below, you’ll find a comparison of two file system monitoring and management implementations, one using a file system filter driver and the other relying heavily on hooks.

Kernel-mode implementation (filter drivers, file systems; see for example File System Virtualization)

Benefits

  • Quick implementation
  • MMF (memory-mapped file) support out of the box
  • Paged I/O support out of the box
  • Can be used to monitor driver behavior, for example access to shared resources (srv*.sys)

Potential Problems

  • Only those common to any driver implementation (see Common Pros and Cons above)

User-mode implementation (heavy use of user-mode hooks on many functions from ntdll.dll and other libraries)

Benefits

  • Installation doesn’t require administrator permission

Potential Problems

  • Very limited virtualization capabilities
  • Weak stability in the face of new OS updates
  • Requires a good injection technique for running code within the address space of another process
  • Poor compatibility with antivirus software and protection suites
  • Not secure: users can remove hooks without administrator permission

Process Monitoring / Management

Technologies for monitoring and managing processes are an integral part of many cyber security and system management solutions, and are extensively used in virtualization, data management, and many other areas.

Process monitoring and management can be implemented by creating a driver or by using AppCertDlls and other hooks. The pros and cons of each approach are listed below.

Kernel-mode implementation (see for example Process Monitoring and Management Tips)

Benefits

  • Reliable, particularly when combined with file system filters, registry filters, and network filters

Potential Problems

  • Can be hard to make additional file system checks when a process starts

User-mode implementation (AppCertDlls, other hooks)

Benefits

  • Only those common to any user-mode implementation (see Common Pros and Cons above)

Potential Problems

  • Not secure: users can remove hooks without administrator permission
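Both the file system table and the process table end on the same point: a user-mode hook lives inside the processes it covers and can be removed there by the user, while a filter driver is loaded once, system-wide, under administrator control. The operational consequence is that a hook-based product has to verify its own coverage continuously, whereas a driver-based product only has to check that the filter is loaded. The PowerShell script below is an added example (not code from the article or from Apriorit) that performs both checks and also lists what is registered through the AppCertDlls mechanism named above. `monhook.dll` and `MonFlt` are placeholder names for a product's own hook DLL and minifilter; the script assumes the table layout that `fltmc filters` prints and the documented AppCertDlls key under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`.

```powershell
# Added example (not part of the Apriorit article): verify that the monitoring
# components a product depends on are actually in place. A user-mode hook DLL
# must be present in every process it is meant to cover, and the article notes
# that a user can remove such a hook without administrator permission; a
# minifilter, by contrast, is loaded once, system-wide, and a standard user
# cannot unload it. The script reports per-process hook coverage, the loaded
# minifilters, and the DLLs registered through AppCertDlls.
#
# Assumptions: 'monhook.dll' and 'MonFlt' are placeholder names for your own
# components; 'fltmc filters' (elevated) prints the table layout parsed below;
# AppCertDlls is the documented HKLM\SYSTEM\...\Session Manager\AppCertDlls key.

function Get-AppCertDlls {
    # Lists DLLs registered through the AppCertDlls mechanism named in the article.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ ValueName = $_.Name; Dll = [string]$_.Value } }
}

function Get-LoadedMinifilters {
    # Parses 'fltmc filters'. Data rows look like:
    #   WdFilter                                4         328010         0
    # Legacy filters print '<Legacy>' in the Frame column, so Frame stays a string.
    foreach ($line in (& fltmc.exe filters 2>$null)) {
        if ($line -match '^\s*(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = $Matches[4]
            }
        }
    }
}

function Test-HookCoverage {
    param(
        [Parameter(Mandatory)][string]$HookDllName,        # placeholder: your hook DLL
        [string[]]$ProcessName = @('explorer', 'notepad')  # processes the hook should cover
    )
    $covered = @(); $missing = @(); $unknown = @()
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try {
            # Module lists of other users' or protected processes may be
            # unreadable from a non-elevated shell; report those as Unknown.
            $loaded = @($p.Modules | Where-Object { $_.ModuleName -ieq $HookDllName })
            if ($loaded.Count -gt 0) { $covered += $p.Id } else { $missing += $p.Id }
        }
        catch { $unknown += $p.Id }
    }
    [pscustomobject]@{
        HookDll = $HookDllName
        Covered = $covered
        Missing = $missing   # candidates for a removed or never-injected hook
        Unknown = $unknown
    }
}

# Usage: replace the placeholder names with your own hook DLL and minifilter.
Test-HookCoverage -HookDllName 'monhook.dll' -ProcessName 'explorer', 'notepad' | Format-List
Get-LoadedMinifilters | Where-Object { $_.Name -ieq 'MonFlt' } | Format-Table -AutoSize
Get-AppCertDlls | Format-Table -AutoSize
```

A non-empty `Missing` list is the user-mode failure mode the tables describe: the process is running, but the hook is not in it, and nothing in the OS will tell the product. For the driver side, an empty result from the minifilter query is the only thing to alarm on; altitude and instance counts are also useful when diagnosing the antivirus compatibility problems listed for the hook-based approach, since every filter that sits on the same volume appears in that output.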