At Apriorit, kernel and driver development is one of our key competences. We extensively use technologies operating at the kernel level in various security, virtualization, system control, and monitoring solutions that we develop for our clients. At the same time, some projects do not really need a driver solution with its potential complexity – a user-mode implementation, e.g. based on various hooks, meets all requirements.
We’d like to generalize and share our experience of building kernel level and user level technologies and provide you with a list of advantages and disadvantages of both approaches for various tasks.
As we specialize first of all on the security-related projects, we’ve chosen various system monitoring and management technologies frequently required for endpoint security solutions.
Introduction: What Is the Kernel/User Mode?
The Windows operating system uses two different CPU modes to run software: user mode and kernel mode. What is the kernel mode and what is the user mode?
The main difference between user mode and kernel mode, from the software development standpoint, lies in the level of access to system resources.
Kernel mode in the operating system is reserved for the Windows kernel and various hardware drivers. Software running at the kernel level has full access to hardware and system resources. All other software runs at the user level, where applications are isolated within separate processes and don’t have direct access to hardware memory. User mode to kernel mode switching (and vice-versa) occurs as necessary depending on the code that’s running.
Common Pros and Cons
Windows kernel mode development is necessary when you need to create a driver that will run at the kernel level. This approach works great for tasks that require broad access to the system, such as system management or enhanced monitoring.
However, kernel mode programming is very complex: you need to use specific techniques to test your drivers, and errors can be hard to detect. Issues that are detected are often complex and hard to reproduce, localize, and fix. Moreover, any error at the kernel level can result in a complete and unrecoverable crash of the whole system.
User mode, on the other hand, is easier to work with. Software running at the user level has minimal impact on system stability since it runs in isolation – in the worst-case scenario, the software itself crashes without affecting the stability of the system as a whole. This makes it easier to test solutions and find and reproduce issues.
Despite the convenience that user mode provides, however, its capabilities are limited when it comes to certain monitoring and system control tasks that require broad access to system resources.
The choice between kernel mode vs user mode should be informed by these differences, but should also take into consideration the experience and familiarity of the developer with each mode. If a developer has limited experience with driver architecture and has never worked on driver components before, then it can be rather risky to go with a kernel mode implementation, since it may take a lot of time for the developer to learn the ropes, avoid common pitfalls, and create a stable solution.
Network Monitoring and Management
Technology for monitoring and managing network activity has a wide range of applications in cyber security and network administration. In the comparison below, we list the major pros and cons of implementing network monitoring and management solutions in Windows using hooks versus using a custom driver.
Keyboard / Keystroke Monitoring
Keystroke monitoring is a vital feature often employed in cyber security and parental control solutions. It can be used for the purposes of investigation, compliance, user action monitoring, and analysis of user behavior.
One implementation of keystroke monitoring in Windows involves the keyboard filter driver, while another uses the WH_KEYBOARD_LL hook. Check out the advantages and disadvantages of both approaches in the table below.
File System Monitoring / Management
File system monitoring and management technologies open up a whole slew of possibilities in security, virtualization, data management, and content delivery. Below, you’ll find a comparison of two file system monitoring and management implementations, one using a file system filter driver and the other heavily relying on hooks.
Process Monitoring / Management
Technologies for monitoring and managing processes are an integral part of many cyber security and system management solutions, and are extensively used in virtualization, data management, and many other areas.
Process monitoring and management can be implemented by creating a driver or using AppCertDlls and other hooks. The pros and cons of each approach are listed below.