Skip to content
This repository has been archived by the owner on May 14, 2022. It is now read-only.

Kernel rootkit, that lives inside the Windows registry values data

Notifications You must be signed in to change notification settings

Cr4sh/WindowsRegistryRootkit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 

Repository files navigation


Kernel rootkit, that lives inside the Windows registry value data.
By Oleksiuk Dmytro (aka Cr4sh)

http://twitter.com/d_olex
http://blog.cr4.sh
[email protected]


Rootkit uses the zero day vulnerability in win32k.sys (buffer overflow in function win32k!bInitializeEUDC()) to get the execution at the OS startup.

Features:

  • NDIS-based network backdoor (+ meterpreter/bind_tcp).

  • In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers.

  • Completely undetectable by public anti-rootkit tools.

  • Working on Windows 7 (SP0, SP1) x86.

diagram

This rootkit was originally presented at the ZeroNights 2012 conference during my talk.
See the slides and videos for more information: https://raw.githubusercontent.com/Cr4sh/blog/master/windows-registry-rootkit/Applied-anti-forensics.pdf