Skip to content
This repository has been archived by the owner on Sep 16, 2024. It is now read-only.

ZeroMemoryEx/URootkit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

URootkit

  • The user-mode rootkit replaces executables and system libraries and modifies the behavior of application programming interfaces, It alters the security subsystem and displays false information . It can intercept system calls and filter output in order to hide processes, files, system drivers, network ports, registry keys and paths, and system services

  • the purpose of this project is to hide a process by intercepting listing tools system calls and manipulate in its structure .

DETAILS

  • NtQuerySystemInformation API Retrieves the specified system information , it has too many flag each flag represent a structure to be retrieved but we are interersted in SystemProcessInformation this flag Returns an array of SYSTEM_PROCESS_INFORMATION structures, one for each process running in the system These structures contain information about the resource usage of each process, including the number of threads and handles used by the process, the peak page-file usage, and the number of memory pages that the process has allocated.

    image

  • it takes 4 parameters SystemInformationClass , SystemInformation, SystemInformationLength, ReturnLength and returns NTSTATUS , first we patch/hook NtQuerySystemInformation after that we overwrite the address with the original opcodes so we can Retrieve the data structure later .

    image

  • then we check if the specified flag is SystemProcessInformation then go through every item by summing the previous item value and the NextEntryOffset member , when we found our chosen process we sum the current NextEntryOffset with the next one so whenever the listing tool reach the previous item its will jump over the next one (our process ) meaning the process will be invisibe .

    image

    image

VID

URootkit.mp4

lastly

  • although this technique can be detected easily using a program i made while ago Hooks_Hunter and it can be bypassed using any kernel-mode rootkit .