Skip to content

forentfraps/rootkit-userland

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
dll_main.c
dll_main.c
 
 
inf.dll
inf.dll
 
 
make_dll.bat
make_dll.bat
 
 
rku.h
rku.h
 
 
win_intern.c
win_intern.c
 
 
winhook.h
winhook.h
 
 
winhook.o
winhook.o
 
 

Repository files navigation

winhook is taken from my repo -> Repo

Compiling with .\make_dll.bat

Current Features:

  • Hook NtQuerySystemInformation to hide the process from process list
  • Hiding the dll from loaded modules via parsing PEB (Sadly VAD tree and EPROCESS could not be altered, due to ring3 limitations)

Current TODO:

  • Hide from the explorer (will not show in the directory). Apparently explorer does not use NtQueryDirectoryFileEx to view files!
    • hook NtQueryDirectoryFileEx
  • Hide the AppInit registry key, and the fact that AppInit is enabled at all
  • Hook opening files to read (ntdll.dll), so that when the buffer is read, altered version is received, with hooks already installed
  • Hide from windows event log - unknown how to approach this currently

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages