Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details

All Projects → Cr4sh → Windowsregistryrootkit

Cr4sh / Windowsregistryrootkit

Kernel rootkit, that lives inside the Windows registry values data

Programming Languages

50402 projects - #5 most used programming language

Kernel rootkit, that lives inside the Windows registry value data.
By Oleksiuk Dmytro (aka Cr4sh)

http://twitter.com/d_olex
http://blog.cr4.sh
[email protected]

Rootkit uses the zero day vulnerability in win32k.sys (buffer overflow in function win32k!bInitializeEUDC()) to get the execution at the OS startup.

Features:

NDIS-based network backdoor (+ meterpreter/bind_tcp).
In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers.
Completely undetectable by public anti-rootkit tools.
Working on Windows 7 (SP0, SP1) x86.

This rootkit was originally presented at the ZeroNights 2012 conference during my talk.
See the slides and videos for more information: https://raw.githubusercontent.com/Cr4sh/blog/master/windows-registry-rootkit/Applied-anti-forensics.pdf

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 401

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (0) 🔗