{"id":26145976,"url":"https://github.com/0xbekoo/ssdt-hooking","last_synced_at":"2026-04-20T17:30:50.336Z","repository":{"id":279174290,"uuid":"933665603","full_name":"0xbekoo/SSDT-Hooking","owner":"0xbekoo","description":"The project uses SSDT Hooking to bypass security checks during driver loading by hooking NtLoadDriver and modifying the PreviousMode flag.","archived":false,"fork":false,"pushed_at":"2025-02-24T07:19:48.000Z","size":76,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-11T04:57:38.698Z","etag":null,"topics":["kernel","rootkit","ssdt","ssdt-hook","ssdt-hooking","windows-kernel","windows-kernel-exploitation"],"latest_commit_sha":null,"homepage":"https://medium.com/@0xbekoo/loading-driver-from-user-mode-program-via-ssdt-hooking-720eeb08abb9","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xbekoo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-16T12:17:39.000Z","updated_at":"2025-03-02T01:53:48.000Z","dependencies_parsed_at":"2025-02-24T07:37:56.317Z","dependency_job_id":"fc790f04-0980-45d8-914d-994ebf306405","html_url":"https://github.com/0xbekoo/SSDT-Hooking","commit_stats":null,"previous_names":["0xbekoo/ssdt-hooking"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/0xbekoo/SSDT-Hooking","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FSSDT-Hooking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FSSDT-Hooking/tags","rel
eases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FSSDT-Hooking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FSSDT-Hooking/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xbekoo","download_url":"https://codeload.github.com/0xbekoo/SSDT-Hooking/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FSSDT-Hooking/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32057559,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-20T11:35:06.609Z","status":"ssl_error","status_checked_at":"2026-04-20T11:34:48.899Z","response_time":94,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kernel","rootkit","ssdt","ssdt-hook","ssdt-hooking","windows-kernel","windows-kernel-exploitation"],"created_at":"2025-03-11T04:57:40.302Z","updated_at":"2026-04-20T17:30:50.317Z","avatar_url":"https://github.com/0xbekoo.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Overview\n\n\u003cimg src=\"./photos/diagram.png\"\u003e\n\nThis project demonstrates SSDT Hooking on Windows 11 by intercepting calls to NtLoadDriver. 
Using the address of the SSDT, the rootkit dynamically calculates the address of NtLoadDriver and places a trampoline at the original address. When the user-mode program calls NtLoadDriver, execution is redirected through this trampoline to the rootkit's function.\n\nThe rootkit then sets the PreviousMode flag to kernel mode, writes the user-mode program's parameter to kernel memory, and removes the trampoline it added to NtLoadDriver. Finally, it loads the driver.\n\nFor a detailed description of the project, see [this Medium article](https://medium.com/@0xbekoo/loading-driver-from-user-mode-program-via-ssdt-hooking-720eeb08abb9).\n\n\u003e [!Warning]\n\u003e Please note that the content of this repository is intended for educational purposes only. I do not endorse or encourage any illegal activities. The techniques and methods demonstrated here should not be used for malicious purposes or in any unauthorized scenarios.\n\n## `🔧:` Running The Project\n\n\u003e [!Note]\n\u003e To test the project, you need to put your virtual machine into test mode.\n\nFirst of all, the project has been prepared for the following Windows version:\n\n- **Version: Windows 11 24H2**\n- **OS Build: 26100.2894**\n\nIt is best to try this project on the latest version of Windows 11. When you are ready for debugging, first run the driver and check the results as below:\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"./photos/exampleOutput.png\"\u003e\n\u003c/div\u003e\n\u003cbr/\u003e\n\nYou can then run the user-mode program to see the results.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xbekoo%2Fssdt-hooking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xbekoo%2Fssdt-hooking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xbekoo%2Fssdt-hooking/lists"}