https://github.com/0xbekoo/ssdt-hooking

The project uses SSDT Hooking to bypass security checks during driver loading by hooking NtLoadDriver and modifying the PreviousMode flag.
https://github.com/0xbekoo/ssdt-hooking

kernel rootkit ssdt ssdt-hook ssdt-hooking windows-kernel windows-kernel-exploitation

Last synced: 2 months ago
JSON representation

The project uses SSDT Hooking to bypass security checks during driver loading by hooking NtLoadDriver and modifying the PreviousMode flag.

• Host: GitHub
• URL: https://github.com/0xbekoo/ssdt-hooking
• Owner: 0xbekoo
• Created: 2025-02-16T12:17:39.000Z (3 months ago)
• Default Branch: main
• Last Pushed: 2025-02-24T07:19:48.000Z (3 months ago)
• Last Synced: 2025-02-24T07:37:48.926Z (3 months ago)
• Topics: kernel, rootkit, ssdt, ssdt-hook, ssdt-hooking, windows-kernel, windows-kernel-exploitation
• Language: C
• Homepage: https://medium.com/@0xbekoo/loading-driver-from-user-mode-program-via-ssdt-hooking-720eeb08abb9
• Size: 67.4 KB
• Stars: 1
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
## Overview



This project demonstrates SSDT Hooking on Windows 11 by intercepting calls to NtLoadDriver. Dynamically using the address of the SSDT, the address of the NtLoadDriver is calculated by the rootkit and places a trampoline at the original address. After calling NtLoadDriver, the usermode program is redirected through this trampoline to the rootkit's function.

Then, the rootkit  sets the PreviousMode flag as kernel mode and writes the usermode program parameter to kernel memory and it removes the trampoline it added to NtLoadDriver. Finally loads the driver. 

If you want to take a look at the detailed description of the project, you can check out [this medium article](https://medium.com/@0xbekoo/loading-driver-from-user-mode-program-via-ssdt-hooking-720eeb08abb9).

> [!Warning]

> Please note that the content of this repository is intended for educational purposes only. I do not endorse or encourage any illegal activities. The techniques and methods demonstrated here should not be used for malicious purposes or in any unauthorized scenarios.

## `🔧:` Running The Project

> [!Note]

> To test the project, you need to prepare your virtual machine as test mode.

First of all, the project has been prepared for the following Windows version:

- **Version: Windows 11 24H2**

- **OS Build: 26100.2894**

The latest version of Windows 11 would be better to try this project. When you are ready for debugging, first run the driver and check the results as below:



  






You can then run the User-Mode program to see the results.