https://github.com/forentfraps/rootkit-userland
Last synced: 25 days ago
- Host: GitHub
- URL: https://github.com/forentfraps/rootkit-userland
- Owner: forentfraps
- License: mit
- Created: 2023-12-17T04:59:58.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2024-01-21T01:51:20.000Z (11 months ago)
- Last Synced: 2024-01-21T05:35:28.424Z (11 months ago)
- Language: C
- Size: 1.28 MB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
winhook is taken from my repo: [winhook](https://github.com/forentfraps/winhook)
Compile with `.\make_dll.bat`
Current Features:
- Hook NtQuerySystemInformation to hide the process from the process list
- Hide the DLL from the loaded-module list by parsing the PEB (sadly the VAD tree and EPROCESS cannot be altered, due to ring 3 limitations)
Current TODO:
- Hide from the explorer (will not show in the directory). Apparently explorer does not use NtQueryDirectoryFileEx to view files!
- Hook NtQueryDirectoryFileEx
- Hide the AppInit registry key, and the fact that AppInit is enabled at all
- Hook file opens for reading (ntdll.dll), so that when the buffer is read an altered version is received, with hooks already installed
- Hide from the Windows event log (currently unknown how to approach this)