https://github.com/kkent030315/ntsymbol
Resolve DOS MZ executable symbols at runtime
- Host: GitHub
- URL: https://github.com/kkent030315/ntsymbol
- Owner: kkent030315
- License: mit
- Created: 2021-11-11T06:12:39.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2021-11-12T04:07:12.000Z (almost 4 years ago)
- Last Synced: 2025-03-09T05:43:09.479Z (7 months ago)
- Topics: kernel, ntsymbol, rootkit, rootkits, symbol, symbols, windows
- Language: C++
- Homepage:
- Size: 32.2 KB
- Stars: 96
- Watchers: 5
- Forks: 25
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# NtSymbol
Resolve DOS MZ executable symbols at runtime
# Example
You no longer have to use memory pattern scans inside your sneaky rootkit. Pass the RVAs into your kernel payloads!
```cpp
/* The ntsymbol class is provided by this project's header. */
int main()
{
    ntsymbol ntoskrnl("%SYSTEMROOT%\\system32\\ntoskrnl.exe");
    ntoskrnl.init();

    /* Useful for retrieving the NTOS image base without any calls */
    const auto RvaPsNtosImageBase = ntoskrnl.resolve(L"PsNtosImageBase");

    ntsymbol cidll("%SYSTEMROOT%\\system32\\CI.dll");
    cidll.init();

    /* DSE Bypass! */
    const auto RvaCiOptions = cidll.resolve(L"g_CiOptions");
}
```