- The user-mode rootkit replaces executables and system libraries and modifies the behavior of application programming interfaces. It alters the security subsystem and displays false information. It can intercept system calls and filter their output in order to hide processes, files, system drivers, network ports, registry keys and paths, and system services.
- The purpose of this project is to hide a process by intercepting the system calls made by process-listing tools and manipulating the structure they return.
- `NtQuerySystemInformation` retrieves the specified system information. It accepts many information classes, each of which selects a structure to be retrieved; we are interested in `SystemProcessInformation`. This class returns an array of `SYSTEM_PROCESS_INFORMATION` structures, one for each process running in the system. These structures contain information about the resource usage of each process, including the number of threads and handles used by the process, the peak page-file usage, and the number of memory pages that the process has allocated.
- It takes four parameters, `SystemInformationClass`, `SystemInformation`, `SystemInformationLength` and `ReturnLength`, and returns an `NTSTATUS`.
- First we patch (hook) `NtQuerySystemInformation`; after that we write the original opcodes back to the address so we can call the real function and retrieve the data structure later.
- Then we check whether the specified information class is `SystemProcessInformation`. If it is, we walk the array entry by entry, adding each entry's `NextEntryOffset` to the address of the previous item. When we find our chosen process, we add its `NextEntryOffset` to the previous entry's `NextEntryOffset`, so that whenever the listing tool reaches the previous item it jumps over the next one (our process), meaning the process will be invisible.
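The same walk can be turned around by a defender. The example below is added here and is not code from the URootkit project; it runs against a simplified model of the `SystemProcessInformation` buffer in which the structure layout, the field `ImageNameBytes`, the 8-byte alignment and the sample processes are all constructed for the example (only `NextEntryOffset`, `NumberOfThreads` and `UniqueProcessId` are names from the real structure). In an honest buffer each `NextEntryOffset` equals the entry's own size (header, thread records, image name), so a link that reaches further than that, or a link forced to 0 while data still trails, marks the spot where an entry was unlinked, and the skipped bytes still hold the hidden entry.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of the buffer, constructed for this example (not the real
 * Windows definition): the real SYSTEM_PROCESS_INFORMATION has many more
 * fields, but as in the real buffer each header is followed by its thread
 * records and image name, so an entry's true size is variable and an honest
 * NextEntryOffset equals exactly that size. */
typedef struct {
    uint32_t NextEntryOffset;  /* bytes from this entry to the next; 0 on the last */
    uint32_t NumberOfThreads;
    uint32_t UniqueProcessId;
    uint32_t ImageNameBytes;   /* constructed field: name bytes stored after the threads */
} ProcEntry;

typedef struct { uint32_t ThreadId; uint32_t State; } ThreadEntry;

#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)   /* alignment is an assumption of the model */

static size_t entry_size(const ProcEntry *e)
{
    return ALIGN8(sizeof(ProcEntry) + (size_t)e->NumberOfThreads * sizeof(ThreadEntry)
                  + e->ImageNameBytes);
}

/* A candidate at 'off' is plausible if it fits inside [off, end) and has at
 * least one thread; zero padding therefore never counts as a process. */
static int entry_fits(const uint8_t *buf, size_t off, size_t end)
{
    if (off + sizeof(ProcEntry) > end) return 0;
    const ProcEntry *e = (const ProcEntry *)(buf + off);
    return e->NumberOfThreads > 0 && off + entry_size(e) <= end;
}

/* What a normal listing tool sees: entries reachable by following the chain. */
int count_chain_entries(const uint8_t *buf, size_t len)
{
    int n = 0;
    for (size_t off = 0; off + sizeof(ProcEntry) <= len; ) {
        const ProcEntry *e = (const ProcEntry *)(buf + off);
        n++;
        if (e->NextEntryOffset == 0) break;
        off += e->NextEntryOffset;
    }
    return n;
}

/* Detection pass: scan the bytes between each entry's real end and its link
 * target for well-formed entries. A hidden last entry (link forced to 0 with
 * data still trailing) is caught by treating the buffer end as the gap end.
 * PIDs found go into hidden[]; the number found is returned. */
int find_unlinked_entries(const uint8_t *buf, size_t len, uint32_t *hidden, int max)
{
    int found = 0;
    for (size_t off = 0; off + sizeof(ProcEntry) <= len; ) {
        const ProcEntry *e = (const ProcEntry *)(buf + off);
        size_t gap_end = e->NextEntryOffset ? off + e->NextEntryOffset : len;
        if (gap_end > len) break;               /* malformed link: stop, do not overread */
        size_t cand = off + entry_size(e);
        while (cand < gap_end && entry_fits(buf, cand, gap_end)) {
            const ProcEntry *h = (const ProcEntry *)(buf + cand);
            if (found < max) hidden[found] = h->UniqueProcessId;
            found++;
            if (h->NextEntryOffset == 0) break; /* hidden entry was the last one */
            cand += h->NextEntryOffset;         /* several may be hidden in a row */
        }
        if (e->NextEntryOffset == 0) break;
        off = gap_end;
    }
    return found;
}

/* Constructed sample with four processes. When hide_pid is non-zero that entry
 * is unlinked as the README describes (the previous link is lengthened to skip
 * it) so the detector has something to find. Returns the bytes used, i.e. what
 * ReturnLength would report. */
size_t build_sample_buffer(uint8_t *buf, size_t cap, uint32_t hide_pid)
{
    static const struct { uint32_t pid, threads; const char *name; } procs[] = {
        { 4, 12, "System" }, { 1234, 3, "svchost.exe" },
        { 5678, 1, "hidden.exe" }, { 9012, 6, "explorer.exe" },
    };
    const size_t nproc = sizeof procs / sizeof procs[0];
    size_t off = 0, prev = 0;
    memset(buf, 0, cap);
    for (size_t i = 0; i < nproc; i++) {
        ProcEntry *e = (ProcEntry *)(buf + off);
        e->NumberOfThreads = procs[i].threads;
        e->UniqueProcessId = procs[i].pid;
        e->ImageNameBytes  = (uint32_t)strlen(procs[i].name);
        size_t sz = entry_size(e);
        if (off + sz > cap) return 0;
        ThreadEntry *t = (ThreadEntry *)(buf + off + sizeof(ProcEntry));
        for (uint32_t k = 0; k < e->NumberOfThreads; k++) t[k].ThreadId = e->UniqueProcessId + k + 1;
        memcpy(t + e->NumberOfThreads, procs[i].name, e->ImageNameBytes);
        e->NextEntryOffset = (i + 1 < nproc) ? (uint32_t)sz : 0;
        if (i > 0 && e->UniqueProcessId == hide_pid) {
            ProcEntry *p = (ProcEntry *)(buf + prev);
            p->NextEntryOffset = e->NextEntryOffset ? p->NextEntryOffset + e->NextEntryOffset : 0;
        }
        prev = off;
        off += sz;
    }
    return off;
}

/* Run both passes over the sample so the results are easy to check. */
int sample_visible_count(uint32_t hide_pid)
{
    uint64_t storage[64];
    uint8_t *buf = (uint8_t *)storage;
    size_t len = build_sample_buffer(buf, sizeof storage, hide_pid);
    return count_chain_entries(buf, len);
}

uint32_t sample_first_hidden(uint32_t hide_pid)
{
    uint64_t storage[64];
    uint8_t *buf = (uint8_t *)storage;
    uint32_t hidden[8];
    size_t len = build_sample_buffer(buf, sizeof storage, hide_pid);
    return find_unlinked_entries(buf, len, hidden, 8) ? hidden[0] : 0;
}
```

With the intact sample the chain shows 4 processes and the detector finds nothing; with PID 5678 unlinked the chain shows 3 and the detector recovers 5678 from the gap, and the same holds when the last entry (9012) is the one hidden. Against a real buffer, pass the length the kernel wrote back in `ReturnLength` rather than the allocation size, otherwise trailing slack would be scanned as a gap. Because this check reads the buffer the hooked function returns, it has to run in the listing tool's own process; comparing the chain count against a source that does not pass through that hook is a complementary check.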
URootkit.mp4
- Note that this technique can be detected easily using Hooks_Hunter, a program I made a while ago, and it can be bypassed using any kernel-mode rootkit.