Sample

Metadata

SHA256
465dc7a1068d0c7d31b4ffb0a013a59ddd0320dde4389748eed99f41ee0f51ae
Difficulty
medium
Platform
Windows
Tags
kernel mode rootkit
Likes
0
Views
693
Submitter
struppigel

Analysis

Goal

How does this rootkit hide loaded modules of a process? Locate the function that is responsible for that. What's necessary to trigger the module hiding?

Description

This is a kernel mode driver without any obfuscation. It belongs to an unknown rootkit family. It has more features than just hiding modules and is worth exploring.

Flagged as medium difficulty because kernel mode is a special environment, and understanding the code requires specific knowledge of Windows internals.

Recommended Tools

Ghidra, IDA

Solutions

No solutions available yet.
