Drvtricks kernel driver for Windows 7 SP1 and 8.1 x64, that tricks around in your system.

It is a small Windows kernel driver that serves as a non-malicious Proof of Concept (PoC) for demo purposes on the subject of rootkit techniques. Normally, rootkits are used by attackers to conceal both various malware and its activity. In this example the payload consists of a local keylogger which stores key presses into an NTFS special file hidden by Windows itself.

= IMPORTANT INFORMATION REGARDING THE SOURCE CODE COMMENTS =

The source code appears to be commented, but EXCEPT FOR MARKING THE USE OF FOREIGN CODE (KLOG rootkit code parts by Clandestiny in payload.c) those comments are simply wrong and misleading. Unfortunately the comments were never adapted when a new concept was implemented in the driver that lets it persist when the machine is powered off. The old concept was to delete the driver file entirely at machine boot, keep it only in system memory during runtime and rewrite it at machine shutdown. With the new concept the file is rewritten only at boot time and is then kept on disk in the undocumented C:\$Extend\$RmMetadata directory. The rewrite serves to randomize the file name in order to hinder offline analysis by tools such as FRST64 (Farbar Recovery Scan Tool).

= Information regarding the source code parts =

Main.c -> allocates non-pageable kernel memory and sets up global variables such as strings
> allocates readable-writeable-executable memory and copies the driver image into it
Cloak.c -> waits for the keyboard device to exist
> sets up global structures for starting system threads and runs the init thread
> makes payload.c patch the keyboard driver object (IRP hook on pKbdDrvObj->MajorFunction)
> runs callback routines which install various registry and directory callbacks
> removes the old driver file and creates a file with a randomized file name
Payload.c -> attempts to open or create the keylogger log file
> checks the keyboard patch and, if it failed, repatches the keyboard driver object
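As an added illustration of the defender's view of the IRP hook listed above (not part of Drvtricks): a user-mode model in C of the check a kernel integrity scanner or memory-forensics plugin runs over a driver object's MajorFunction table, flagging dispatch pointers that fall outside every loaded module. Module names, addresses and sizes are constructed.

```c
/* Added example, not Drvtricks code. A legitimate IRP dispatch pointer lies
 * inside a loaded module's image; Drvtricks copies itself into an anonymous
 * RWX allocation and redirects a keyboard dispatch entry there, so the hooked
 * slot is backed by no module. Constants follow the WDK; addresses are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b   /* 28 dispatch slots (WDK) */
#define IRP_MJ_READ             0x03   /* keystrokes arrive as read IRPs */
typedef struct { const char *name; uint64_t base, size; } Module;
typedef struct { uint64_t MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; } DriverObject;

/* Module whose image contains addr, or NULL when none does. */
static const Module *owner_of(uint64_t addr, const Module *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size) return &mods[i];
    return NULL;
}

/* Bit i is set for every dispatch slot whose target is backed by no module. */
uint32_t unbacked_dispatch_mask(const DriverObject *drv, const Module *mods, size_t n) {
    uint32_t mask = 0;
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        if (!owner_of(drv->MajorFunction[i], mods, n)) mask |= 1u << i;
    return mask;
}

/* Constructed module list; a real scanner reads it from the loaded-module list
 * (e.g. SystemModuleInformation) or from the memory image under analysis. */
static const Module kModules[] = {
    { "ntoskrnl.exe", 0xFFFFF80000400000ULL, 0x600000 },
    { "kbdclass.sys", 0xFFFFF80001000000ULL, 0x010000 },
};

/* Keyboard driver object with every slot inside kbdclass.sys; when hooked is
 * non-zero, IRP_MJ_READ is redirected to an anonymous RWX region, which is how
 * the Drvtricks hook on pKbdDrvObj->MajorFunction appears from outside. */
uint32_t scan_keyboard_driver(int hooked) {
    DriverObject kbd;
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        kbd.MajorFunction[i] = kModules[1].base + 0x1000 + 0x40 * i;
    if (hooked) kbd.MajorFunction[IRP_MJ_READ] = 0xFFFFA00012340000ULL;
    return unbacked_dispatch_mask(&kbd, kModules, sizeof kModules / sizeof kModules[0]);
}

int main(void) {
    printf("suspect slots: 0x%08x\n", scan_keyboard_driver(1)); /* prints 0x00000008 */
    return 0;
}
```

Bit 3 of the result corresponds to IRP_MJ_READ; a clean table yields 0.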