Never Ending Security

It starts all here

WindowsRegistryRootkit – Kernel rootkit, that lives inside the Windows registry values data

Kernel rootkit, that lives inside the Windows registry value data.
https://github.com/Cr4sh/WindowsRegistryRootkit


Rootkit uses the zero day vulnerability in win32k.sys (buffer overflow in function win32k!bInitializeEUDC()) to get the execution at the OS startup.

Features:

  • NDIS-based network backdoor (+ meterpreter/bind_tcp).
  • In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers.
  • Completely undetectable by public anti-rootkit tools.
  • Working on Windows 7 (SP0, SP1) x86.

    foo

This rootkit was originally presented at the ZeroNights 2012 conference during my talk.
See the slides and videos for more information: http://dl.dropbox.com/u/22903093/Applied-anti-forensics.pdf

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s