A forum for reverse engineering, OS internals and malware analysis 

 #13082  by MindfreaK
 Mon May 07, 2012 3:03 pm
This is a ring3 rootkit sample made by me for testing only that injects a thread into explorer which hooks NtQueryDirectoryFile.
It will hide every file with $sys$ at the beginning of the name.
Successfully tested with Windows 7 x64.
This is only a bin.

http://r.virscan.org/report/0b0c3036092 ... fee5b.html

~Mind
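A defender-side check for the kind of hook this sample installs, added here as an example and not the poster's code: read the prologue of ntdll!NtQueryDirectoryFile from the suspected process, compare it with the clean bytes from ntdll.dll on disk, and recognise the usual inline-trampoline shapes. The byte strings, the load address and the syscall number below are constructed placeholders, not dumps from the attachment.

```python
import struct

# Constructed clean prologue of an x64 system-call stub (not a real dump;
# the syscall number 0x35 is a placeholder, real numbers vary per build):
#   mov r10, rcx ; mov eax, imm32 ; syscall ; ret
CLEAN_STUB = bytes.fromhex("4c8bd1b8350000000f05c3")
# Placeholder address at which the stub is assumed to be mapped.
STUB_ADDRESS = 0x7FF800001000

# Constructed examples of what an inline hook leaves at the same spot.
HOOKED_REL32 = b"\xe9" + struct.pack("<i", 0x1000) + CLEAN_STUB[5:]
HOOKED_ABS64 = b"\x48\xb8" + struct.pack("<Q", 0x7FF6DEADBEEF) + b"\xff\xe0"

def trampoline_target(code: bytes, address: int):
    """Recognise common x64 inline-hook trampolines at the start of `code`,
    assumed mapped at `address`. Returns (kind, target) or None."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", address + 5 + rel
    if len(code) >= 6 and code[:2] == b"\xff\x25":                # jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        # Target is the pointer slot; the hook address is read from there.
        return "jmp [rip+disp32]", address + 6 + disp
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    return None

def check_hook(in_memory: bytes, on_disk: bytes, address: int) -> dict:
    """Cross-view check: the first bytes of a syscall stub read from the
    process should match the clean copy from the DLL on disk. Any mismatch
    is reported as a patch; a recognised trampoline adds its target."""
    n = min(len(in_memory), len(on_disk))
    first_diff = next((i for i in range(n) if in_memory[i] != on_disk[i]), None)
    tramp = trampoline_target(in_memory, address)
    return {
        "patched": first_diff is not None,
        "first_diff": first_diff,
        "trampoline": tramp[0] if tramp else None,
        "target": tramp[1] if tramp else None,
    }

if __name__ == "__main__":
    for name, view in (("clean", CLEAN_STUB), ("rel32", HOOKED_REL32), ("abs64", HOOKED_ABS64)):
        print(name, check_hook(view, CLEAN_STUB, STUB_ADDRESS))
```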
 #13118  by ArkKup
 Wed May 09, 2012 11:35 am
MindfreaK wrote: What OS are you running and is it x64? ~Mind
And can you run 64-bit files on a 32-bit system? Of course it was 64-bit.
Win 7 Pro SP1
 #13135  by MindfreaK
 Thu May 10, 2012 2:32 pm
Mhhh.
Sure I can't run x64 bins on x86, I just talked shit...
However, that is really interesting :/ but not good.
 #13498  by secObs
 Tue May 29, 2012 7:19 am
To build your rootkit, did you use the mhook library?