Windows Registry Rootkit

07-05-2016, 04:56 PM
The rootkit uses a zero-day vulnerability in win32k.sys (a buffer overflow in the function win32k!bInitializeEUDC()) to gain execution at OS startup.

NDIS-based network backdoor (+ meterpreter/bind_tcp).

To avoid detection as unknown executable code, it relocates itself in memory into the discardable sections of some default Windows drivers.

Completely undetectable by public anti-rootkit tools.

Works on Windows 7 (SP0, SP1) x86.

More Details : http://dl.dropbox.com/u/22903093/Applied-anti-forensics.pdf

Download : https://github.com/Cr4sh/WindowsRegistryRootkit
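The post says the rootkit hides its body in the discardable sections of stock Windows drivers. As an added example (not code from the post or from the WindowsRegistryRootkit repository), here is a small C tool that parses the section table of a PE driver image and flags a discardable section whose virtual-address range still holds non-zero bytes in a memory snapshot laid out by VA. The minimal sample image, the section names, and the "non-zero after boot" heuristic are constructed assumptions for illustration; on a real system the same functions would be run against a driver file from disk and the matching range of a kernel memory dump.

```c
/* pe_discardable.c: list discardable sections of a PE driver image and check
 * whether those ranges still hold data in a memory snapshot laid out by VA.
 * Added example; the sample image and the heuristic are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SCN_CNT_CODE        0x00000020u
#define IMAGE_SCN_MEM_DISCARDABLE 0x02000000u
#define IMAGE_SCN_MEM_EXECUTE     0x20000000u
#define MAX_SECTIONS 32

typedef struct {
    char     name[9];
    uint32_t virtual_address;
    uint32_t virtual_size;
    uint32_t characteristics;
} section_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Parse the section table of a PE image. Returns the section count, or -1 if malformed. */
int pe_sections(const uint8_t *buf, size_t len, section_info *out, int max_out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 24) return -1;        /* PE signature + file header */
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    int nsec = rd16(nt + 6);
    size_t sec_off = (size_t)e_lfanew + 24 + rd16(nt + 20);      /* skip the optional header */
    if (nsec > max_out || sec_off > len || len - sec_off < (size_t)nsec * 40) return -1;
    for (int i = 0; i < nsec; i++) {
        const uint8_t *s = buf + sec_off + (size_t)i * 40;
        memcpy(out[i].name, s, 8); out[i].name[8] = '\0';
        out[i].virtual_size    = rd32(s + 8);
        out[i].virtual_address = rd32(s + 12);
        out[i].characteristics = rd32(s + 36);
    }
    return nsec;
}

/* Heuristic (assumption): a discardable section whose VA range is non-zero in a post-boot
 * snapshot is worth a closer look. mem is the image as mapped, indexed by VA from the base.
 * Returns the index of the first such section, or -1 if none. */
int find_live_discardable(const section_info *secs, int n, const uint8_t *mem, size_t mem_len)
{
    for (int i = 0; i < n; i++) {
        if (!(secs[i].characteristics & IMAGE_SCN_MEM_DISCARDABLE)) continue;
        uint32_t va = secs[i].virtual_address, sz = secs[i].virtual_size;
        if (va > mem_len || mem_len - va < sz) continue;           /* range not in snapshot */
        for (uint32_t j = 0; j < sz; j++)
            if (mem[va + j] != 0) return i;
    }
    return -1;
}

/* Constructed sample: headers for a .text section and a discardable INIT section.
 * Not a real driver; just enough structure for the parser. Returns the image size. */
size_t build_sample_image(uint8_t *buf, size_t len)
{
    if (len < 0x2100) return 0;
    memset(buf, 0, 0x2100);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x40);                                 /* e_lfanew */
    uint8_t *nt = buf + 0x40;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x14c);                                    /* Machine: i386 */
    wr16(nt + 6, 2);                                        /* NumberOfSections */
    wr16(nt + 20, 0);                                       /* SizeOfOptionalHeader (omitted) */
    uint8_t *s = nt + 24;
    memcpy(s, ".text\0\0\0", 8);
    wr32(s + 8, 0x100); wr32(s + 12, 0x1000);
    wr32(s + 36, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE);
    s += 40;
    memcpy(s, "INIT\0\0\0\0", 8);
    wr32(s + 8, 0x100); wr32(s + 12, 0x2000);
    wr32(s + 36, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_DISCARDABLE);
    return 0x2100;
}

int main(void)
{
    static uint8_t img[0x2100];
    section_info secs[MAX_SECTIONS];
    size_t n = build_sample_image(img, sizeof img);
    int cnt = pe_sections(img, n, secs, MAX_SECTIONS);
    for (int i = 0; i < cnt; i++)
        printf("%-8s VA=0x%05x size=0x%04x%s\n", secs[i].name, secs[i].virtual_address,
               secs[i].virtual_size,
               (secs[i].characteristics & IMAGE_SCN_MEM_DISCARDABLE) ? " [discardable]" : "");
    /* Simulate the trick the post describes: bytes living in INIT's range after boot. */
    memcpy(img + 0x2000, "\x55\x8b\xec", 3);
    int hit = find_live_discardable(secs, cnt, img, n);
    printf("live bytes in discardable section: %s\n", hit >= 0 ? secs[hit].name : "none");
    return 0;
}
```

On a real driver you would feed `pe_sections` the file from disk and `find_live_discardable` the driver's mapped range copied out of a kernel memory dump; a hit only means the range is not empty, so follow up by disassembling it rather than treating it as proof of infection.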