NtQuerySystemInformation: a simple way to bypass rootkits which hide processes by hooking

You’ve probably seen code like this:

```c
NTSTATUS MyRootkitNtQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength)
{
    if (SystemInformationClass == 5) // SystemProcessInformation
    {
        // do some pointer manipulation to hide our rootkit process …
    }
    else
    {
        return OriginalNtQuerySystemInformation(…);
    }
}
```

For example, this is what Hacker Defender does to hide itself. What most […]
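When a hook like the one above is installed by patching the first bytes of the NtQuerySystemInformation stub in ntdll, the patch replaces the well-known syscall prologue, so a defender can spot it by comparing the prologue against its clean shape. The check below is an added example, not code from the original post; the stub bytes and syscall numbers are constructed samples, and reading the bytes out of a live process is left to the caller.

```python
import struct

# Clean prologue of an Nt* stub in ntdll (exactly what an inline hook overwrites):
#   x64:      4C 8B D1        mov r10, rcx
#             B8 imm32        mov eax, <syscall number>
#   x86 (XP): B8 imm32        mov eax, <syscall number>
#             BA 00 03 FE 7F  mov edx, 7FFE0300h  (SharedUserData SystemCall stub)
#             FF 12           call dword ptr [edx]
X86_XP_TAIL = b'\xBA\x00\x03\xFE\x7F\xFF\x12'

def inspect_stub(stub: bytes) -> dict:
    """Classify the first bytes of an Nt* stub.

    A clean prologue yields the syscall number; anything else is reported as
    hooked, naming the patch instruction where it is a common hook shape.
    """
    if len(stub) >= 8 and stub[:4] == b'\x4C\x8B\xD1\xB8':
        return {'hooked': False, 'arch': 'x64', 'patch': None,
                'syscall': struct.unpack_from('<I', stub, 4)[0]}
    if len(stub) >= 12 and stub[0] == 0xB8 and stub[5:12] == X86_XP_TAIL:
        return {'hooked': False, 'arch': 'x86', 'patch': None,
                'syscall': struct.unpack_from('<I', stub, 1)[0]}
    if len(stub) >= 5 and stub[0] == 0xE9:                 # jmp rel32
        rel = struct.unpack_from('<i', stub, 1)[0]
        patch = f'jmp rel32 -> stub+{5 + rel:#x}'
    elif stub[:2] == b'\xFF\x25':                          # jmp [disp32]
        patch = 'jmp [disp32]'
    elif len(stub) >= 6 and stub[0] == 0x68 and stub[5] == 0xC3:
        patch = 'push imm32; ret'
    elif stub[:2] == b'\x48\xB8' and stub[10:12] == b'\xFF\xE0':
        patch = 'mov rax, imm64; jmp rax'
    else:
        patch = 'unrecognised prologue ' + stub[:8].hex(' ')
    return {'hooked': True, 'arch': None, 'syscall': None, 'patch': patch}

# Constructed sample stubs (not dumped from any real ntdll.dll).
CLEAN_X64 = bytes.fromhex('4C8BD1 B836000000 F604250803FE7F01 7503 0F05 C3')
CLEAN_X86_XP = bytes.fromhex('B8AD000000 BA0003FE7F FF12 C21000')
# The x64 stub after its first five bytes were overwritten with a relative
# jump to a trampoline 0x1000 bytes further on (constructed).
HOOKED_X64 = b'\xE9' + struct.pack('<i', 0x1000 - 5) + CLEAN_X64[5:]

if __name__ == '__main__':
    for name, stub in (('clean x64', CLEAN_X64), ('clean x86', CLEAN_X86_XP),
                       ('hooked x64', HOOKED_X64)):
        print(name, inspect_stub(stub))
```

A clean verdict only says the prologue is intact; it does not rule out hooks placed deeper in the stub or in kernel mode.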
