A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15633  by dphrag
 Mon Sep 17, 2012 8:56 am
I am looking for rootkits that will work on Windows 8, trying to put together a pool of those. I tried testing some but they didn't seem to work, so I thought I would ask here if anyone has gone down that road before?
 #15636  by EP_X0FF
 Mon Sep 17, 2012 11:03 am
I don't think any of them will work fine on Windows 8, even if this is just the third remake of the same Vista. Most r0 rootkits (not driver agents like Necurs, for example) rely on undocumented APIs/opaque system structures that are subject to change between Windows versions. They use hardcoding and other signs of bad programming. I expect some rootkits to be updated for Windows 8, for example Sinowal and MaxSS. However, r3 rootkits should work fine. Except maybe some real mad-skills crapware.
 #15637  by dphrag
 Mon Sep 17, 2012 11:52 am
Yeah, that's what I thought as well but wasn't sure. I am looking specifically for r0 rootkits; didn't know that Necurs works on Win8! Even when I tried some ARK tools they failed to work also. Guess I have to wait.
 #15643  by EP_X0FF
 Mon Sep 17, 2012 4:10 pm
dphrag wrote:didn't know that Necurs works on Win8! Even when I tried some ARK tools they failed to work also. Guess I have to wait.
Have no idea whether it will work or not. But more likely it will. Well, better chance than any other because Necurs is not a rootkit. Also forget about ARK software as a class. It's a useless piece of junk code.
 #15671  by MindfreaK
 Tue Sep 18, 2012 7:50 pm
Ring3 rootkits will work like they did before, but in Windows 8 you can't inject into the new Task Manager, so you need to use AppInit_Dlls or the way ZeroAccess for x64 did it.
http://www.codeproject.com/Articles/493 ... -API-hooks
This could be interesting for ring3 rootkits, for both x86 and x64.

http://stoned-vienna.com/
There are already bootkits for Windows 8; the first I saw was the one from Peter Kleissner.
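As an added example (not from MindfreaK's post, nor from any of the tools or projects linked above): a PowerShell check that reads the AppInit_DLLs settings the post mentions, so a defender can see whether that injection mechanism is enabled on a host and what is registered under it. Key paths and value names are the documented ones; the wording of the findings is this example's own.

```powershell
# Added example: enumerate the AppInit_DLLs mechanism on a Windows host.
# Not part of the original post. Both the native and the Wow6432Node view are
# checked, since 32-bit processes on x64 read the latter.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',              # 64-bit view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    # Missing values come back as $null; casting gives 0 / empty string.
    $load   = [int]($props.LoadAppInit_DLLs)
    $signed = [int]($props.RequireSignedAppInit_DLLs)
    $dlls   = [string]($props.AppInit_DLLs)

    Write-Output "Key: $key"
    Write-Output "  LoadAppInit_DLLs          = $load   (1 = user32.dll loads the listed DLLs into processes that load it)"
    Write-Output "  RequireSignedAppInit_DLLs = $signed (1 = only code-signed DLLs are loaded)"

    if ([string]::IsNullOrWhiteSpace($dlls)) {
        Write-Output "  AppInit_DLLs              = <empty>"
        continue
    }

    # The value is a space- or comma-separated list of DLL paths.
    $entries = @($dlls -split '[ ,]+' | Where-Object { $_ })
    foreach ($dll in $entries) {
        $resolved = [Environment]::ExpandEnvironmentVariables($dll)
        $exists   = Test-Path $resolved
        $sig      = if ($exists) { (Get-AuthenticodeSignature -FilePath $resolved).Status } else { 'n/a' }
        Write-Output "  AppInit_DLLs entry: $dll  exists=$exists  signature=$sig"
    }

    if ($load -eq 1 -and $entries.Count -gt 0) {
        Write-Warning "AppInit_DLLs injection is active under $key; review the listed DLLs."
    }
}
```

Run it from an elevated PowerShell prompt; an unsigned or missing DLL listed while LoadAppInit_DLLs is 1 is the combination worth looking at first.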
 #15676  by AaLl86
 Wed Sep 19, 2012 8:12 am
markusg wrote:perhaps of interest
http://www.itsec.it/2012/09/18/uefi-tec ... 8-bootkit/
Yes, that project builds a Windows 8 EFI bootkit PoC able to disable Driver Signing Enforcement and PatchGuard... Hope that can help security analysts and, perhaps, normal people, to understand how UEFI technology operates...

Andrea