x64 Ring3 Rootkit Sample

#13082 by MindfreaK
Mon May 07, 2012 3:03 pm

This is an ring3 rootkit sample made by me for testing only that injects an thread into explorer which hooks NtQueryDirectoryFile.
It will hide every file with $sys$ in the beginning of the name.
Succesfully tested with Windows 7 x64.
This is only a bin.

http://r.virscan.org/report/0b0c3036092 ... fee5b.html

~Mind

Attachments

rootkit64.rar

(19.44 KiB) Downloaded 99 times

Username

MindfreaK

Posts

15

Joined

Wed Mar 14, 2012 3:33 pm

Location

Germany

Re: x64 Ring3 Rootkit Sample

#13105 by ArkKup
Tue May 08, 2012 1:49 pm

nice but its crashing explorer when go to My Computer

Username

ArkKup

Posts

16

Joined

Sat Mar 20, 2010 10:29 am

Re: x64 Ring3 Rootkit Sample

#13110 by MindfreaK
Tue May 08, 2012 6:25 pm

What OS are you running and is it x64 ?
~Mind

Username

MindfreaK

Posts

15

Joined

Wed Mar 14, 2012 3:33 pm

Location

Germany

Re: x64 Ring3 Rootkit Sample

#13118 by ArkKup
Wed May 09, 2012 11:35 am

MindfreaK wrote:What OS are you running and is it x64 ?
~Mind

and can you run 64-bit files on 32 bit system ? of course it was 64-bit
Win 7 Pro sp1

Username

ArkKup

Posts

16

Joined

Sat Mar 20, 2010 10:29 am

Re: x64 Ring3 Rootkit Sample

#13135 by MindfreaK
Thu May 10, 2012 2:32 pm

Mhhh.
Sure i can't run x64 bins on x86 , i just talked shit ...
however , that is really interesting :/ but not good.

Username

MindfreaK

Posts

15

Joined

Wed Mar 14, 2012 3:33 pm

Location

Germany

Re: x64 Ring3 Rootkit Sample

#13498 by secObs
Tue May 29, 2012 7:19 am

To build your rootkit did you used the mhook library ?

Username

secObs

Posts

25

Joined

Sun Mar 04, 2012 10:53 pm

Location

here, there and everywhere

Contact