user-mode Rootkit
A user-mode rootkit replaces executables and system libraries and modifies the behaviour of application programming interfaces. It alters the security subsystem and displays false information: by intercepting system calls and filtering their output it can hide processes, files, system drivers, network ports, registry keys and paths, and system services.
The purpose of this project is to hide a process by intercepting the system calls used by process-listing tools and manipulating the structure they return.
NtQuerySystemInformation
This API retrieves the specified system information. It accepts many information classes, each of which selects a structure to be retrieved; we are interested in SystemProcessInformation.
This class returns an array of SYSTEM_PROCESS_INFORMATION structures, one for each process running in the system. These structures contain information about the resource usage of each process, including the number of threads and handles used by the process, the peak page-file usage, and the number of memory pages that the process has allocated.
It takes four parameters, SystemInformationClass, SystemInformation, SystemInformationLength and ReturnLength, and returns an NTSTATUS.
First we patch/hook NtQuerySystemInformation. Inside the hook we write the original opcodes back over the patched address so that the real function can be called to retrieve the data structure.
Then we check whether the requested information class is SystemProcessInformation. If it is, we walk the array entry by entry, adding each entry's NextEntryOffset member to its address to reach the next one. When we find our chosen process, we add its NextEntryOffset to the previous entry's NextEntryOffset, so when the listing tool reaches the previous entry it jumps over the next one (our process) and the process becomes invisible.
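The unlinking described above leaves the hidden record's bytes in place in the returned buffer; only the chain of NextEntryOffset values skips over it. The following added example (not part of this project's code) models that with a constructed, simplified record layout and shows the check a defender or listing tool can run: compare each record's natural size with where the chain jumps next and parse whatever lies in the gap. It assumes the kernel packs records contiguously so that an untampered NextEntryOffset equals the record's own size, and that the buffer has been trimmed to ReturnLength.

```python
import struct
# Constructed, simplified stand-in for SYSTEM_PROCESS_INFORMATION (assumption: the real
# x64 record is larger; only the fields the check needs are modelled): u32 NextEntryOffset,
# u32 NumberOfThreads, u32 UniqueProcessId, u16 NameLength, then the UTF-16 image name
# and NumberOfThreads thread records of THREAD_SIZE bytes each.
HEADER = struct.Struct("<IIIH")
THREAD_SIZE = 8  # constructed per-thread record size

def natural_size(nthreads, name_len):
    """Bytes one record occupies when nothing has been unlinked from the list."""
    return HEADER.size + name_len + THREAD_SIZE * nthreads

def build_buffer(procs):
    """Pack (pid, name, nthreads) records back to back; the last NextEntryOffset is 0."""
    out = bytearray()
    for i, (pid, name, nthreads) in enumerate(procs):
        wname = name.encode("utf-16-le")
        size = natural_size(nthreads, len(wname))
        out += HEADER.pack(0 if i == len(procs) - 1 else size, nthreads, pid, len(wname))
        out += wname + b"\0" * (THREAD_SIZE * nthreads)
    return bytes(out)

def parse_record(buf, off):
    nxt, nthreads, pid, name_len = HEADER.unpack_from(buf, off)
    name = buf[off + HEADER.size:off + HEADER.size + name_len].decode("utf-16-le")
    return nxt, pid, name, natural_size(nthreads, name_len)

def audit(buf):
    """Walk the chain like a listing tool; also flag records the chain jumps over."""
    visible, hidden, off = [], [], 0
    while True:
        nxt, pid, name, size = parse_record(buf, off)
        visible.append((pid, name))
        end, stop = off + size, (off + nxt if nxt else len(buf))  # buf trimmed to ReturnLength
        while end < stop:  # bytes between the natural end and the next hop hold unlinked records
            _, hpid, hname, hsize = parse_record(buf, end)
            hidden.append((hpid, hname))
            end += hsize
        if nxt == 0:
            return visible, hidden
        off += nxt

# Constructed sample: a genuine list, and a copy in which record 1's NextEntryOffset has
# been widened to also cover record 2 ("hidden.exe"), the condition described above.
PROCS = [(4, "System", 120), (1234, "explorer.exe", 30), (4242, "hidden.exe", 2), (5678, "notepad.exe", 4)]
CLEAN = build_buffer(PROCS)
sizes = [natural_size(t, len(n.encode("utf-16-le"))) for _, n, t in PROCS]
TAMPERED = bytearray(CLEAN)
struct.pack_into("<I", TAMPERED, sizes[0], sizes[1] + sizes[2])
```

Running audit(TAMPERED) lists three visible processes and recovers (4242, "hidden.exe") from the gap, whereas audit(CLEAN) reports all four and no gap.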