Skip to content

The project is a demo solution for one of the anti-rootkit techniques aimed on overcoming splicers

License

Notifications You must be signed in to change notification settings

apriorit/antirootkit-anti-splicer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 

Repository files navigation

Simple Anti-Splicer

About

This solution is created as a demonstration of one of the anti-rootkit techniques, and in particular it illustrates the detection and remediation against malware hooks set up by the splicing method.

Splicing is a method of API function hooking by changing the code of the target function. Usually it is used to hide some files and/or processes in the system. Typically, the malware changes the first 5 bytes of the target function inserting a jump to the custom function. This article explains and illustrates this approach.

Implementation

The implemented approach is based on the verification of the entire ntoskernel image, similar to the way it is performed in the windbg !chkimg extention. Verification algorithm repeats some actions of the PE loader.

After verification, all detected hooks are removed.

You can find step-by-step code explanations and approach details in the related article.

License

Licensed under the MIT license. © Apriorit.

About

The project is a demo solution for one of the anti-rootkit techniques aimed on overcoming splicers

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages