Hi!

as the title suggests

Results in

Which makes me make this issue; can you update or include the article in file-mode ? (paper -> pdf) or something?

Wishes from Sweden!

over n out. //Will.

after 30 min win10 1511

Hi,
I have a strange problem, when I try to use loader I get the following error:
C:\Users\Rahimi\Desktop>Loader.exe "test.exe"

 Basic DKOM Rootkit to Hide a Process
 Usage : loader.exe [process name]
 Author: Bradley Landherr


[+] Discovered PID of process test.exe: 4792
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: The system cannot find the path specified.

[-] Error creating handle: The system cannot find the path specified.

I put the Rootkit.sys and loader.exe in desktop and here is some part of my loader code:

#define SERVICE "Rootkit"
#define DEVICE "\\\\.\\Rootkit"
#define DRIVER "c:\\\\Users\\Masoud\\Desktop\\Rootkit.sys"
//#define DRIVER "c:\\\\Users\\IEUser\\Desktop\\Rootkit.sys"
//#define DRIVER "C:\\\\WINDOWS\\Rootkit.sys"

It seems that loader cannot find the driver, but don't know why.
Thanks.

hello, I want to know how to compile the loader with MinGW I already setup it on my windows 7 x64 and I don't have any idea what I write on cmd to extract the dkom.exe file I put the makefile in dir C:\MinGW\bin and loader folder and tools also, what next?
please help <3 or someone give me a tutorial

As the title says, I have been testing this and after 2 minutes of hiding your process the system just freezes.

Is it because of this windows build maybe ?

Compiling and running the driver was very easy, it worked like a charm.

Hi @landhb, i compiled the driver and the loader. Copied Rootkit.sys to C:\Windows\System32\drivers\

In the loader.c file i got #define DRIVER "C:\\Windows\\System32\\drivers\\Rootkit.sys" when i compile.

When i try to hide a process this is the STDOUT i get:

C:\Windows>dkom.exe Ditto_deleted.exe

 Basic DKOM Rootkit to Hide a Process
 Usage : loader.exe [process name]
 Author: Bradley Landherr


[+] Discovered PID of process Ditto_deleted.exe: 1208
[*] Grabbing driver device handle...
[*] Loading driver.
[-] Error loading driver: The system cannot find the path specified.

LALA: 3
[-] Error creating handle: The system cannot find the path specified.

Ignore LALA: 3 :D I think the error happens at StartService(svcHandle, 0, NULL) == 0 it is like the loader cannot find the driver

any ideas?

OFF: on win 10 ver 1703 (rs2) build 15063 enterprise it only works for you about ~30minutes before BSOD?

Hi, i'm trying to build a dkom following your guide and using your code.
I followed all step, but when i use the .exe, and error occurred.

I used Visual studio 2017, latest version of SDK (version 1809) and WDK (version 1809). The building in Visual Studio not give me problem and create the Rootkit.sys. Then, thinking that the problem is the path, i copy this in every position of my computer, and try to modify the path in loader.c many times, but the error is unresolved. I try to build it as 64bit or 32bit, but nothing has changed. I'm seeing the code in loader.c, and i think that the problem is the starting of service. Do you have any idea? What are blocking the createservice?
I'm trying it in VM windows 7, 64bit.
Thanks in advance.

I use visual studio 2017 to build this project, but has a error that is lost ndis_debug.h and tcphook.h

Hi! We have are BSOD on loading driver in 7x64.
Dump:
dmp file

Error loading driver: 系统找不到指定的路径。
Doesn't exist, installing new SCM entry...

Hi Bro,
Pleased to see you!
64 bit operating system
Add driver signature, can you use ?
Thank you!

I built this project under win10 and vs2015, but the setting's target platform only win10. I want to run it under win7 x86.
So I want to know, which VERSION OF Visual Studio you use? And which platform that you use VS?
Thanks!!!

Thanks for uploading this mate, I was wondering where do you obtain the loader irp code 0x815 from , driver compiles perfect though

I know it's a POC, but I thought it would be good to fix this anyway -

1. There is a stack buffer overflow reading the 'pid' from user mode. Replace inBufferLength with sizeof(pid).
   

   HideProcess/driver/irphandlers.c

   Line 60 in 99d7a72

   strcpy_s(pid, inBufferLength, inBuf);

2. The output buffer's length is not checked
   

   HideProcess/driver/irphandlers.c

   Line 92 in 99d7a72

   RtlCopyBytes(buffer, data, outBufferLength);

3. This memory is not freed anywhere
   

   HideProcess/driver/hideprocess.c

   Line 7 in 99d7a72

   LPSTR result = ExAllocatePool(NonPagedPool, sizeof(ULONG) + 20);;

4. This buffer was allocated with length=(sizeof(ULONG) + 20), why is the param to sprintf_s longer?
   

   HideProcess/driver/hideprocess.c

   Line 29 in 99d7a72

   sprintf_s(result, 2 * sizeof(ULONG) + 30, "Found offsets: %lu & %lu", PID_OFFSET, LIST_OFFSET);

5. This string is not used anywhere (copied from the microsoft ioctl sample:) )
   

   HideProcess/driver/irphandlers.c

   Line 43 in 99d7a72

   PCHAR data = "This String is from Device Driver !!!";

6. Here, you use 'datalen' which is the length of the string from the sample instead of the real result string:
   

   HideProcess/driver/irphandlers.c

   Line 95 in 99d7a72

   Irp->IoStatus.Information = (outBufferLength<datalen ? outBufferLength : datalen);

I followed the steps you posted here:

Here's a gif I just made performing it on build 17763:

Originally posted by @landhb in #10 (comment)

But I receive The handle is invalid error. What could be causing this? I have everything compiled correctly and have tried many different configurations.

I try to use it in a win 7 64 bit installation with Driver Signing check and Patchguard disabled.

When I try to hide a process I obtain this output:

I have compiled the driver in Visual Studio 2017 runned in Win10, and I checked the follow option:

• Driver Setting:
  Target OS Version = Windows 7
  Target Platform = Desktop
  Platform = x64

• Configuration Manager
  Active Solution Platform = x64
  Platform = x64

About the loader, have compiled it use the command "make 64bit"

Thanks