Kernel rootkit, that lives inside the Windows registry values data
Switch branches/tags
Nothing to show
Clone or download
Latest commit 41a7725 Oct 8, 2017
Failed to load latest commit information.
bin Recommit Jun 8, 2013
src Recommit Jun 8, 2013 fix broken links Oct 8, 2017

Kernel rootkit, that lives inside the Windows registry value data.
By Oleksiuk Dmytro (aka Cr4sh)

Rootkit uses the zero day vulnerability in win32k.sys (buffer overflow in function win32k!bInitializeEUDC()) to get the execution at the OS startup.


  • NDIS-based network backdoor (+ meterpreter/bind_tcp).

  • In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers.

  • Completely undetectable by public anti-rootkit tools.

  • Working on Windows 7 (SP0, SP1) x86.


This rootkit was originally presented at the ZeroNights 2012 conference during my talk.
See the slides and videos for more information: