Skip to content
Windows kernel backdoor via registering a malicious SMB handler
Branch: master
Clone or download
Latest commit 6d94611 Apr 15, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
smbdoor NPP-NX pool Apr 15, 2019
.gitignore Initial commit Apr 14, 2019
LICENSE Initial commit Apr 14, 2019 Update Apr 15, 2019 add test script Apr 14, 2019
extrapulsar.png slop together a graphic Apr 14, 2019



The proof-of-concept smbdoor.sys driver is a silent remote backdoor that does not bind new sockets or perform function modification hooking. Instead it abuses undocumented APIs in srvnet.sys to register itself as a valid SMB handler. It then listens on the already-bound ports 139/445 for special packets in which to execute secondary shellcode. In several ways, it has similarities with DoublePulsar and DarkPulsar, as well as ToxicSerpent.

Of course, it comes with practical limitations that make it mostly an academic exploration, but I thought it might be interesting to share, and is possibly something EDR products should monitor.


You can’t perform that action at this time.