Direct Kernel Object Manipulation _EPROCESS


YuriFA/DKOM


               _   _   _ _
  _ _ ___  ___| |_| |_(_) |_
 | '_/ _ \/ _ \  _| / / |  _|
 |_| \___/\___/\__|_\_\_|\__|DKOM

 Direct Kernel Object Manipulation on the _EPROCESS internal structure
 Toufik Airane @tfairane
  • x64 requires driver signing
  • I didn't try to bypass PatchGuard :)
  • Tested on: win7sp1
lkd> lm v m nt
start             end                 module name
fffff800`02e4d000 fffff800`03432000   nt         (export symbols)       ntkrnlmp.exe
    Loaded symbol image file: ntkrnlmp.exe
    Image path: ntkrnlmp.exe
    Image name: ntkrnlmp.exe
    Timestamp:        Tue Mar 04 09:38:19 2014 (531590FB)
    CheckSum:         00554C03
    ImageSize:        005E5000
    File version:     6.1.7601.18409
    Product version:  6.1.7601.18409
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     ntkrnlmp.exe
    OriginalFilename: ntkrnlmp.exe
    ProductVersion:   6.1.7601.18409
    FileVersion:      6.1.7601.18409 (win7sp1_gdr.140303-2144)
    FileDescription:  NT Kernel & System
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
