unKover

Windows anti-rootkit driver that can detect drivers that have been mapped into kernel memory. Think Moneta, but for the kernel (obviously this is a simplified comparison). As of the latest version it additionally detects hidden threads.

The idea is to have a small, concise anti-rootkit that aids you (the rootkit developer) in honing your rootkit's evasion abilities, while also showcasing detection vectors with a minimal false-positive rate that catch many of the openly available driver mapper + rootkit combinations.

For more information see the following blog posts:

While some open-source anti-cheats with capabilities far beyond this tool's exist (such as donnaskiez ac), I wanted something that I could easily tweak according to my needs. Maybe it will be useful for you too.

Techniques implemented:

<p align="center"> <img src="./img/detect.jpg" alt="unKover output"/> </p>

Installation

You need to enable test signing to load the driver. I also recommend enabling kernel debugging.

Run the following from an administrative prompt and reboot afterwards:

bcdedit /set testsigning on
bcdedit /debug on

Then you can load the driver with sc.exe or use OSR DriverLoader:

sc.exe create Unkover binPath= "C:\path\to\Unkover.sys" type= kernel start= demand
sc.exe start Unkover

Afterwards, the driver's output appears in the kernel debug log (view it with e.g. WinDbg, or DebugView with "Capture Kernel" enabled).
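The steps above, wrapped into one elevated PowerShell helper with the checks the manual procedure leaves to the operator (test signing actually on, driver file present, service created only once, driver reported as running). This is an added example and not part of unKover; the driver path is a placeholder and the service name follows the sc.exe commands above.

```powershell
# Added helper, not part of unKover: load (or with -Remove, unload) Unkover.sys.
# Run from an elevated PowerShell prompt. $DriverPath is a placeholder; adjust it.
param(
    [string]$DriverPath  = "C:\path\to\Unkover.sys",
    [string]$ServiceName = "Unkover",
    [switch]$Remove
)

function Test-TestSigningEnabled {
    # bcdedit lists "testsigning  Yes" for the current boot entry once enabled
    $out = & bcdedit.exe /enum "{current}" 2>&1
    return [bool]($out | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
}

function Test-DriverServiceExists {
    # sc.exe query exits with 1060 (ERROR_SERVICE_DOES_NOT_EXIST) for unknown names
    & sc.exe query $ServiceName | Out-Null
    return $LASTEXITCODE -eq 0
}

if ($Remove) {
    # Stop the driver (requires a DriverUnload routine) and drop its SCM entry
    & sc.exe stop $ServiceName | Out-Null
    & sc.exe delete $ServiceName
    return
}

if (-not (Test-TestSigningEnabled)) {
    throw "Test signing is off: run 'bcdedit /set testsigning on' and reboot first."
}
if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "Driver file not found: $DriverPath"
}

# Create the kernel service only once; re-running the script just (re)starts it.
# Note the sc.exe convention of "name= value" with a space after the '='.
if (-not (Test-DriverServiceExists)) {
    & sc.exe create $ServiceName binPath= "$DriverPath" type= kernel start= demand
    if ($LASTEXITCODE -ne 0) { throw "sc.exe create failed (exit code $LASTEXITCODE)" }
}

& sc.exe start $ServiceName
if ($LASTEXITCODE -ne 0) { throw "sc.exe start failed (exit code $LASTEXITCODE)" }

# Kernel drivers are not returned by Get-Service, so read their state via WMI/CIM
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
Write-Host "$ServiceName state: $($drv.State). Watch its DbgPrint output in WinDbg or DebugView (Capture Kernel on)."
```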

Credits