Windows Rootkit Driver (KMDF)
Version: v1.0
Difficulty: Elite
Updated: 2025-01-25
Category: Malware Development


$599.99

Windows Kernel Rootkit — KMDF Driver

Kernel driver for Windows 10/11 implementing classic rootkit techniques at the kernel level:

  • Process Hiding — Manipulates the EPROCESS doubly-linked list to unlink the target process from the ActiveProcessLinks, making it invisible to Task Manager and process enumeration APIs.
  • File Hiding — Hooks IRP_MJ_DIRECTORY_CONTROL in NTFS driver to filter directory entries, hiding specified files and folders from user-mode directory listings.
  • Registry Hiding — Registers a registry callback through CmRegisterCallbackEx (a documented filtering API, not a hook) and drops specific keys and values from enumeration results returned to tools such as regedit and reg.exe.
  • Network Hiding — Hooks NSI (Network Store Interface) to hide active connections from netstat, TCPView, and similar network monitoring tools.
  • Keylogger — Kernel-level keystroke capture. The listing attributes this to IoRegisterDeviceInterface, but that routine only registers a Plug and Play device interface and offers no path for intercepting keyboard input; the actual capture mechanism is not described.
  • Anti-Detection — Claims a PatchGuard (KPP) bypass based on unspecified "timing windows"; no detail is given to support this. Driver Signature Enforcement is handled either by enabling test-signing mode or by signing with leaked code-signing certificates. Note that test-signing mode requires administrative rights and a reboot and places a visible "Test Mode" watermark on the desktop, and leaked certificates are typically revoked once discovered and the drivers signed with them added to Microsoft's vulnerable driver blocklist, so neither approach is a silent bypass on a maintained system.