A Windows kernel-mode rootkit with remote control; ideal post-exploitation persistence on Windows
Uses DKOM and IRP hooks. Hides processes, manipulates tokens, and hides TCP network connections by port
- Elevate process privileges to NT AUTHORITY\SYSTEM by token manipulation
- Hide processes by unlinking them from ActiveProcessLinks
- Remote command execution
- A remote keylogger
- Dropper
- TCP connection hiding by port (IRP hooking)
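A defender-side check for the ActiveProcessLinks unlinking listed above, added here as an example and not part of this project: a process unlinked from the list disappears from NtQuerySystemInformation (what Get-Process and Task Manager use) but still has an entry in the PID table, so OpenProcess by PID keeps working. Diffing the two views surfaces the discrepancy. Assumes an elevated PowerShell 5.1+ session; the function name Find-HiddenProcess and the PID range are the example's own choices.

```powershell
# Added example (not this project's code): cross-view detection of processes
# hidden from user-mode enumeration by DKOM. PIDs are always multiples of 4.
Add-Type @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class NativeProc {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool QueryFullProcessImageName(IntPtr h, uint flags, StringBuilder name, ref uint size);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetExitCodeProcess(IntPtr h, out uint code);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
}
"@

function Find-HiddenProcess {
    param([int]$MaxPid = 65536)   # raise on busy hosts where PIDs grow past 65536
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # also succeeds on protected processes
    $STILL_ACTIVE = 259
    # View 1: the PIDs that normal enumeration reports.
    $listed = @{}
    Get-Process | ForEach-Object { $listed[[uint32]$_.Id] = $true }
    # View 2: every PID that can be opened directly, regardless of the list.
    $hidden = @()
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h = [NativeProc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        if ($h -eq [IntPtr]::Zero) { continue }
        # Exited processes whose handles are still open keep their PID; skip
        # them so zombies do not show up as false positives.
        [uint32]$code = 0
        $alive = [NativeProc]::GetExitCodeProcess($h, [ref]$code) -and $code -eq $STILL_ACTIVE
        $sb = New-Object System.Text.StringBuilder 1024
        [uint32]$len = $sb.Capacity
        $name = if ([NativeProc]::QueryFullProcessImageName($h, 0, $sb, [ref]$len)) { $sb.ToString(0, $len) } else { '<unknown>' }
        [void][NativeProc]::CloseHandle($h)
        if ($alive -and -not $listed.ContainsKey([uint32]$candidate)) {
            $hidden += [pscustomobject]@{ Pid = $candidate; Image = $name }
        }
    }
    return $hidden
}

Find-HiddenProcess | Format-Table -AutoSize
```

An empty result means both views agree; any row is a process the enumeration API does not report and deserves a closer look (memory forensics, kernel callback and IRP-dispatch table review).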