RegPhantom a signed Windows kernel rootkit that turns the registry into a covert execution channe...
Summary
RegPhantom is a signed Windows kernel rootkit that turns the registry into a covert execution channel: an unprivileged user-mode process hands an arbitrary PE file to the driver through the registry, and the driver reflectively maps it into kernel memory. Because the payload never goes through the normal driver-load path, it is not recorded in PsLoadedModuleList and does not show up in standard driver enumeration, so detections that rely on those lists do not see it. The loader itself is signed, so Driver Signature Enforcement does not stand in its way. The technique serves as a persistence mechanism and shows that monitoring built on the kernel's own module bookkeeping is not sufficient by itself.
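One hunting check that follows from the summary above: since the payload reaches the kernel through the registry rather than the driver-load path, registry values that contain a PE image, in particular one built for the native subsystem as kernel drivers are, are worth flagging. The script below is an added example and is not RegPhantom's code or part of the original page; the key paths, value names and the constructed PE32+ header are assumptions made up for the example, and the page does not say where RegPhantom stages its payload.

```python
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_SUBSYSTEM_NATIVE = 1          # subsystem used by kernel-mode drivers
IMAGE_FILE_DLL = 0x2000
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def parse_embedded_pe(blob, offset):
    """Return header fields if blob[offset:] starts with a plausible PE image, else None.

    Only the DOS header, NT signature, file header and the start of the optional
    header are checked; that is enough to tell a staged image from random bytes.
    """
    if blob[offset:offset + 2] != IMAGE_DOS_SIGNATURE or len(blob) < offset + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
    nt = offset + e_lfanew
    # Need signature(4) + file header(20) + optional header up to Subsystem(68+2).
    if e_lfanew < 0x40 or nt + 4 + 20 + 70 > len(blob):
        return None
    if blob[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsections, _ts, _symtab, _nsyms, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", blob, nt + 4)
    opt = nt + 24
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC):
        return None
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    return {
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC,
        "subsystem": subsystem,
        # Heuristic: user-mode images use WINDOWS_GUI/CUI; NATIVE is the driver subsystem.
        "likely_kernel_image": subsystem == IMAGE_SUBSYSTEM_NATIVE,
    }


def scan_values(values):
    """Scan {value_path: data} and report every embedded PE image, at any offset.

    Non-bytes data (REG_SZ, REG_DWORD as returned by winreg) is skipped; a PE
    prefixed by a length field or other wrapper is still found.
    """
    findings = []
    for name, data in values.items():
        if not isinstance(data, (bytes, bytearray)):
            continue
        pos = data.find(IMAGE_DOS_SIGNATURE)
        while pos != -1:
            hdr = parse_embedded_pe(data, pos)
            if hdr is not None:
                findings.append({"value": name, "offset": pos, **hdr})
            pos = data.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return findings


def walk_hive_values(hive, path):
    """Yield (path, data) for every REG_BINARY value under hive\\path. Windows only (winreg)."""
    import winreg

    def _walk(key, prefix):
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        for i in range(n_val):
            name, data, typ = winreg.EnumValue(key, i)
            if typ == winreg.REG_BINARY:
                yield f"{prefix}\\{name}", data
        for i in range(n_sub):
            sub = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, sub) as k:
                    yield from _walk(k, f"{prefix}\\{sub}")
            except OSError:
                continue  # access denied or key vanished mid-walk

    with winreg.OpenKey(hive, path) as root:
        yield from _walk(root, path)


def _build_sample_driver_image():
    """Constructed stand-in for a staged kernel image: PE32+ header, Subsystem=NATIVE, no sections."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x80)                   # e_lfanew
    stub = bytes(0x80 - 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)  # AMD64, EXECUTABLE_IMAGE
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_NATIVE)
    return bytes(dos) + stub + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


# Constructed sample registry values (hypothetical key paths, not from the page).
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Contoso\Settings\Theme": "dark",                      # REG_SZ, skipped
    r"HKLM\SOFTWARE\Contoso\Cache\Blob": bytes(range(256)) * 4,           # benign REG_BINARY
    r"HKLM\SOFTWARE\Contoso\Staging\Payload": b"\x00" * 16 + _build_sample_driver_image(),
}

if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg
        values = dict(walk_hive_values(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE"))
    else:
        values = SAMPLE_VALUES
    for finding in scan_values(values):
        print(finding)
```

The native-subsystem flag is a heuristic, not proof: a few legitimate user-mode images (smss.exe, autochk.exe) also use it, and an attacker can store the image encoded so that no MZ/PE header is visible at rest, so this check complements rather than replaces comparing PsLoadedModuleList against executable kernel memory that belongs to no known module.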
Indicators of Compromise
- malware — RegPhantom