Analyzing Pieces of the Zero Access Rootkit

Blogroll Posted: January 04, 2012

One of our customers recently asked us to take a look at the inner workings of the Zero Access rootkit. After analyzing it in Responder Pro, I decided to blog about a few of the interesting pieces. I'll start with its use of a known but seldom-used method of loading a kernel driver from kernel mode. The core of this method is a call to ZwSetSystemInformation with SYSTEM_INFORMATION_CLASS number 0x36 (SystemLoadGdiDriverInSystemSpaceInformation). As the name implies, this information class loads a PE file and maps it into system space (rather than session space, where GDI drivers are normally mapped). Internally, it essentially just calls MmLoadSystemImage followed by MmPageEntireDriver, so the rootkit gets a mapped, executable driver image without going through the normal service-based driver loading path.

By Martin Pillion