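rule:
  meta:
    name: load ntoskrnl
    namespace: exploitation/gadgets
    authors:
      - zdw@google.com
    description: look for calls to LoadLibrary* for ntoskrnl.exe, which can be indicative of kernel gadgets being resolved in user-mode for LPEs
    scopes:
      # basic block: the string reference and the import call must sit in the
      # same basic block, which keeps unrelated mentions of the kernel image
      # elsewhere in the binary from firing the rule.
      static: basic block
      dynamic: call
    examples:
      - cb0ce85efef94a4f7eacb4571ebf71b12ebbf9fb9faba96e853552822668aa22.exe_:0x1400013E0
  features:
    - and:
      - os: windows
      # Module names are case-insensitive on Windows and the argument may be
      # a full path, so an exact `string:` match on "ntoskrnl.exe" misses
      # "NTOSKRNL.EXE" or "C:\Windows\System32\ntoskrnl.exe". A case-insensitive
      # regex is searched within the string, so the plain form in the example
      # above still matches.
      - string: /ntoskrnl\.exe/i
      - or:
        # capa matches LoadLibrary against both the A and W variants.
        - api: LoadLibrary
        - api: LoadLibraryEx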
last edited: 2025-05-22 18:53:30