PoCs for kernel-mode rootkit technique research and education. Currently focused on Windows. All modules support 64-bit OSes only.
> NOTE
>
> Some modules use the ExAllocatePool2 API to allocate kernel pool memory. ExAllocatePool2 is not available on OSes older than Windows 10 Version 2004 (NTDDI_WIN10_VB). To test those modules on older OSes, replace ExAllocatePool2 with ExAllocatePoolWithTag. Keep in mind that ExAllocatePoolWithTag does not zero the allocation (ExAllocatePool2 does by default), so add an RtlZeroMemory call where a module relies on zeroed memory, and pass NonPagedPoolNx rather than NonPagedPool so the pool stays non-executable.
All modules are tested on Windows 11 x64. To test the drivers, the following options can be used on the test machine:
- Setting Up Kernel-Mode Debugging (Microsoft's guide for WinDbg, cdb, or ntsd)
Each option requires Secure Boot to be disabled.
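As an added example (not part of the VectorKernel project), the following elevated PowerShell session prepares a test VM for the kernel-mode debugging option above: it checks that the OS is 64-bit and that Secure Boot is off, enables the kernel debugger on the current boot entry, and selects the network (KDNET) transport. The debugger host address, the port, and the WinDbg command line are assumed values for illustration.

```powershell
# Added example: prepare a Windows test VM for kernel-mode debugging over KDNET.
# Run in an elevated PowerShell prompt on the test machine; reboot afterwards.
# Assumed values (not from the project): debugger host 192.168.56.1, port 50000.
$HostIp = '192.168.56.1'
$Port   = 50000

# The modules are 64-bit only, so refuse to continue on a 32-bit installation.
if (-not [Environment]::Is64BitOperatingSystem) {
    throw 'These drivers require a 64-bit Windows installation.'
}

# Secure Boot must be off for this option. Confirm-SecureBootUEFI throws
# PlatformNotSupportedException on legacy BIOS machines, where it does not apply.
try {
    if (Confirm-SecureBootUEFI) {
        throw 'Secure Boot is enabled; disable it in the firmware settings first.'
    }
    Write-Host 'Secure Boot is disabled.'
} catch [System.PlatformNotSupportedException] {
    Write-Host 'Legacy BIOS boot; Secure Boot is not applicable.'
}

# Turn on the kernel debugger for the current boot entry and select the
# network transport. With no key given, bcdedit generates one and prints it.
bcdedit /debug on
bcdedit /dbgsettings net "hostip:$HostIp" "port:$Port"

# Show the resulting settings; the printed Key is what the host side needs,
# e.g. (assumed host command):  windbg -k net:port=50000,key=<Key>
bcdedit /dbgsettings
Write-Host 'Reboot to apply. Start WinDbg on the host before the VM boots so it can attach.'
```

The Secure Boot check is done first on purpose: if it is still on, `bcdedit` may accept the settings but the debugger transport and unsigned test drivers will not work after the reboot, and the failure is much harder to diagnose at that point.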
Detailed information is given in the README.md in each project's directory.
Module Name | Description |
---|---|
BlockImageLoad | PoCs to block driver loading with the Load Image Notify Callback method. |
BlockNewProc | PoCs to block new processes with the Process Notify Callback method. |
CreateToken | PoCs to get a fully privileged SYSTEM token with the ZwCreateToken() API. |
DropProcAccess | PoCs to drop process handle access with the Object Notify Callback method. |
GetFullPrivs | PoCs to get full privileges with the DKOM method. |
GetProcHandle | PoCs to get a full-access process handle from kernel mode. |
InjectLibrary | PoCs to perform DLL injection with the Kernel APC Injection method. |
ModHide | PoCs to hide loaded kernel drivers with the DKOM method. |
ProcHide | PoCs to hide processes with the DKOM method. |
ProcProtect | PoCs to manipulate Protected Processes. |
QueryModule | PoCs to retrieve the load address information of kernel drivers. |
StealToken | PoCs to perform token stealing from kernel mode. |
More PoCs, especially on the following topics, will be added later:
References:
- Pavel Yosifovich, Windows Kernel Programming, 2nd Edition (Independently published, 2023)
- Bruce Dang, Alexandre Gazet, Elias Bachaalany, and Sébastien Josse, Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation (Wiley Publishing, 2014)
- Bill Blunden, The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition (Jones & Bartlett Learning, 2012)
Repository: https://github.com/daem0nc0re/VectorKernel