This project implements a Windows kernel-mode rootkit compatible with Windows XP, 7, 10, and 11. It provides five core features for process and driver manipulation. Use this only in controlled, ethical penetration-testing environments (e.g., virtual machines).
- Windows Driver Kit (WDK)
- Visual Studio 2022
- Administrator privileges on the target system
- User-mode client application (provided in `RootkitClient`)
- Kernel Patch Protection (KPP / PatchGuard):
  - On 64-bit Windows XP and later, PatchGuard may detect modifications to the SSDT, DKOM changes, MSRs, GDT/IDT, etc., and trigger a bug check (blue screen).
  - Detection timing is nondeterministic; there may be a window of opportunity to establish persistence before a crash occurs.
  - For sustained stealth, PatchGuard must be patched and Driver Signature Enforcement (DSE) disabled. This repository does not include KPP or DSE patches.
- Install WDK & Visual Studio
  - Download and install the latest Windows Driver Kit from Microsoft.
  - Install Visual Studio 2022 with the C++ development tools.
- Open Solution
  - Launch Visual Studio and open `RootkitDriver.sln`.
- Configure Driver-Loading Mode
  - By default, the driver loads via a service.
  - To enable reflective loading (in-memory), uncomment `#define DRL` in `main.cpp`.
- Build
  - Select the target architecture (x86 or x64) and build the solution.
  - The driver binary (`.sys`) and the client executable will be generated.
- Install & Start Driver
  - Note: To use the service version of the driver, comment out `#define DRL` in `main.cpp`, or use the prebuilt binary `RootkitService.sys`.

```
sc create RootkitDriver type= kernel binPath= "<path>\RootkitService.sys" start= system
sc start RootkitDriver
```
- Run User-Mode Client
  - Build the client in the `RootkitClient` folder.
  - Use its command-line interface to send IOCTL codes and target process IDs:

```
RootkitClient.exe > Choose from the menu.
```
- Removes the driver from the `PsLoadedModuleList` by patching the doubly linked list pointers (FLINK/BLINK) so that the driver entry is skipped.
- Replaces the token of a target process with the token of the SYSTEM process (PID 4), granting NT AUTHORITY\SYSTEM privileges.
  - Token offset: 0x4B8 (varies across Windows versions; the code accounts for this).
- Traverses the active process list and unlinks the target process from the `_EPROCESS` list, making it invisible to enumeration.
  - `_EPROCESS` list offset: 0x448 (varies across Windows versions; the code accounts for this).
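Unlinking a process from the active-process list only hides it from list-walking enumerators; the PID remains in the kernel's handle table (`PspCidTable`, which the roadmap below notes is not yet touched). The following PowerShell script is an added defensive cross-view check, not part of this project: it compares the PIDs `Get-Process` enumerates against PIDs that `OpenProcess` still recognises. The `$MaxPid` bound and the use of `PROCESS_QUERY_LIMITED_INFORMATION` are assumptions of this example.

```powershell
# Added detection check; not part of the RootkitDriver project.
# A process unlinked from the _EPROCESS ActiveProcessLinks list vanishes from
# Get-Process (a list walk), but its PID remains in PspCidTable, so OpenProcess
# on that PID does not fail with ERROR_INVALID_PARAMETER. Any such PID that is
# absent from the enumerated list is a candidate hidden process.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
"@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_INVALID_PARAMETER = 87   # returned when no object exists for the PID

function Find-HiddenProcessIds {
    param([int]$MaxPid = 65536)   # assumed upper bound; PIDs are multiples of 4
    $visible = @{}
    Get-Process | ForEach-Object { $visible[[int]$_.Id] = $true }
    $suspects = @()
    # Skip PID 0 (Idle) and 4 (System); start at the first user-assignable PID.
    for ($candidate = 8; $candidate -lt $MaxPid; $candidate += 4) {
        if ($visible.ContainsKey($candidate)) { continue }
        $h = [Win32.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Proc]::CloseHandle($h)
            $suspects += $candidate    # object exists but was not enumerated
        } elseif ($err -ne $ERROR_INVALID_PARAMETER) {
            $suspects += $candidate    # exists but access refused (e.g. protected)
        }
    }
    return $suspects
}

Find-HiddenProcessIds | ForEach-Object { "Candidate hidden process: PID $_" }
```

Run it elevated and repeat the scan before acting on a hit: processes that start or exit between the two views, and exited processes whose handles are still held open, produce transient false positives.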
- Sets the `BreakOnTermination` flag in the target process's `_EPROCESS` structure.
  - If the protected process exits or is terminated, the system will bug check with CRITICAL_PROCESS_DIED.
  - You may also unprotect a process using the menu.
  - You may also protect a process with Access Denied protection (termination attempts fail with Access Denied), which also blocks reading from and writing to its memory. This is implemented using kernel callbacks.
- Traverses the PEB structure of the given process, attempts to find the requested DLL, and unlinks it from the module list.
- Hooks `IRP_MJ_CREATE` on the NTFS file-system driver to deny modification and deletion of a file (effectively "locking" it).
  - THIS FEATURE IS ONLY AVAILABLE TO SERVICE-LOADED DRIVERS.
The kernel driver has been updated with the option to message the client via a shared memory region. The client is notified through an event signalled by the kernel driver.
- Service Loading (default): Loads the driver via the SCM (Service Control Manager).
- Reflective Loading: Loads the driver into memory without the SCM. Used with BYOVD (Bring Your Own Vulnerable Driver) attacks; the vulnerable driver MUST provide kernel memory read/write in order to map your kernel driver.
  - Enable by uncommenting `#define DRL` in `main.cpp`.
- Port Hiding: Conceal network ports using IRP hooks. Hooking the NSI driver will only hide ports and IPs from the netstat command; Wireshark uses its own device driver (the NpCap driver, to be precise), and I will not hook it.
- APC Shellcode Injection: Inject shellcode into processes via APC.
- Callbacks: Register callbacks to deny process and thread killing, hide registry keys and values, and even deny file deletion. (PROCESS - DONE; FILE DELETION - DONE, via IRP hooking)
- Extended DKOM: Modify additional kernel structures for enhanced stealth. Might do PspCidTable to fully hide the process.
Use this rootkit code responsibly. Always ensure you have explicit authorization before testing on any system.