A simple Windows kernel rootkit.

Overview

Venom RootKit

A simple Windows rootkit that I wrote in order to explore the world of rootkits and the Windows kernel in general. Venom uses a few well-known methods that are commonly used by other well-known rootkits. Its main features are listed in the "Features" section below.

Flow

The flow of the rootkit is as follows. We start by dropping the rootkit .sys file and the user-mode (UM) .dll file to disk. Then we load the rootkit driver; this can be done with some exploit or with a loader such as DSEFix or KDMapper. Once the driver is loaded, it creates a device object and a symbolic link so that the UM client can talk to it. It then installs the IRP hook on the nsiproxy driver, and finally performs an APC injection of the UM dll into an arbitrary thread of "explorer.exe" (the target process can easily be changed). The injection first queues a kernel-mode APC and only then a user-mode APC, so that the Microsoft ETW event raised for a user-mode APC queued from the kernel is avoided, as described here. An IRP hook of this kind usually means swapping a MajorFunction dispatch pointer in nsiproxy's DRIVER_OBJECT, which is why a kernel debugger's `!drvobj nsiproxy 2` output then shows a dispatch entry that points outside nsiproxy.sys.
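The injection step above leaves a DLL mapped inside explorer.exe, and the feature list says the rootkit can also hide files. The following PowerShell is an added example written for this page, not code from the Venom project: it walks the modules of a target process and flags any whose on-disk image cannot be opened (the loader mapped it, but the file-system view no longer shows it) or whose Authenticode signature does not verify. The function name `Get-SuspiciousModule` and the explorer default are my choices.

```powershell
function Get-SuspiciousModule {
    # Added example (not part of Venom): cross-check a process's loaded modules
    # against the file system and Authenticode. Two signals are reported:
    #   1. the image path is mapped in the process but not visible on disk
    #   2. the image is on disk but its signature does not verify
    [CmdletBinding()]
    param([string]$ProcessName = 'explorer')

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        try {
            $modules = $proc.Modules
        } catch {
            Write-Warning "PID $($proc.Id): cannot enumerate modules ($($_.Exception.Message))"
            continue
        }
        foreach ($mod in $modules) {
            $path   = $mod.FileName
            $reason = $null
            if (-not (Test-Path -LiteralPath $path)) {
                # Mapped by the loader, yet absent from the directory view:
                # consistent with a hidden or deleted DLL.
                $reason = 'image not visible on disk'
            } else {
                # Catalog-signed system DLLs report Status=Valid with SignatureType=Catalog.
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                if ($sig.Status -ne 'Valid') { $reason = "signature $($sig.Status)" }
            }
            if ($reason) {
                [pscustomobject]@{
                    Pid    = $proc.Id
                    Module = $mod.ModuleName
                    Path   = $path
                    Reason = $reason
                }
            }
        }
    }
}

# Usage: list suspicious modules in every explorer.exe instance.
Get-SuspiciousModule -ProcessName explorer | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell so that 64-bit processes can be enumerated. Unsigned third-party shell extensions will show up as signature NotSigned, so treat the "not visible on disk" reason as the stronger signal; and since this runs entirely in user mode, a kernel component that also hides or filters handles can blind it.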

Demo

Here is a little demo of the port hiding feature - Port Hiding

  • My C&C is only for the PoC; my main goal was the rootkit, so I invested only the minimum needed for the demo.

Features

  • Dynamic APC injection to load the UM dll.
  • Process hiding.
  • Token elevation to "NT AUTHORITY\SYSTEM".
  • Command execution.
  • TCP port hiding by IRP-hooking the nsiproxy driver.
  • C&C server communication.
  • Logging.
  • File hiding.
  • Anti-VM/Debug (possibly to be implemented through TLS callbacks).
  • Dynamic config for the UM client.
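The port hiding feature works by hooking nsiproxy, which is the driver that answers netstat and Get-NetTCPConnection through the NSI interface. bind() does not go through that path; it is served by afd.sys/tcpip.sys, so the TCP stack still refuses to hand out a port that a hidden listener owns. The following PowerShell is an added example written for this page, not code from the Venom project: it takes an NSI snapshot, tries to bind every port in a range, and reports ports that are busy according to the stack but absent from the NSI view. The function name `Find-HiddenTcpPort` is my choice.

```powershell
function Find-HiddenTcpPort {
    # Added example (not part of Venom): cross-view detection of hidden TCP ports.
    # View 1 comes from NSI (nsiproxy.sys) and can be filtered by an IRP hook.
    # View 2 comes from bind() attempts, which tcpip.sys answers directly.
    [CmdletBinding()]
    param(
        [int]$StartPort = 1,
        [int]$EndPort   = 65535
    )

    # View 1: every local TCP port NSI admits to (all states, incl. Bound/TimeWait).
    $nsiPorts = [System.Collections.Generic.HashSet[int]]::new()
    Get-NetTCPConnection -ErrorAction Stop |
        ForEach-Object { [void]$nsiPorts.Add([int]$_.LocalPort) }

    # View 2: a port is "busy" if bind() fails with WSAEADDRINUSE (10048).
    # Other failures (e.g. WSAEACCES for Hyper-V excluded port ranges) are ignored.
    $busy     = [System.Collections.Generic.HashSet[int]]::new()
    $families = @([System.Net.IPAddress]::Any, [System.Net.IPAddress]::IPv6Any)
    foreach ($port in $StartPort..$EndPort) {
        foreach ($addr in $families) {
            $listener = [System.Net.Sockets.TcpListener]::new($addr, $port)
            try {
                $listener.Start()   # bind + listen; only succeeds if the port is free
            } catch {
                $ex = $_.Exception
                while ($ex.InnerException) { $ex = $ex.InnerException }
                if ($ex -is [System.Net.Sockets.SocketException] -and
                    $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::AddressAlreadyInUse) {
                    [void]$busy.Add($port)
                }
            } finally {
                $listener.Stop()
            }
        }
    }

    # Candidates: busy per the stack, invisible per NSI.
    $candidates = @($busy | Where-Object { -not $nsiPorts.Contains($_) })

    # Re-check against a fresh NSI snapshot so ports that were merely opened
    # (e.g. ephemeral outbound connections) after the first snapshot are dropped.
    $fresh = [System.Collections.Generic.HashSet[int]]::new()
    Get-NetTCPConnection | ForEach-Object { [void]$fresh.Add([int]$_.LocalPort) }
    $candidates | Where-Object { -not $fresh.Contains($_) } | Sort-Object |
        ForEach-Object { [pscustomobject]@{ LocalPort = $_; VisibleToNsi = $false } }
}

# Usage: a full sweep takes on the order of a minute; narrow the range to go faster.
Find-HiddenTcpPort -StartPort 1 -EndPort 65535
```

No administrator rights are needed, since bind() on Windows works for any port from a normal user. The check only covers TCP; a listener bound with SO_REUSEADDR semantics on both sides, or a rootkit that also hooks the afd/tcpip path, would not be caught by it.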

Some other projects I have taken inspiration from

Thanks

I want to thank @omerk2511 for helping and guiding me.

Disclaimer

This project is for educational purposes only; I am not responsible for any kind of abuse.

Comments
  • Installation details

    Good day,

    Once the solution is compiled (x64) in VS Code, we get the dll and the .sys file (2x), but no inf or cat files to install the driver. In addition, the .dll does not seem to have an entry point. Could you clarify the installation process please?

    Also, do you need the C&C to use the rootkit, or can you run it locally?

    Thank you! This is a cool project!

    opened by flyingmath776

Owner
Amit Schendel