/Black-Angel-Rootkit

Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.

Primary LanguageC++GNU General Public License v3.0GPL-3.0

Black Angel Rootkit


Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.

Designed for Red Teams.


Rootkit Features

Rootkit can be loaded with kdmapper to bypass DSE, Black Angel Loader may not be working properly yet. Project driver-hijack is used to maintain full driver functionality such as callback support.

  • DSE Bypass (No need to turn test signing on)
  • KPP Bypass
  • Hide processes
  • Hide ports (TCP/UDP)
  • Process permission elevation
  • Process protection
  • Shellcode injector (Unkillable shellcode. Even if process dies, shellcode can still run)
  • (TODO) Hide files/directories
  • (TODO) Hide registry keys

Implementation

You can easily implement rootkit calls by copying and pasting BlackAngel header file into your project.

Demonstration

You can find rootkit demonstration on my channel

Additional Info

  • Remember to change ACTIVE_PROCESS_LINKS offset corresponding to your Windows versions. Current offset has been tested on Windows 10/11 Pro 21H2.
  • There may still be stability issues!
  • KM shellcode injector is OP. If you inject shellcode into protected process, no antivirus will remove it >:D Simple shellcodes such as Metasploit shell_reverse_tcp are able to work even if process is terminated.

Resources: