- Notice
- Legal notice
- Overview
- Features
- Misc
- Build Instructions
- Setup Instructions
- Upcoming Features
- Credits & References
Warning
This project is under development.
Warning
This project is for educational and research purposes. Malicious use of the software is strictly prohibited and discouraged. I am not responsible for any damage caused by improper use of the software.
This project, called shadow-rs, is designed to create a rootkit in the Windows kernel using the Rust language. The aim is to demonstrate advanced techniques for developing rootkits, taking advantage of the security and performance features of the Rust language.
- Process (Hide / Unhide) ✅
- Process Signature (PP / PPL) ✅
- Process Protection (Anti-Kill / Dumping) ✅
- Elevate Process to System ✅
- Terminate Process ✅
- Lists protected and hidden processes currently on the system ✅
- Thread (Hide / Unhide) ✅
- Thread Protection (Anti-Kill) ✅
- Lists protected and hidden threads currently on the system ✅
- Driver (Hide / Unhide) ✅
- Enumerate Driver ✅
- Support for mapping the driver in memory ✅
- DSE (Enable / Disable) ✅
- Keylogger (Start / Stop) ✅
- List / Remove / Restore Callbacks
- PsSetCreateProcessNotifyRoutine ✅
- PsSetCreateThreadNotifyRoutine ✅
- PsSetLoadImageNotifyRoutine ✅
- CmRegisterCallbackEx ✅
- ObRegisterCallbacks (PsProcessType / PsThreadType) ✅
- Listing currently removed callbacks ✅
- Enumerate Module ✅
- Hide Key and Values ✅
- Registry Protection (Anti-Deletion e Overwriting) ✅
- Process Injection - Shellcode (ZwCreateThreadEx) ✅
- APC Injection - Shellcode ✅
- DLL Injection (ZwCreateThreadEx) ✅
The following functionalities are not "features", they are basically techniques that may be of interest to you to explore, understand and apply in the development of your driver.
- Searching for a "Zw" api not exported from
ntoskrnl.exeat runtime. - Reflective Loading.
To build the project, ensure you have the Rust toolchain installed.
To build the driver, first go to the driver folder and then run the following command (When you do the first build you have to be as administrator, but after that you won't need to):
cargo make default --releaseThis driver can be mapped using kdmapper among other exploit tools, for example, to put mapping support, use the command:
cargo make default --release --features mapperTo build the client, first go into the client folder, then run the following command:
cargo build --releaseSince some features of the rootkit are not supported due to the controller mapping, use the following command to build the client with only the commands that can be executed with the mapping:
cargo build --release --features mapperbcdedit /set testsigning on
bcdedit /debug on
bcdedit /dbgsettings net hostip:<IP> port:<PORT>
You can use Service Control Manager or OSR Driver Loader to load your driver.
These are some of the features that will be added, but there are many more on the way
- Hide Module ❌
- Hide port ❌
- Hide File / Directory ❌
- Anti-Deletion e Overwriting ❌
- Minifilters ❌
- WFP ❌
- APC Injection - DLL ❌
- Removing mapped drivers from PiDDBCacheTable ❌
- Removing mapped drivers from MmUnloadedDrivers ❌
- https://leanpub.com/windowskernelprogrammingsecondedition
- https://www.youtube.com/watch?v=t7Rx3crobZU&pp=ugMICgJwdBABGAHKBRBibGFja2hhdCByb290a2l0
- https://github.com/memN0ps/eagle-rs
- https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164
- https://github.com/Idov31/Nidhogg
- https://www.unknowncheats.me/
- https://www.amazon.com.br/Rootkit-Arsenal-Escape-Evasion-Corners/dp/144962636X
- https://github.com/eversinc33/Banshee
- https://synzack.github.io/Blinding-EDR-On-Windows/
- https://github.com/JKornev/hidden
- https://www.amazon.com.br/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319
- https://github.com/mirror/reactos
- https://github.com/Kharos102/ReadWriteDriverSample