
User Mode Windows Rootkit

Primary language: C++

S12URootkit

User Mode Windows Rootkit able to hide processes, files, directories, registry keys and registry values.

Undetectable at the moment by Windows Defender and BitDefender Free Version antivirus.

[ ! ] You need Administrator privileges!

[ ! ] Before running commands that hide values: if this binary has never been executed on the victim machine, first run UserModeR00tkit.exe without any command arguments.

Usage

The first time the tool is executed on a machine it automatically creates its persistence and everything the following scenarios need. Before you start hiding values with the rootkit commands, you therefore have to run UserModeR00tkit.exe once without any command arguments.

Commands (as Administrator):

  • UserModeR00tkit.exe

  • UserModeR00tkit.exe ... hide ...

(replace the ... with the values you want)

Article

https://medium.com/@s12deff/user-mode-windows-rootkit-98e4eada4949

Hide Files & Directories Video

https://youtu.be/CJ7oBdPjSvQ

Hide Process Video

[ ! ] In the video only one process could be hidden; this was due to a bug, which is now fixed, and you can hide as many as you want!

https://youtu.be/6yCC_IIjWTI

Hide Registry Video

https://www.youtube.com/watch?v=AhS1ofR_pJc

Features

Process:

  • Hide Processes in Task Manager

Files & Directories:

  • Hide Files & Directories in File Explorer (explorer.exe)

Registry:

  • Hide Registry Keys and Values in regedit.exe


Commands

Process:

  • rootkit.exe process hide processname.exe

Path:

  • rootkit.exe path hide C:\Users\Public\Music

Registry:

  • rootkit.exe registry hide valuetohide
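A defender-side check that follows from the Features section above: the rootkit hides objects from specific viewer processes (Task Manager, explorer.exe, regedit.exe), so enumerating the same processes, directory entries and registry values through several independent paths and diffing the results exposes whatever one view is missing. The script below is an added example written for this page, not code from S12URootkit; it assumes Windows PowerShell 5.1 or later running as Administrator, and the default directory and registry key are constructed sample targets to replace with the ones you want to audit.

```powershell
# Added example, not part of S12URootkit: cross-view enumeration to surface
# objects hidden from hooked viewers. Lists the same objects through several
# independent enumerators (this PowerShell process, the WMI provider, and the
# separate processes tasklist.exe, cmd.exe and reg.exe) and reports anything
# that at least one of them returned but another did not.
# $Directory and $RegistryKey are constructed sample targets (assumption).
param(
    [string]$Directory   = 'C:\Users\Public\Music',
    [string]$RegistryKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Compare-Views {
    # $Views maps an enumerator name to the identifiers it returned. Any identifier
    # reported by at least one enumerator but absent from another is a finding.
    param([string]$Category, [hashtable]$Views)
    $all = @($Views.Values | ForEach-Object { $_ } | Sort-Object -Unique)
    foreach ($item in $all) {
        $missing = @($Views.Keys | Where-Object { $Views[$_] -notcontains $item })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{ Category = $Category; Object = $item; MissingFrom = ($missing -join ', ') }
        }
    }
}

# --- Processes: compared by PID because the three sources format names differently.
# Short-lived processes may start or exit between snapshots; re-run to confirm a hit.
$wmiProcs = Get-CimInstance Win32_Process
$procViews = @{
    'Get-Process' = @(Get-Process | ForEach-Object { [int]$_.Id })
    'WMI'         = @($wmiProcs | ForEach-Object { [int]$_.ProcessId })
    'tasklist'    = @(tasklist /FO CSV /NH |
                      ConvertFrom-Csv -Header Name,PID,Session,SessNum,Mem |
                      ForEach-Object { [int]$_.PID })
}
$procFindings = Compare-Views -Category 'Process' -Views $procViews | ForEach-Object {
    # Attach the image name from whichever source still sees the PID.
    $name = ($wmiProcs | Where-Object ProcessId -eq $_.Object | Select-Object -First 1).Name
    $_ | Add-Member -NotePropertyName Name -NotePropertyValue $name -PassThru
}

# --- Files and directories: .NET and the provider inside this process vs cmd.exe,
# which runs as its own process and is not one of the hooked viewers.
# -Force / "dir /a" include files with the hidden attribute, which is normal and
# unrelated to rootkit behaviour; only disagreement between views is a finding.
$fileViews = @{
    'Get-ChildItem' = @(Get-ChildItem -LiteralPath $Directory -Force -Name)
    '.NET'          = @([System.IO.Directory]::GetFileSystemEntries($Directory) |
                        ForEach-Object { [System.IO.Path]::GetFileName($_) })
    'cmd dir'       = @(cmd /c "dir /a /b `"$Directory`"")
}

# --- Registry values: the PowerShell registry provider vs reg.exe (separate process).
# Sub-keys are left out for brevity; the same diff applies to Get-ChildItem
# against the key list reg.exe prints after the values.
$regPath = $RegistryKey -replace '^([A-Za-z]+):\\', '$1\'   # HKLM:\... -> HKLM\...
$regViews = @{
    'Registry provider' = @((Get-Item -LiteralPath $RegistryKey).GetValueNames() |
                            Where-Object { $_ -ne '' })
    'reg.exe'           = @(reg query $regPath | ForEach-Object {
                              if ($_ -match '^\s+(.+?)\s+REG_[A-Z_]+(\s|$)') { $Matches[1] }
                          } | Where-Object { $_ -ne '(Default)' })
}

$findings = @($procFindings) +
            @(Compare-Views -Category 'File' -Views $fileViews) +
            @(Compare-Views -Category 'RegistryValue' -Views $regViews)

if ($findings.Count -eq 0) {
    Write-Output 'All enumerators agree; no cross-view discrepancies found.'
} else {
    Write-Output 'Cross-view discrepancies (candidates for hidden objects):'
    $findings | Format-Table -AutoSize
}
```

The comparison is only as strong as the independence of its views: if the viewer you run the script from were itself hooked, the in-process views (Get-Process, Get-ChildItem, the registry provider) would be blind together, which is why the script also pulls the lists from separate processes (tasklist.exe, cmd.exe, reg.exe) and from the WMI provider. A discrepancy is a lead to investigate, not proof on its own; a process that exited between two snapshots produces the same shape of result.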


Detection

Evade Windows Defender:

  • Static Analysis

  • Execution/Dynamic Analysis: not detected at execution time (4/1/2024); detected after restart.

Evade Classic AV (BitDefender Free Version):

  • Static Analysis

  • Execution/Dynamic Analysis: not detected at execution time (4/1/2024).