Lucene search

KitPloitKITPLOIT:4750298956007211211

HistoryApr 18, 2024 - 12:30 p.m.

VectorKernel - PoCs For Kernelmode Rootkit Techniques Research

2024-04-1812:30:00

www.kitploit.com

windows

kernelmode

rootkit

research

windows 11

poc

driver loading

process blocking

privilege escalation

process manipulation

dll injection

driver hiding

token stealing

windows kernel programming

reverse engineering

7.6 High

AI Score

Confidence

Low

JSON

PoCs for Kernelmode rootkit techniques research or education. Currently focusing on Windows OS. All modules support 64bit OS only.

> NOTE
>
> Some modules use ExAllocatePool2 API to allocate kernel pool memory. ExAllocatePool2 API is not supported in OSes older than Windows 10 Version 2004. If you want to test the modules in old OSes, replace ExAllocatePool2 API with ExAllocatePoolWithTag API.

Environment

All modules are tested in Windows 11 x64. To test drivers, following options can be used for the testing machine:

Enable Loading of Test Signed Drivers
debugging-in-windbg–cdb–or-ntsd">Setting Up Kernel-Mode Debugging

Each options require to disable secure boot.

Modules

Detailed information is given in README.md in each project’s directories. All modules are tested in Windows 11.

Module Name	Description
BlockImageLoad	PoCs to block driver loading with Load Image Notify Callback method.
BlockNewProc	PoCs to block new process with Process Notify Callback method.
CreateToken	PoCs to get full privileged SYSTEM token with `ZwCreateToken()` API.
DropProcAccess	PoCs to drop process handle access with Object Notify Callback.
GetFullPrivs	PoCs to get full privileges with DKOM method.
GetProcHandle	PoCs to get full access process handle from kernelmode.
InjectLibrary	PoCs to perform DLL injection with Kernel APC Injection method.
ModHide	PoCs to hide loaded kernel drivers with DKOM method.
ProcHide	PoCs to hide process with DKOM method.
ProcProtect	PoCs to manipulate Protected Process.
QueryModule	PoCs to perform retrieving kernel driver loaded address information.
StealToken	PoCs to perform token stealing from kernelmode.

TODO

More PoCs especially about following things will be added later:

Notify callback
Filesystem mini-filter
Network mini-filter

Recommended References

Pavel Yosifovich, Windows Kernel Programming, 2nd Edition (Independently published, 2023)
Reversing-<a href=" https:=“” title=“Obfuscation”>Obfuscation/dp/1502489309">Bruce Dang, Alexandre Gazet, Elias Bachaalany, and Sébastien Josse, Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation (Wiley Publishing, 2014)
Greg Hoglund, and Jamie Butler, Rootkits : Subverting the Windows Kernel (Addison-Wesley Professional, 2005)
Evasion-Corners/dp/144962636X">Bill Blunden, The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition (Jones & Bartlett Learning, 2012)
Pavel Yosifovich, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, 7th Edition (Microsoft Press, 2017)
Andrea Allievi, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, Windows Internals, Part 2, 7th Edition (Microsoft Press, 2021)
Matt Hand, Evading EDR - The Definitive Guide to Defeating Endpoint Detection Systems (No Starch Press, 2023)

Download VectorKernel

References

github.com/daem0nc0re/BlockImageLoad/

github.com/daem0nc0re/BlockNewProc/

github.com/daem0nc0re/CreateToken/

github.com/daem0nc0re/DropProcAccess/

github.com/daem0nc0re/GetFullPrivs/

github.com/daem0nc0re/GetProcHandle/

github.com/daem0nc0re/InjectLibrary/

github.com/daem0nc0re/ModHide/

github.com/daem0nc0re/ProcHide/

github.com/daem0nc0re/ProcProtect/

github.com/daem0nc0re/QueryModule/

github.com/daem0nc0re/StealToken/

github.com/daem0nc0re/VectorKernel

7.6 High

AI Score

Confidence

Low

JSON