Giters

drotha2 / Banshee

Experimental Windows x64 Kernel Driver/Rootkit.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Banshee

Banshee

Learning about Windows rootkits lately, so here is my own implementation of some techniques. For an overview, see Features below.

This is not ready to use as the code is bad and I am just learning about kernel driver development, so this is for educational purposes mainly.

What is a Rootkit?

http://phrack.org/issues/55/5.html

Usage

You can integrate Banshee into your tooling, by including the Banshee.hpp file in your project, e.g.:

Banshee banshee = Banshee();
banshee.Install(driverPath);
banshee.Initialize();

int targetPid = GetDefenderPID();    // this would be your implementation
banshee.IoCtlKillProcess(targetPid); // instruct banshee to kill the targetprocess

An example implementation of all the features in a command line client is found in ./BansheeClient/BansheeClient.cpp.

Testing & debugging the driver

You need to enable testsigning to load the driver. I also recommend to enable debugging for the kernel.

Run the following from an administrative prompt and reboot afterwards:

bcdedit /set testsigning on
bcdedit /debug on

Afterwards you can run the client, after compiling the solution, with e.g.:

.\x64\Debug\BansheeClient.exe C:\Users\eversinc33\source\repos\Banshee\x64\Debug\Banshee.sys

Run this in a VM and create a snapshot. You will probably Bluescreen a lot when developing and can corrupt your system. Be warned.

Features

Get in everyone, we're going to Kernel Land!

Kill any process by PID

ZwTerminateProcess is simply called from kernel land to terminate any process.

"Bury" a Process

Terminating processes, but they come back alive? Bury a process to avoid it to restart by setting a kernel callback to process creation.

If the target process is created, Banshee will set the CreationStatus of the target process to STATUS_ACCESS_DENIED.

The match is case insensitive on a substring - e.g. to block defender, run bury with defender, then kill <defender pid> and it won't come back anymore, since all process creation events with defender in the image full path will be blocked.

For this feature, INTEGRITYCHECK has to be specified when linking (https://learn.microsoft.com/en-us/cpp/build/reference/integritycheck-require-signature-check?view=msvc-170).

Change protection level of any process by PID

This is done by modifying the EPROCESS structur, which is an kernel object that describes a processes attributes. It also holds a value that specifies the protection level of the process.

On my machine, that value can be found at offset 0x87a. Since that offset is dynamic, we can dynamically parse it from PspIsProtectedProcessLight instead of hardcoding it (thanks @never_unsealed for the trick):

We can directly modify this value (aka Direct Kernel Object Modification or DKOM), since we are operating in Ring 0.

The values for the different protection levels can be found e.g. in Windows Internals Part 1 (page 115 in the 7th edition (english)).

Elevate any process token to SYSTEM

EPROCESS also holds a pointer to the current access token, so we can just make it point to e.g. the token of process 4 (SYSTEM) to elevate any process to SYSTEM.

Hide Process by PID

Again, EPROCESS comes to help here - it contains a LIST_ENTRY of a doubly linked list called ActiveProcessLink which is queried by Windows to enumerate running processes. If we simply unlink an entry here, we can hide our process from tools like Process Monitor or Task Manager.

  • This can cause Bluescreens, e.g. when the process is closed while being hidden or due to patchguard scanning the kernel memory.

Enumerating kernel callbacks

For now, only Process-Creation kernel callbacks are enumerated, by parsing the PsSetCreateNotifyProcess routine to reach the private Psp* routine and then parsing the address of the array, where kernel callbacks are stored. This is WIP code.

TODO

Credits

About

Experimental Windows x64 Kernel Driver/Rootkit.

Languages

Language:C++ 100.0%