- Notice
- Legal notice
- Overview
- Features
- Build Instructions
- Setup Instructions
- Upcoming Features
- Credits & References
Warning
This project is under development.
Warning
This project is for educational and research purposes. Malicious use of the software is strictly prohibited and discouraged. I am not responsible for any damage caused by improper use of the software.
This project, called shadow-rs, is designed to create a rootkit in the Windows kernel using the Rust language. The aim is to demonstrate advanced techniques for developing rootkits, taking advantage of the security and performance features of the Rust language.
- Process (Hide / Unhide) β
- Process Signature (PP / PPL) β
- Process Protection (Anti-Kill / Dumping) β
- Elevate Process to System β
- Terminate Process β
- Lists protected and hidden processes currently on the system β
- Thread (Hide / Unhide) β
- Thread Protection (Anti-Kill) β
- Lists protected and hidden threads currently on the system β
- Driver (Hide / Unhide) β
- Enumerate Driver β
- DSE (Enable / Disable) β
- Keylogger (Start / Stop) β
- List / Remove / Restore Callbacks
- PsSetCreateProcessNotifyRoutine β
- PsSetCreateThreadNotifyRoutine β
- PsSetLoadImageNotifyRoutine β
- Enumerate Module β
- Registry Protection (Anti-Deletion e Overwriting) β
- Process Injection (ZwCreateThreadEx) β
- APC Injection β
To build the project, ensure you have the Rust toolchain installed.
To build the driver, first go into the driver
folder, then run the following command:
cargo make default --release
This driver can be manually mapped using kdmapper
, for example, to put the mapping support, use the command:
cargo make default --release --features mapper
To build the client, first go into the client
folder, then run the following command:
cargo build --release
Since some rootkit features are not supported due to manual driver mapping, use the following command to build the client with only the commands that can be performed with manual mapping:
cargo build --release --features mapper
bcdedit /set testsigning on
bcdedit /debug on
bcdedit /dbgsettings net hostip:<IP> port:<PORT>
You can use Service Control Manager or OSR Driver Loader to load your driver.
These are some of the features that will be added, but there are many more on the way
- CmRegisterCallbackEx β
- ObRegisterCallbacks β
- Hide Key and Values β
- Hide Module β
- Hide port β
- Hide File / Directory β
- Anti-Deletion e Overwriting β
- https://leanpub.com/windowskernelprogrammingsecondedition
- https://www.youtube.com/watch?v=t7Rx3crobZU&pp=ugMICgJwdBABGAHKBRBibGFja2hhdCByb290a2l0
- https://github.com/memN0ps/eagle-rs
- https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164
- https://github.com/Idov31/Nidhogg
- https://www.unknowncheats.me/
- https://www.amazon.com.br/Rootkit-Arsenal-Escape-Evasion-Corners/dp/144962636X
- https://github.com/eversinc33/Banshee
- https://synzack.github.io/Blinding-EDR-On-Windows/
- https://github.com/JKornev/hidden
- https://www.amazon.com.br/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319
- https://github.com/mirror/reactos
- https://github.com/Kharos102/ReadWriteDriverSample