PoCs for Kernel-mode rootkit techniques research or education. Currently focusing on Windows OS. All modules support 64bit OS only.

NOTE

Some modules use ExAllocatePool2 API to allocate kernel pool memory. ExAllocatePool2 API is not supported in OSes older than Windows 10 Version 2004. If you want to test the modules in old OSes, replace ExAllocatePool2 API with ExAllocatePoolWithTag API.

Detailed information is given in README.md in each project's directories. All modules are tested in Windows 11.

More PoCs especially about following things will be added later:

• Notify callback
• Filesystem mini-filter
• Network mini-filter

• Pavel Yosifovich, Windows Kernel Programming, 2nd Edition (Independently published, 2023)

• Bruce Dang, Alexandre Gazet, Elias Bachaalany, and Sébastien Josse, Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation (Wiley Publishing, 2014)

• Greg Hoglund, and Jamie Butler, Rootkits : Subverting the Windows Kernel (Addison-Wesley Professional, 2005)

• Bill Blunden, The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition (Jones & Bartlett Learning, 2012)

• Pavel Yosifovich, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, 7th Edition (Microsoft Press, 2017)

• Andrea Allievi, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, Windows Internals, Part 2, 7th Edition (Microsoft Press, 2021)