{"id":15043203,"url":"https://github.com/0xbekoo/malware-resurrection","last_synced_at":"2025-06-17T03:07:11.327Z","repository":{"id":256040028,"uuid":"853965852","full_name":"0xbekoo/Malware-Resurrection","owner":"0xbekoo","description":"This project enables malware to resurrect and remain hidden even after termination, using a User-Mode Program and Kernel-Mode Driver as part of the Malware Resurrection technique.","archived":false,"fork":false,"pushed_at":"2025-01-07T12:31:05.000Z","size":124,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-17T03:07:08.603Z","etag":null,"topics":["executable","kernel","kernel-driver","malware","malware-resurrection","resurrection","windows"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xbekoo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-09-08T03:08:29.000Z","updated_at":"2025-03-06T08:41:04.000Z","dependencies_parsed_at":"2024-09-08T18:00:22.766Z","dependency_job_id":"6b5d7029-0cb2-40a8-adaa-c83f8e0085bf","html_url":"https://github.com/0xbekoo/Malware-Resurrection","commit_stats":{"total_commits":13,"total_committers":2,"mean_commits":6.5,"dds":"0.46153846153846156","last_synced_commit":"ee58c3f5668b9c37a6656f991a976c134c40975b"},"previous_names":["0xbekoo/malware-resurrection"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/0xbekoo/Malware-Resurrection","repository_url":"https://repos.ecosyste.ms/api/v1
/hosts/GitHub/repositories/0xbekoo%2FMalware-Resurrection","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FMalware-Resurrection/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FMalware-Resurrection/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FMalware-Resurrection/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xbekoo","download_url":"https://codeload.github.com/0xbekoo/Malware-Resurrection/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbekoo%2FMalware-Resurrection/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260281568,"owners_count":22985629,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["executable","kernel","kernel-driver","malware","malware-resurrection","resurrection","windows"],"created_at":"2024-09-24T20:48:41.764Z","updated_at":"2025-06-17T03:07:11.290Z","avatar_url":"https://github.com/0xbekoo.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Malware Resurrection\n\nIn this project, we will take a look at the technique used to resurrect a malware in case it is deleted or removed from the system. 
This approach focuses on ensuring the persistence of malware by applying methods that allow the malware to automatically resurrect and re-establish itself even after it has been terminated.\n\n\u003e [!Warning]\n\u003e Please note that the content of this repository is intended for educational purposes only. I do not endorse or encourage any illegal activities. The techniques and methods demonstrated here should not be used for malicious purposes or in any unauthorized scenarios. \n\n## 📁Project\n\nThe application I've developed is designed to ensure that malware remains active and concealed within a system, utilizing both user-mode and kernel-mode components. This dual approach enables the application to persistently hide and relaunch malware, while evading detection from standard system tools.\n\n### 1. Usermode Program\n\nThe primary function of the user-mode program is to monitor and maintain the presence of the malware. If it detects that the malware has been terminated or removed, it springs into action. The user-mode program communicates with the kernel-mode driver to facilitate the reinstallation and concealment of the malware.\n\n### 2. Kernel-Mode Driver\n\nUpon instruction from the user-mode program, the driver creates a hidden directory on the system, typically within a critical location such as C:\\Windows\\System32. This directory is used to store the malware executable in a manner that is difficult for standard file explorers or system administrators to detect.\n\n### Workflow\n- **Monitoring and Recovery:** The user-mode program continuously listens for the presence of the malware process. If the process is terminated for any reason, the program alerts the driver.\n\n- **Hidden File Creation:** The kernel-mode driver responds by creating a hidden file path within the specified directory. 
This ensures that the new malware file is hidden at the OS level before it is even downloaded.\n\n- **Malware Restoration:** Once the file path is in place, the user-mode program downloads the malware to the hidden directory and immediately spawns a new process for it.\n\n- **Process Concealment (DKOM Attack):** To keep the malware from being noticed, the user-mode program passes the Process ID (PID) of the newly created malware process to the driver. The driver then uses Direct Kernel Object Manipulation (DKOM) to unlink the malware’s process from the kernel’s process list, so it no longer appears in Task Manager or in other tools that enumerate processes by walking that list. Note that the process keeps running and can still be reached by its PID, because the kernel resolves a PID through its CID handle table rather than through that list.\n\n- **Restricting Permissions:** The driver changes the permissions of the hidden file so that nothing can interfere with it once it has been hidden. After this change:\n  - File Deletion: Users get an \"Access Denied\" error if they attempt to delete the hidden file.\n  - Executable Execution: Users also get an \"Access Denied\" error if they try to run the hidden executable.\n\n## :heavy_exclamation_mark:Important Considerations Before Running the Project\n\n\u003e [!Important]\n\u003e To run this project successfully, you need to execute it on a Windows system in Test Mode (`bcdedit /set testsigning on`, then reboot). Test Mode lets the kernel load drivers signed with a test certificate, such as the one the WDK build applies to the .sys, instead of requiring a Microsoft-trusted signature; without it the kernel-mode component will not load. Additionally, it is highly recommended to use WinDbg for debugging and closely inspecting the results.\n\nAssuming you have access to development tools such as Visual Studio and the Windows Driver Kit (WDK), you will need to compile the driver and user-mode program yourself. 
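Two checks worth running in the lab VM, added here as an example and not part of the project's own code: before starting, confirm the VM really is in Test Mode; after the user-mode program has asked the driver to hide the test process, confirm the hide from a second vantage point. The second function compares the process list that Task Manager and `Get-Process` rely on against a brute-force `OpenProcess` over every possible PID. A process unlinked by DKOM as described in the Workflow above disappears from the first view but still opens by PID, because the kernel resolves PIDs through its CID handle table, not the linked list. The `Lab.Native` type name, the function names and the `$MaxPid` range are assumptions of this example, and the Test Mode check assumes English-language bcdedit output.

```powershell
# Added example (not project code): lab checks for Test Mode and for DKOM-hidden processes.
# Run from an elevated PowerShell prompt inside the test VM.

function Test-TestSigningEnabled {
    # bcdedit needs elevation. '{current}' is quoted so PowerShell does not
    # treat the braces as a script block. Assumes English output ("testsigning Yes").
    $lines = & bcdedit /enum '{current}' 2>&1
    return [bool]($lines | Where-Object { $_ -match '^\s*testsigning\s+Yes\s*$' })
}

# Minimal P/Invoke surface; Lab.Native is a name chosen for this example.
Add-Type -Namespace Lab -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool QueryFullProcessImageName(IntPtr hProcess, uint dwFlags, System.Text.StringBuilder lpExeName, ref uint lpdwSize);
'@

function Find-HiddenProcess {
    [CmdletBinding()]
    param(
        # PIDs are multiples of 4; 65536 covers a typical lab VM, raise it on busy hosts.
        [int]$MaxPid = 65536
    )
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5

    # View 1: the same enumeration Task Manager uses (NtQuerySystemInformation,
    # which walks the kernel's process list). An unlinked process is missing here.
    $listed = @{}
    foreach ($p in Get-Process) { $listed[$p.Id] = $true }

    # View 2: ask the kernel for each PID directly. OpenProcess resolves the PID
    # through the CID table, so an unlinked-but-running process still answers.
    $hits = @()
    for ($candidate = 4; $candidate -lt $MaxPid; $candidate += 4) {
        $h = [Lab.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $image = '<unavailable>'
        if ($h -eq [IntPtr]::Zero) {
            # Access denied still proves the PID is live; any other error means no such process
            # (a thread ID, for instance, fails with ERROR_INVALID_PARAMETER).
            if ($err -ne $ERROR_ACCESS_DENIED) { continue }
        } else {
            $sb = New-Object System.Text.StringBuilder 1024
            [uint32]$size = $sb.Capacity
            if ([Lab.Native]::QueryFullProcessImageName($h, 0, $sb, [ref]$size)) { $image = $sb.ToString() }
            [void][Lab.Native]::CloseHandle($h)
        }
        if ($listed.ContainsKey($candidate)) { continue }
        # A process started after the snapshot looks the same as a hidden one;
        # re-query the list view once so only a persistently absent PID is reported.
        if (Get-Process -Id $candidate -ErrorAction SilentlyContinue) { continue }
        $hits += [pscustomobject]@{ Pid = $candidate; Image = $image }
    }
    return $hits
}

# Usage in the VM:
#   Test-TestSigningEnabled              # expect True before loading the driver
#   Find-HiddenProcess | Format-Table    # after the hide, expect the stand-in process (e.g. mspaint.exe)
```

The brute-force view is deliberately cheap: `PROCESS_QUERY_LIMITED_INFORMATION` is granted even on protected processes, so a non-zero handle or an access-denied result both count as "this PID exists". A hit that also carries an image path in `C:\Windows\System32` with a name you did not put there is exactly the artifact the Hidden File Creation and Process Concealment steps above produce. Memory forensics tools reach the same conclusion by scanning for process objects instead of walking the list, which is why DKOM unlinking is a weak hide against anything that does not trust the list.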
Note that I will not be providing any files with .exe or .sys extensions.\n\nLook at both the driver code and the user-mode program code; the following variables are the ones you need to adjust:\n\n### User-mode Program\n\nIn the user-mode program code, you will find the following important variables:\n\n```c\nCHAR ExecutablePath[0x80] = \"C:\\\\Windows\\\\System32\";\nCHAR ExecutableName[0x80] = \"malwarename.exe\";\nCHAR ExecutableUrl[0x80] = \"https://url\";\n```\n\n### Kernel-mode Driver\n\nIn the kernel-mode driver code, you will encounter:\n\n```c\nUNICODE_STRING G_ExecutablePath = RTL_CONSTANT_STRING(L\"\\\\??\\\\C:\\\\Windows\\\\System32\\\\\");\n```\n\n### Editing and Compiling Instructions\n\n#### User-Mode Program\n\n- **ExecutablePath:** Do not add a trailing backslash (\\\\) at the end of the path.\n- **ExecutableName:** Specify the name of the executable file you intend to use.\n- **ExecutableUrl:** Provide the URL from which the executable will be downloaded.\n\n#### Kernel-Mode Driver\n\n- **ExecutablePath:** Keep the \\\\??\\\\ prefix: kernel-mode file APIs take NT object-manager paths, and a plain Win32 drive-letter path will not resolve without it. Note that, unlike the user-mode value, the sample above ends with a trailing backslash; keep the string in the form the driver source uses, because the driver builds the hidden file path from it.\n  \nFeel free to modify these values according to your needs. Make sure that paths and URLs are correctly formatted to avoid problems during compilation and execution.\n\n\u003cbr/\u003e\n\nOnce you have everything set up, follow these steps to install and run the driver within a virtual machine:\n\n- **Install the Driver:** Open a command prompt with administrative privileges and execute the following commands (sc.exe requires a space after each `=`, and binPath must be the full path to the compiled .sys):\n\n```\nsc create resurrection type= kernel binPath= \"C:\\path\\to\\sys\" start= demand\nsc start resurrection\n```\n\nThis creates and starts the driver service. The driver then idles until the user-mode program sends it IOCTL requests.\n\n- **Run the User-Mode Program:** Run the user-mode program with the PID of a throwaway process standing in for the malware, for example Paint or Notepad. 
Use the following command to run the user-mode program:\n\n```\n.\\program.exe \u003cPID\u003e\n```\nReplace \u003cPID\u003e with the actual process ID of the target application.\n\n- **Observe the Output:** After starting the user-mode program, close the application you used as an example (e.g., paint or notepad). Check the output of the user-mode program to observe the results of the interaction with the driver.\n\n## 💝 Acknowledgements\n\nA special thank you to \u003ca href=\"https://github.com/S12cybersecurity\"\u003eS12 H4CK\u003c/a\u003e, whose remarkable work in the field of malware development has been a tremendous source of knowledge and inspiration. His article on Malware Resurrection laid the foundation for my understanding of this technique, and without the information he shared, this project would not have been realized.\n\nHe has also written an \u003ca href=\"https://medium.com/@s12deff/kernel-land-malware-resurrection-279b84b033ba\"\u003earticle about this project\u003c/a\u003e. For this I am very grateful and thank him very much.\n\nYou can check out \u003ca href=\"https://medium.com/@s12deff/malware-resurrection-cf5de2f27034\"\u003ehis article\u003c/a\u003e on this technique to explore it further and deepen your understanding.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xbekoo%2Fmalware-resurrection","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xbekoo%2Fmalware-resurrection","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xbekoo%2Fmalware-resurrection/lists"}