{"id":49519122,"url":"https://github.com/XaFF-XaFF/Black-Angel-Rootkit","last_synced_at":"2026-06-20T19:00:47.433Z","repository":{"id":144620597,"uuid":"615739360","full_name":"XaFF-XaFF/Black-Angel-Rootkit","owner":"XaFF-XaFF","description":"Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.","archived":false,"fork":false,"pushed_at":"2023-11-09T14:16:24.000Z","size":177,"stargazers_count":640,"open_issues_count":1,"forks_count":110,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-05-24T14:22:54.231Z","etag":null,"topics":["ring0","rootkit","windows","x64"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/XaFF-XaFF.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"License","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-03-18T14:42:13.000Z","updated_at":"2025-05-23T07:36:16.000Z","dependencies_parsed_at":"2023-11-09T15:29:20.627Z","dependency_job_id":"a654c769-738c-46d4-9e7c-08a08ef3b98c","html_url":"https://github.com/XaFF-XaFF/Black-Angel-Rootkit","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/XaFF-XaFF/Black-Angel-Rootkit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XaFF-XaFF%2FBlack-Angel-Rootkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XaFF-XaFF%2FBlack-Angel-Rootkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XaFF-XaFF%2FBlack-Angel-Rootkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XaFF-XaFF%2FBlack-Angel-Rootkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/XaFF-XaFF","download_url":"https://codeload.github.com/XaFF-XaFF/Black-Angel-Rootkit/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XaFF-XaFF%2FBlack-Angel-Rootkit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34581934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-20T02:00:06.407Z","response_time":98,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ring0","rootkit","windows","x64"],"created_at":"2026-05-01T23:01:10.348Z","updated_at":"2026-06-20T19:00:47.424Z","avatar_url":"https://github.com/XaFF-XaFF.png","language":"C++","funding_links":[],"categories":["***Rootkits***"],"sub_categories":["***Source Code***"],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003eBlack Angel Rootkit\u003c/h1\u003e\n  \u003cbr/\u003e\n\n  \u003cp\u003eBlack Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.\u003c/p\u003e\n  \u003cp\u003eDesigned for Red Teams.\u003c/p\u003e\n  \u003cbr /\u003e\n\u003c/div\u003e\n\n\n## Rootkit Features\nRootkit can be loaded with [kdmapper](https://github.com/TheCruZ/kdmapper) to bypass DSE, Black Angel Loader may not be working properly yet. Project [driver-hijack](https://github.com/not-wlan/driver-hijack) is used to maintain full driver functionality such as callback support.\n- DSE Bypass (No need to turn test signing on)\n- ~~KPP Bypass~~ \n- Hide processes\n- Hide ports (TCP/UDP)\n- Process permission elevation\n- Process protection\n- Shellcode injector (Unkillable shellcode. Even if process dies, shellcode can still run)\n- (TODO) Hide files/directories\n- (TODO) Hide registry keys\n\n## Implementation\nYou can easily implement rootkit calls by copying and pasting [BlackAngel header](https://github.com/XaFF-XaFF/Black-Angel-Rootkit/blob/master/Black%20Angel%20Client/BlackAngel.hpp) file into your project.\n\n## Demonstration\nYou can find rootkit demonstration on my [channel](https://www.youtube.com/watch?v=YN5A-d0iljI)\n\n## Additional Info\n- Remember to change [ACTIVE_PROCESS_LINKS](https://github.com/XaFF-XaFF/Black-Angel-Rootkit/blob/f4a5c762ae864b7395a6a03b8d46fdeda6a8bb25/Black%20Angel%20Rootkit/rootkit.hpp#L7) offset corresponding to your Windows versions. Current offset has been tested on Windows 10/11 Pro 21H2.\n- There may still be stability issues!\n- KM shellcode injector is OP. If you inject shellcode into protected process, no antivirus will remove it \u003e:D Simple shellcodes such as Metasploit shell_reverse_tcp are able to work even if process is terminated.\n\n## Resources:\n- [kdmapper](https://github.com/TheCruZ/kdmapper)\n- [driver-hijack](https://github.com/not-wlan/driver-hijack)\n- [Cronos-Rootkit](https://github.com/XaFF-XaFF/Cronos-Rootkit)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FXaFF-XaFF%2FBlack-Angel-Rootkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FXaFF-XaFF%2FBlack-Angel-Rootkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FXaFF-XaFF%2FBlack-Angel-Rootkit/lists"}