{"id":21301786,"url":"https://github.com/daem0nc0re/vectorkernel","last_synced_at":"2025-05-16T10:06:46.682Z","repository":{"id":210827231,"uuid":"722569631","full_name":"daem0nc0re/VectorKernel","owner":"daem0nc0re","description":"PoCs for Kernelmode rootkit techniques research.","archived":false,"fork":false,"pushed_at":"2025-01-21T08:22:42.000Z","size":18323,"stargazers_count":374,"open_issues_count":1,"forks_count":61,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-05-13T10:52:25.020Z","etag":null,"topics":["kernel","rootkit","windows"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/daem0nc0re.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-23T12:36:31.000Z","updated_at":"2025-05-07T05:08:40.000Z","dependencies_parsed_at":"2025-02-24T11:17:53.927Z","dependency_job_id":null,"html_url":"https://github.com/daem0nc0re/VectorKernel","commit_stats":null,"previous_names":["daem0nc0re/vectorkernel"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FVectorKernel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FVectorKernel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FVectorKernel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/daem0nc0re%2FVectorKernel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/daem0nc0re","download_url":"https://codeload.github.com/daem0nc0re/VectorKernel/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254509476,"owners_count":22082891,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kernel","rootkit","windows"],"created_at":"2024-11-21T15:51:30.027Z","updated_at":"2025-05-16T10:06:41.673Z","avatar_url":"https://github.com/daem0nc0re.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# VectorKernel\n\nPoCs for kernel-mode rootkit techniques, for research or education.\nCurrently focusing on Windows.\nAll modules support 64-bit x64 Windows only.\n\n\n## Environment\n\nAll modules are tested on Windows 11 x64.\nTo test the drivers, either of the following options can be used on the test machine:\n\n1. [Enable Loading of Test Signed Drivers](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option)\n\n2. [Setting Up Kernel-Mode Debugging](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-kernel-mode-debugging-in-windbg--cdb--or-ntsd)\n\nBoth options require Secure Boot to be disabled.\n\n\n## Modules\n\nDetailed information is given in the README.md in each project's directory.\nAll modules are tested on Windows 11.\n\n| Module Name | Description |\n| :--- | :--- |\n| [BlockImageLoad](./BlockImageLoad/) | PoCs to block driver loading with the Load Image Notify Callback method. |\n| [BlockNewProc](./BlockNewProc/) | PoCs to block new processes with the Process Notify Callback method. |\n| [CreateToken](./CreateToken/) | PoCs to get a fully privileged SYSTEM token with the `ZwCreateToken()` API. |\n| [DropProcAccess](./DropProcAccess/) | PoCs to drop process handle access with the Object Notify Callback. |\n| [ElevateHandle](./ElevateHandle/) | PoCs to elevate handle access with the DKOM method. |\n| [GetFullPrivs](./GetFullPrivs/) | PoCs to get full privileges with the DKOM method. |\n| [GetKeyStroke](./GetKeyStroke/) | PoCs to log keystrokes with a kernel driver. |\n| [GetProcHandle](./GetProcHandle/) | PoCs to get a full-access process handle from kernel mode. |\n| [InjectLibrary](./InjectLibrary/) | PoCs to perform DLL injection with the Kernel APC Injection method. |\n| [ModHide](./ModHide/) | PoCs to hide loaded kernel drivers with the DKOM method. |\n| [ProcHide](./ProcHide/) | PoCs to hide processes with the DKOM method. |\n| [ProcProtect](./ProcProtect/) | PoCs to manipulate Protected Processes. |\n| [QueryModule](./QueryModule/) | PoCs to retrieve the load address information of kernel drivers. |\n| [StealToken](./StealToken/) | PoCs to perform token stealing from kernel mode. |\n\n\n## TODO\n\nMore PoCs, especially on the following topics, will be added later:\n\n* Notify callback\n* Filesystem mini-filter\n* Network mini-filter\n\n## Recommended References\n\n* [Pavel Yosifovich, **_Windows Kernel Programming, 2nd Edition_** (Independently published, 2023)](https://leanpub.com/windowskernelprogrammingsecondedition)\n\n* [Bruce Dang, Alexandre Gazet, Elias Bachaalany, and Sébastien Josse, **_Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation_** (Wiley Publishing, 2014)](https://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1502489309)\n\n* [Greg Hoglund and Jamie Butler, **_Rootkits: Subverting the Windows Kernel_** (Addison-Wesley Professional, 2005)](https://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319)\n\n* [Bill Blunden, **_The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition_** (Jones \u0026 Bartlett Learning, 2012)](https://www.amazon.com/Rootkit-Arsenal-Escape-Evasion-Corners/dp/144962636X)\n\n* [Pavel Yosifovich, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, **_Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, 7th Edition_** (Microsoft Press, 2017)](https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188)\n\n* [Andrea Allievi, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, **_Windows Internals, Part 2, 7th Edition_** (Microsoft Press, 2021)](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780135462409)\n\n* [Matt Hand, **_Evading EDR - The Definitive Guide to Defeating Endpoint Detection Systems_** (No Starch Press, 2023)](https://nostarch.com/evading-edr)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaem0nc0re%2Fvectorkernel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdaem0nc0re%2Fvectorkernel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdaem0nc0re%2Fvectorkernel/lists"}