Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ZeroMemoryEx/Chaos-Rootkit
Now You See Me, Now You Don't
https://github.com/ZeroMemoryEx/Chaos-Rootkit
driver kernel malware-development rootkit
Last synced: 3 months ago
JSON representation
Now You See Me, Now You Don't
- Host: GitHub
- URL: https://github.com/ZeroMemoryEx/Chaos-Rootkit
- Owner: ZeroMemoryEx
- Created: 2023-03-24T17:22:00.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2024-03-03T15:32:50.000Z (9 months ago)
- Last Synced: 2024-03-03T16:38:08.666Z (9 months ago)
- Topics: driver, kernel, malware-development, rootkit
- Language: C++
- Homepage:
- Size: 2.3 MB
- Stars: 630
- Watchers: 19
- Forks: 108
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - ZeroMemoryEx/Chaos-Rootkit - Now You See Me, Now You Don't (C++)
README
# Chaos-Rootkit
* Chaos-Rootkit is a x64 Ring 0 rootkit with capabilities for process hiding, privilege escalation, protecting and unprotecting processes, and restricting access to files except for whitelisted processes. It can bypass file integrity checks and protect it against anti-malware, working seamlessly on the latest Windows versions.
* Gui version
# Features
* Hide process: This feature allows you to hide processes from listing tools via DKOM.
* Elevate specific process privileges : This feature enables you to elevate specific processes privilege .
* Restrict file access for user-mode applications except for the provided process ID
* Spawn elevated process: launch command prompt with elevated privileges .
* Bypass the file integrity check and protect it against anti-malware : this work by redirecting file operations to a legitimate file, making our file appear authentic and signed with a valid certificate also if an anti-malware attempting to scan it, the rootkit will immediately kill the anti-malware process.
* Unprotect all processes
* Protect a specific process with any given protection level (WinSystem, WinTcb, Windows, Authenticode, Lsa, Antimalware) .
# Note
* The console client is no longer maintained. Use the GUI instead.
# to-do
* More code cleaning
* handling data races.
* a check for critical process before shutting it down
# Technical Details
* First, we locate the `ActiveProcessLinks`, which is a pointer to the `PLIST_ENTRY` structure. In our case, the `ActiveProcessLinks` pointer is located at offset `0x448` within the `EPROCESS` structure. It is important to note that this offset may vary across different windows versions .
| x64 | | x86 | |
| --- | --- | --- | --- |
| 0xE0 | (late 5.2) | 0xB4 | (3.10) |
| 0xE8 | (6.0) | 0x98 | (3.50 to 4.0) |
| 0x0188 | (6.1) | 0xA0 | (5.0) |
| 0x02E8 | (6.2 to 6.3) | 0x88 | (5.1 to early 5.2) |
| 0x02F0 | (10.0 to 1607)| 0x98 | (late 5.2) |
| 0x02E8 | (1703 to 1809)| 0xA0 | (6.0) |
| 0x02F0 | (1903) | 0xB8 | (6.1 to 1903) |
| 0x0448 | | 0xE8 | |
* The `PLIST_ENTRY` structure is a doubly linked list structure . It contains two members, `Blink` and `Flink`, which are pointers to the previous and next entries in the list, respectively, These pointers allow for efficient traversal of the linked list in both directions.
* The flink member resides in offset `0x0` and the blink member resides in offset `0x8`. The flink address `0xffff9c8b\071e3488` points to the next process node, while the blink address `0xfffff805\5121e0a0` points to the previous process node
* a diagram represents the `PLIST_ENTRY` structure.
* To hide our chosen process in a listing tool, we can use a technique where we modify the flink and blink pointers of the adjacent process nodes to point to each other, effectively removing our process from the linked list. Specifically, we make the next process node's blink pointer point to the previous node, and the previous process node's flink pointer point to the next node. This makes our process appear invisible in the listing tool's view of the linked list of processes
* Note: After removing the node from `PLIST_ENTRY` structure, it is important to set the corresponding pointer to NULL, Otherwise, when attempting to close the process, the PLIST_ENTRY structure will get sent to the `PspDeleteProcess` API to free all its resources, after the API does not find the process in the structure, it will suspect that the process has already been freed, resulting in a Blue Screen of Death (BSOD), as shown below .
## Elevate process privileges
* When a process is created, it inherits the token of the user who created it, The token is used by the system to determine what actions the process can perform, The token contains information about the user's security identifier (SID), group memberships, and privileges.
* The Token member resides at offset `0x4b8` in the `_EPROCESS` structure, which is a data structure that represents a process object. The Token member is defined in `EX_FAST_REF` structure, which is a union type that can store either a pointer to a kernel object or a reference count, depending on the size of the pointer , The offset of the `_EX_FAST_REF` structure within `_EPROCESS` depends on the specific version of Windows being used, but it is typically located at an offset of `0x4b8` in recent versions of Windows..
* Windows Build Number token Offsets for x64 and x86 Architectures
| x64 offsets | x86 offsets |
| --------------| ------------------ |
| 0x0160 (late 5.2) | 0x0150 (3.10) |
| 0x0168 (6.0) | 0x0108 (3.50 to 4.0) |
| 0x0208 (6.1) | 0x012C (5.0) |
| 0x0348 (6.2 to 6.3) | 0xC8 (5.1 to early 5.2) |
| 0x0358 (10.0 to 1809) | 0xD8 (late 5.2) |
| 0x0360 (1903) | 0xE0 (6.0) |
| 0x04B8 | 0xF8 (6.1) |
| | 0xEC (6.2 to 6.3) |
| | 0xF4 (10.0 to 1607) |
| | 0xFC (1703 to 1903) |
| | 0x012C |
* The `_EX_FAST_REF` structure in Windows contains three members: `Object` and `RefCount` and `Value`
* You can either spawn a privileged process or elevate an already existing process ID.
* For the sake of this explanation, we will focus on the second option and use CMD as an example
* CMD inherited Token
* we send the Process ID to the driver through an IOCTL
* after the driver receives the PID from the user mode application, it uses it to obtain a pointer to the `_EPROCESS` structure for the target process. The driver then accesses the Token member of the `_EPROCESS` structure to obtain a pointer to the process token, which it replaces with the system token, effectively changing the security context of the process to that of the system. However, if the driver does not correctly locate the Token member within the `_EPROCESS` structure or if the offset of the Token is other than `0x4b8` , the driver may crash the system or the target process ,this problem will be fixed in the next updates .
* cmd token after
* the process privileges, groups, rights
