Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/x0prc/glowrk

A Proof-of-Concept Project prepared for Rootkit Analysis
https://github.com/x0prc/glowrk

analysis rootkit rootkit-kernel rootkits

Last synced: about 20 hours ago
JSON representation

A Proof-of-Concept Project prepared for Rootkit Analysis

Host: GitHub
URL: https://github.com/x0prc/glowrk
Owner: x0prc
License: gpl-3.0
Created: 2024-10-10T16:34:42.000Z (about 1 month ago)
Default Branch: main
Last Pushed: 2024-10-17T09:12:15.000Z (about 1 month ago)
Last Synced: 2024-10-19T12:15:19.734Z (about 1 month ago)
Topics: analysis, rootkit, rootkit-kernel, rootkits
Language: Python
Homepage:
Size: 229 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

![A](https://github.com/user-attachments/assets/f90e7e50-df29-48be-8f8b-c2bdf93585bc)
# GlowRK - x64 Rootkit Analysis - PoC

## Motivation
This Proof-of-Concept Project is prepared to explain the working of a Rootkit and Detecting it on a system. There are various methods and tools used along with a comfortable interface to test out various situations.
It detects potential rootkits by examining various system components such as the Interrupt Descriptor Table (IDT), System Service Descriptor Table (SSDT), Import Address Table (IAT), and performs integrity checks on critical system files.

## Features
- Upload memory dump files for analysis.
- Detect modifications in IDT, SSDT, and IAT.
- Perform integrity checks on system files.
- View detailed analysis results in an intuitive dashboard.

## Prerequisites
Before you begin, ensure you have met the following requirements:
- [Node.js](https://nodejs.org/) (LTS version recommended)
- [Python](https://www.python.org/) (for running the analysis engine)
- [Volatility Framework](https://github.com/volatilityfoundation/volatility) (installed and accessible)

## Methods
- Memory Dumps
- Crash Dumps
- Raw Dumps
- vmem. (Created by VMWare)
- hiberfil.sys (During Hibernation)
- Signature Based
- Interception Detection
- IDT (Interrupt Descriptor Table)
- SSDT (System Service Descriptor Table)
- IAT (Import Address Table)
- Integrity Check
- Via WinDbg (Debugger)

## Tools Used
- [chkrootkit](https://www.chkrootkit.org/)
- [rkhunter](https://rkhunter.sourceforge.net/)
- [AIDE](https://aide.github.io/doc/)
- Unusual .pcapng files

## Replacement Notes
- In [src/memory_analysis.py](https://github.com/x0prc/GlowRK/src/memory_analysis.py) `path/to/memdump.mem` and `Win7SP1x64` with your actual memory dump file path and operating system profile.

## Installation
`pip install flask`
`npm install`

## Usage
- Python `main.py`
- `npm start`
- `npm run build`
- Upload Memory Dump:
- Once the application is running, you will see the dashboard.
- Click on Upload Memory Dump to select and upload a memory dump file from your system.

- Analyze Results:
- After uploading, the application will analyze the memory dump for potential rootkits.
- Navigate to Analysis Results to view detailed results of the analysis.

- Review Logs:
- You can check logs in the reports/logs directory for any errors or actions taken during analysis.

## Contributing
- Contributions are welcome! If you have suggestions or improvements, please fork the repository and submit a pull request.
- Fork the project.
- Create your feature branch (git checkout -b feature/AmazingFeature).
- Commit your changes (git commit -m 'Add some AmazingFeature').
- Push to the branch (git push origin feature/AmazingFeature).
- Open a pull request.

## License
This project is licensed under the MIT License - see the LICENSE file for details.