
ZwHawk

A kernel rootkit with remote command and control interface for windows

Synopsis

The project is a set of tools that help to achieve remote control of compromised machines while staying undetected, stealthy and persistent.

Motivation

For the curious who want to take a journey into Intel x86, Windows NT, PE executables, the Win32 API, the Native API and Windows kernel drivers.

Getting Started

Dropper, Client and Rootkit are compiled separately.

Prerequisites

What you need

Windows 10 (Main Working Station - Development)
Visual Studio 2017 Community (Platform Toolset - Visual Studio 2015 - Windows XP (v140_xp))
Visual Studio 2008 Pro (SDK & DDK & WDK 7.1.0 (7600.16385.1))
Sysinternals Suite
WinDBG
IDA-Pro
Oracle VM VirtualBox
Windows 7 SP1 (VM | Physical)
Windows XP SP3 (VM | Physical)

Installing

A step-by-step series of examples that tell you how to get a development environment running

Download VS 2017 Community + VS 2008 Pro

https://www.visualstudio.com/downloads/
http://download.microsoft.com/download/8/1/d/81d3f35e-fa03-485b-953b-ff952e402520/VS2008ProEdition90dayTrialENUX1435622.iso

Download DDK + WDK 7.1.0

http://visualddk.sysprogs.org/download/
https://www.microsoft.com/en-us/download/details.aspx?id=11800

Download Sysinternals Suite + WinDbg

https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
https://developer.microsoft.com/en-us/windows/hardware/download-windbg

Download Oracle VM VirtualBox + Windows ISO + IDA-Pro (check the hash of any ISO taken from a third-party mirror before using it)

https://www.virtualbox.org/wiki/Downloads
http://windowsiso.net/
https://www.hex-rays.com/products/ida/support/download.shtml

Example Use

The project is currently split into three main components:

Client - The tool used by the intruder. Class Parser parses user input into the requested operations, class Manual helps the user use the tool, class Server manages victim information and handles a "ping" from every victim to check that it is alive, and class Client generates and sends requests to a specified victim.

Dropper - The executable that runs on the victim machine. The dropper stores the payload (the kernel rootkit) inside itself and handles the loading procedure. Class ClientHandler is responsible for registering the machine with the intruder's server and sending "ping" requests as long as it runs, class DriverHandler takes care of communication between user mode and kernel mode (the rootkit), class RatHandler is responsible for receiving requests from the intruder and executing them, class RegistryHandler is responsible for setting keys in the registry, class ResourceHandler takes care of encapsulating and decapsulating resources (the rootkit), and class ServicesHandler is responsible for communicating with the SCM and registering and loading the kernel driver (the rootkit).

Rootkit - Handles the responsibility of stealth by hooking and by directly modifying kernel objects (direct kernel object manipulation).

There is also a config.json for the Dropper that specifies the intruder's server IP, the name of the dropper file and the name of the kernel driver.
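Registering the driver through the SCM, as the Dropper's ServicesHandler does, leaves a kernel-driver service entry that the SCM (and WMI) can enumerate, and that entry is what a defender looks for. The following PowerShell is an added example written for this page, not code from the ZwHawk project: it lists every kernel-mode driver service, resolves its image path and reports those whose binary is unsigned, test-signed or missing from disk. The function name and output column names are this example's own choice; run it from an elevated session.

```powershell
# Added example, not part of ZwHawk. Enumerate kernel-mode driver services registered
# with the SCM and flag those whose image is not validly signed or cannot be found.
# Requires an elevated PowerShell session.

function Resolve-DriverImagePath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    # Service image paths come in several spellings: \??\C:\..., \SystemRoot\...,
    # or a path relative to the Windows directory such as system32\drivers\foo.sys.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot.TrimEnd('\') + '\')
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverImagePath $_.PathName
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Authenticode status: Valid, NotSigned, NotTrusted, HashMismatch, ...
        $status = (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        $status = 'FileMissing'
    }
    [pscustomobject]@{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        ImagePath = $path
        Signature = $status
    }
}

# A freshly dropped driver typically shows up as an unsigned or test-signed file in an
# unusual directory, often with StartMode 'Auto' or 'Boot' so that it survives reboot.
$report | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object Name | Format-Table -AutoSize
```

Because the Rootkit component hides itself by hooking and by modifying kernel objects once it is loaded, this check is most reliable before the driver starts (for example, on the Dropper's first run) or when repeated from a clean boot environment and compared against an offline copy of the SYSTEM registry hive.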

Authors

  • Tomer Eyzenberg - Initial work - eLoopWoo
