This repository contains a variety of Windows kernel-mode drivers developed to demonstrate rootkit basic functionalities.
Each proof-of-concept is designed to illustrate specific kernel-level behaviors (thread creation, DKOM, process callbacks, filesystem filtering, WFP interception, network operations, etc.) and serves as a modular step toward more advanced Windows rootkits such as Benthic. While all source code is included, newcomers are encouraged to first understand the build workflow, driver signing requirements, and the fundamentals of Windows kernel development.
If this is your first time working with kernel-mode code, start by setting up your environment, enabling Test Signing Mode, and compiling your first driver. You will find below both manual instructions for Windows driver compilation, as well as references to automation scripts in the "Development Environment/" folder.
- First Time?
- Security Measures
- WindowsKernel
- Building a Windows Kernel Mode Driver
- Proof of Concepts (Malicious Kernel Mode Drivers)
📂
Building your first rootkit isn't just about writing stealthy code, it's about reshaping how the system sees itself. This isn't malware in userspace. It's kernel-level manipulation, where processes vanish, files become ghosts, and network traffic bends to your control. You're not playing by the OS rules anymore. You're rewriting them. But before you can hide in plain sight, you need to understand the very internals you're about to subvert.
- Secure Boot (Anti-Bootkit Installation): Secure Boot is a security feature that ensures a device boots using software trusted by the manufacturer. It verifies the digital signature of the boot loaders to prevent unauthorized applications from running during the boot process. Secure Boot uses a set of keys (PK, KEK, db, dbx) to manage this verification process, allowing only signed software to execute.
- Early Launch AntiMalware - ELAM (Anti-Rootkit Installation): The Early Launch AntiMalware feature allows anti-malware software to start before all other drivers. This early start ensures that the anti-malware software can check and verify the integrity of startup drivers and services, helping to prevent malware from executing at the earliest possible point in the boot process.
- Driver Signature Enforcement - DSE (Anti-Rootkit Installation): Driver Signature Enforcement is a security feature that ensures only drivers signed by a trusted authority can be loaded into the Windows operating system. This helps prevent the installation of drivers that could be malicious or unstable, thereby maintaining system integrity and stability.
- Driver Blocklist for Vulnerable Drivers - (Anti-Rootkit Installation via BYOVD) - Driver Blocklist prevents the loading of known vulnerable drivers exploited in BYOVD (Bring Your Own Vulnerable Driver) attacks. This feature ensures system integrity by blocking outdated or compromised drivers, even if signed, using technologies like HVCI and WDAC, providing an additional layer of kernel-level security.
- Kernel Patch Protection - Patchguard (Anti-Rootkit Deep Funcionalities): Kernel Patch Protection, also known as Patchguard, is a feature in 64-bit versions of Windows that prevents unauthorized modification of the Windows kernel. This security measure helps protect the kernel from rootkits and other forms of malware that attempt to insert malicious code into the kernel space.
- Virtualization Based Security - VBS (Global) - Virtualization Based Security uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. VBS can help protect Windows from vulnerabilities in the operating system and from malicious software that attempts to tamper with the kernel and system processes. This secure environment is used to host several security solutions, such as Credential Guard, providing enhanced protection against advanced security threats.
The Windows Kernel is the core of the Windows operating system, responsible for managing hardware, memory, processes, and security at the lowest level. It operates in Ring 0 (privileged mode), allowing direct interaction with system resources.
- Process and Thread Management: Handles process scheduling, thread execution, and synchronization mechanisms.
- Memory Management: Manages virtual memory, paging, and address translation.
- Device and Driver Communication: Provides APIs for Kernel Mode Drivers (KMDF/UMDF) to interact with hardware.
- Security and Access Control: Implements User Mode vs Kernel Mode separation to enforce system integrity.
- I/O Management: Handles file systems, networking, and system services.
| Feature | User Mode | Kernel Mode |
|---|---|---|
| Access Level | Restricted (Ring 3) | Full System Access (Ring 0) |
| Performance | Lower (API abstraction) | Higher (Direct hardware access) |
| Security | Isolated from the OS core | Runs with full privileges |
| Crash Impact | Affects only the process | Can crash the entire system |
Kernel Mode development is essential for:
- Developing custom drivers for new hardware or virtualization.
- Implementing security tools such as anti-cheat engines, endpoint security solutions, and forensic tools.
- Manipulating system behavior for research or rootkit development.
To set up the necessary environment for Kernel Mode drivers development using WDK on Windows, the following virtual machines (VMs), tools, and packages are essential:
- Machines: Download a Windows 10 or Windows 11 ISO image and set up a virtual machine using VirtualBox or VMware Workstation, configuring it with 70 GB of storage and 8 gigabytes of RAM.
- Visual Studio 2022 Community: Download Visual Studio 2022 Community and, before installing, make sure to select the "Desktop development with C++" workload and the 'MSVC v143 - VS 2022 C++ x64/x86 Spectre-mitigated libs (latest)' + the 'Windows Driver Kit' individual components.
- Git: Install Git by downloading the appropriate binary.
- Windows Software Development Kit (SDK): Install SDK.
- Windows Driver Kit (WDK): Install WDK and select 'Windows Driver Kit Visual Studio extension' to complete the integration with Visual Studio (if available, in newer versions this step is not required).
To simplify the process of establishing a Rootkit development environment on Windows, a corresponding PowerShell script Setup_Development_Environment.ps1 has been created. This script is designed to walk you through the necessary downloads and installations.
To start developing a Kernel Mode Driver, follow these steps to create your project and workspace:
- Open Visual Studio and click on 'Create a new project'.
- Search for and select the 'Kernel Mode Driver, Empty (KMDF)' template.
- Name your project (e.g., MyKernelDriver) and specify the location for your workspace.
- Once the project is created, configure your build environment by setting the appropriate dependencies and include paths for the Windows Driver Kit (WDK). Ensure that your target platform and configurations (e.g., Debug/Release, x64/x86) are correctly selected.
This folder contains a variety of Windows kernel-mode drivers developed to demonstrate rootkit basic functionalities:
-
KernelRootkit001_HelloWorld
- KMDFDriver_HelloWorld is a Windows kernel-mode driver that serves as a demonstration of basic rootkit functionality. The driver's primary purpose is to load into the kernel and print a "Hello World" debug message as part of its initialization process. It also includes a DriverUnload routine to handle the unloading and cleanup of the driver.
-
KernelRootkit002_Threading
- KMDFDriver_Threading is a Windows kernel-mode driver that serves as a demonstration of basic rootkit functionality. The driver's primary purpose is to create and manage a persistent system thread that periodically logs messages to the kernel debugger. The driver initializes by spawning a system thread that executes at regular intervals, printing a timestamped "Hello World" message. It also includes a DriverUnload routine to properly terminate the thread and clean up resources before unloading the driver from the system.
-
KernelRootkit003_ZwFunctions
- KMDFDriver_ZwFunctions is a Windows kernel-mode driver that serves as a demonstration of basic rootkit functionality. The driver's primary purpose is to interact with the Windows kernel using Zw (NTAPI) functions to perform file operations and retrieve system information. Specifically, the driver creates a file, logs OS version details into it, and appends data using ZwCreateFile and ZwWriteFile. It also includes a DriverUnload routine to clean up and delete the file upon removal.
-
KernelRootkit004_IOCTLs
- ConsoleApp_IOCTLs is a user-mode application that interacts with a kernel-mode driver by sending IOCTL (Input/Output Control) requests and processing its responses. It serves as the interface for executing rootkit functionalities from user space.
- KMDFDriver_IOCTLs is a Windows kernel-mode driver that serves as a demonstration of a basic rootkit functionality. This driver is responsible for handling IOCTL requests initiated by a user-level application. It defines IOCTL command codes and implements corresponding functionality for each one.
-
KernelRootkit005_Callbacks
- KMDFDriver_Callbacks is a Windows kernel-mode driver that serves as a demonstration of a basic rootkit functionality. This driver registers kernel event callbacks to monitor system activity, specifically tracking process creation and termination in real time. By leveraging PsSetCreateProcessNotifyRoutine and PsSetCreateProcessNotifyRoutineEx, it captures parent-child process relationships while enforcing restrictions on specific executables, actively blocking the execution of certain processes to prevent the launch of debugging and monitoring tools.
-
KernelRootkit006_DKOM
- ConsoleApp_DKOM is a user-mode application that interacts with a kernel-mode driver to manipulate process structures in memory.
- KMDFDriver_DKOM is a Windows kernel-mode driver that serves as a demonstration of a basic rootkit functionality. It manipulates kernel structures using Direct Kernel Object Manipulation (DKOM) to hide processes by unlinking them from the ActiveProcessLinks list, bypassing standard process enumeration methods.
-
KernelRootkit007_KeyboardFilter
- KMDFDriver_KeyboardFilter is a Windows kernel-mode driver that serves as a demonstration of a basic rootkit functionality. This driver operates as a keyboard filter by attaching itself to the keyboard device stack and intercepting keystroke events at the kernel level. It includes a completion routine that inspects key events and logs them, effectively demonstrating how a keylogger can be implemented at the kernel level.
-
KernelRootkit008_Minifilter
- ConsoleApp_MinifilterInstallation is a user-mode application responsible for creating the necessary registry keys required for the minifilter driver to load. Unlike standard kernel drivers that can be installed using sc.exe create, minifilter drivers require additional registry modifications to be properly registered and loaded by the Windows Filter Manager.
- KMDFDriver_Minifilter is a Windows kernel-mode driver that serves as a demonstration of a basic rootkit functionality. This driver intercepts file system operations at the minifilter level to block access to specific files and directories.
-
KernelRootkit009_FilterCommunicationPort
- ConsoleApp_FilterCommunicationPort is a user-mode application that communicates with a kernel-mode minifilter driver via Filter Communication Ports. This application serves as an interface to send commands and receive responses from the minifilter driver, enabling interaction with the rootkit's functionalities from user space.
- KMDFDriver_FilterCommunicationPort is a Windows kernel-mode driver that serves as a demonstration of a basic rootkit functionality. This driver establishes a Filter Communication Port to facilitate controlled interactions between user-mode applications and the kernel. By intercepting file system operations, it enables the modification, blocking, or monitoring of file access dynamically.
-
KernelRootkit010_WindowsFilteringPlatform
- KMDFDriver_WindowsFilteringPlatform is a Windows kernel-mode driver that serves as a demonstration of a basic rootkit functionality. This driver intercepts and blocks network connections directed to specific IP addresses by integrating with the Windows Filtering Platform (WFP).
-
KernelRootkit011_WinSockKernel
- KMDFDriver_WinSockKernel is a Windows kernel-mode driver that serves as a demonstration of a basic rootkit functionality. This driver establishes network connections and performs data transmission directly from the kernel. By leveraging the WinSock Kernel (WSK) API, it can send and receive data over TCP and UDP without requiring interaction with user-space applications.