aljaz/shadow-rs
1
1
Fork 0
mirror of https://github.com/joaoviictorti/shadow-rs.git synced 2026-01-15 05:24:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

docs: Moving documentation to the Github wiki

Browse Source
This commit is contained in:
joaoviictorti
2024-11-01 17:23:13 -03:00
parent a96bea04fb
commit 1593f5d8b4
8 changed files with 0 additions and 270 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
docs/README.md
View File

@@ -1,47 +0,0 @@
## Windows Kernel Rootkit in Rust (shadow-rs) Documentation 🦀
This document presents an overview of the `shadow-rs` project, describing its features, instructions for use and details of the development process. `shadow-rs` is designed to provide an advanced set of tools for manipulating processes, threads, drivers and much more in the Windows kernel.
### Table of contents
* [Process](/docs/process.md)
* [Process (Hide / Unhide)](/docs/process.md#hide--unhide-process)
* [Elevate Process to System](/docs/process.md#elevate-process-to-system)
* [Process Signature (PP / PPL)](/docs/process.md#process-signature-pp--ppl)
* [Process Protection (Anti-Kill / Dumping)](/docs/process.md#process-protection-anti-kill--dumping)
* [Terminate Process](/docs/process.md#terminate-process)
* [Lists protected and hidden processes currently on the system](/docs/process.md#lists-protected-and-hidden-processes-currently-on-the-system)
* [Thread](/docs/thread.md)
* [Thread (Hide / Unhide)](/docs/thread.md)
* [Thread Protection (Anti-Kill)](/docs/thread.md)
* [Lists protected and hidden threads currently on the system](/docs/thread.md)
* [Driver](/docs/driver.md)
* [Driver (Hide / Unhide)](/docs/driver.md)
* [Enumerate Driver](/docs/driver.md)
* [Misc](/docs/misc.md)
* [Driver Signature Enforcement (DSE) (Enable / Disable)](/docs/misc.md)
* [Enable Keylogger](/docs/misc.md)
* [ETWTI (Enable / Disable)](/docs/misc.md)
* [Port](/docs/port.md)
* [Port (Hide / Unhide)](/docs/port.md)
* [Callbacks](/docs/callback.md)
* [List / Remove / Restore Callbacks](/docs/callback.md)
* [Listing currently removed callbacks](/docs/callback.md)
* [Module](/docs/module.md)
* [Hide Module](docs/module.md)
* [Enumerate Module](/docs/module.md)
* [Registry](/docs/registry.md)
* [Key and Values (Hide / Unhide)](/docs/registry.md)
* [Registry Protection (Anti-Deletion e Overwriting)](/docs/registry.md)
* [Injection](/docs/registry.md)
* [Process Injection - Shellcode (ZwCreateThreadEx)](/docs/injection.md)
* [Process Injection - DLL (ZwCreateThreadEx)](/docs/injection.md)
* [APC Injection - Shellcode](/docs/injection.md)

1
docs/callback.md
View File

@@ -1 +0,0 @@
## Callback

1
docs/driver.md
View File

@@ -1 +0,0 @@
## Driver

1
docs/injection.md
View File

@@ -1 +0,0 @@
## Injection

1
docs/misc.md
View File

@@ -1 +0,0 @@
## Misc

149
docs/process.md
View File

@@ -1,149 +0,0 @@
## Process
## Hide / Unhide Process
Description:
This command allows you to hide or reveal specific processes on the system.
```cmd
shadow.exe process [hide | unhide] --pid <pid>
```
* `hide`: Hide the specified process.
* `unhide`: Unhide the specified process.
* `pid`: The PID of the process you want to hide or reveal.
Example of use:
```cmd
shadow.exe process hide --pid 1234
```
This command will hide the process with PID 1234.
## Elevate Process to System
Description:
This command allows you to raise the process to system.
```cmd
shadow.exe process elevate --pid <pid>
```
* `elevate`: Elevate the process.
* `pid`: The PID of the process you want to escalate to system.
Example of use:
```cmd
shadow.exe process elevate --pid 1234
```
This command will elevate the process with PID 1234.
## Process Signature (PP / PPL)
Description:
This command allows you to protect / unprotect a process using Process Protection (PP) or Protected Process Light (PPL).
```cmd
shadow.exe process signature --pt <protection> --sg <signature> --pid <pid>
```
* `signature`: Signature the process.
* `pt`: The protection type.
* Possible values:
- `none`: No protection
- `protected-light`: Light protection
- `protected`: Full protection
* `sg`: The protection signer.
* Possible values:
- `none`: No signer
- `authenticode`: Authenticode signer
- `code-gen`: Code generation signer
- `antimalware`: Antimalware signer
- `lsa`: LSA signer
- `windows`: Windows signer
- `win-tcb`: WinTcb signer
- `win-system`: WinSystem signer
- `app`: Application signer
- `max`: Maximum value for signers
* `pid`: The PID of the process you want to modify PP / PPL.
Example of use:
```cmd
shadow.exe process signature --pid 1234 --pt protected --sg win-tcb
```
This command changes the protection of the process with PID 1234.
## Process Protection (Anti-Kill / Dumping)
Description:
This command allows you to add or remove process protection.
```cmd
shadow.exe process protection --pid <pid> [--add | --remove]
```
* `protection`: Protect the specified process.
* `-a / --add`: Add the process.
* `-r / --remove`: Remove the process.
* `pid`: The PID of the process you want to protect.
Example of use:
```cmd
shadow.exe process protection --pid 1234 --add
```
This command will protect the process with PID 1234.
## Terminate Process
Description:
This command allows you to terminate a process.
```cmd
shadow.exe process terminate --pid <pid>
```
* `terminate`: Terminate the specified process.
* `pid`: The PID of the process you want to terminate.
Example of use:
```cmd
shadow.exe process terminate --pid 1234
```
This command will terminate the process with PID 1234.
## Lists protected and hidden processes currently on the system
Description:
This command allows you to list the processes that are currently protected or hidden.
```cmd
shadow.exe process enumerate -l -t <value>
```
* `enumerate`: Terminate the specified process.
* `-l / --list`: List the protected or hidden process.
* `-t / --type`: Specify which type you want to list.
* Possible values:
- `hide`: List of hidden targets
- `protection`: List of protected targets
Example of use:
```cmd
shadow.exe process enumerate -l -t protection
```
This command will close and list the currently protected processes.

1
docs/registry.md
View File

@@ -1 +0,0 @@
## Registry

69
docs/thread.md
View File

@@ -1,69 +0,0 @@
## Thread
## Hide / Unhide thread
Description:
This command allows you to hide or reveal specific threads on the system.
```cmd
shadow.exe thread [hide | unhide] --tid <tid>
```
* `hide`: Hide the specified thread.
* `unhide`: Unhide the specified thread.
* `tid`: The TID of the thread you want to hide or reveal.
Example of use:
```cmd
shadow.exe thread hide --tid 1234
```
This command will hide the thread with TID 1234.
## Thread Protection (Anti-Kill)
Description:
This command allows you to add or remove thread protection.
```cmd
shadow.exe thread protection --tid <tid> [--add | --remove]
```
* `protection`: Protect the specified thread.
* `-a / --add`: Add the thread.
* `-r / --remove`: Remove the thread.
* `tid`: The TID of the thread you want to protect.
Example of use:
```cmd
shadow.exe thread protection --tid 1234 --add
```
This command will protect the thread with TID 1234.
## Lists protected and hidden threads currently on the system
Description:
This command allows you to list the thread that are currently protected or hidden.
```cmd
shadow.exe thread enumerate -l -t <value>
```
* `enumerate`: Terminate the specified thread.
* `-l / --list`: List the protected or hidden thread.
* `-t / --type`: Specify which type you want to list.
* Possible values:
- `hide`: List of hidden targets
- `protection`: List of protected targets
Example of use:
```cmd
shadow.exe thread enumerate -l -t protection
```
This command will close and list the currently protected threads.