diff --git a/docs/README.md b/docs/README.md deleted file mode 100644 index d1814b6..0000000 --- a/docs/README.md +++ /dev/null 
@@ -1,47 +0,0 @@ -## Windows Kernel Rootkit in Rust (shadow-rs) Documentation 🦀 - -This document presents an overview of the `shadow-rs` project, describing its features, instructions for use and details of the development process. `shadow-rs` is designed to provide an advanced set of tools for manipulating processes, threads, drivers and much more in the Windows kernel. - -### Table of contents - -* [Process](/docs/process.md) - * [Process (Hide / Unhide)](/docs/process.md#hide--unhide-process) - * [Elevate Process to System](/docs/process.md#elevate-process-to-system) - * [Process Signature (PP / PPL)](/docs/process.md#process-signature-pp--ppl) - * [Process Protection (Anti-Kill / Dumping)](/docs/process.md#process-protection-anti-kill--dumping) - * [Terminate Process](/docs/process.md#terminate-process) - * [Lists protected and hidden processes currently on the system](/docs/process.md#lists-protected-and-hidden-processes-currently-on-the-system) - -* [Thread](/docs/thread.md) - * [Thread (Hide / Unhide)](/docs/thread.md) - * [Thread Protection (Anti-Kill)](/docs/thread.md) - * [Lists protected and hidden threads currently on the system](/docs/thread.md) - -* [Driver](/docs/driver.md) - * [Driver (Hide / Unhide)](/docs/driver.md) - * [Enumerate Driver](/docs/driver.md) - -* [Misc](/docs/misc.md) - * [Driver Signature Enforcement (DSE) (Enable / Disable)](/docs/misc.md) - * [Enable Keylogger](/docs/misc.md) - * [ETWTI (Enable / Disable)](/docs/misc.md) - -* [Port](/docs/port.md) - * [Port (Hide / Unhide)](/docs/port.md) - -* [Callbacks](/docs/callback.md) - * [List / Remove / Restore Callbacks](/docs/callback.md) - * [Listing currently removed callbacks](/docs/callback.md) - -* [Module](/docs/module.md) - * [Hide Module](docs/module.md) - * [Enumerate Module](/docs/module.md) - -* [Registry](/docs/registry.md) - * [Key and Values (Hide / Unhide)](/docs/registry.md) - * [Registry Protection (Anti-Deletion e Overwriting)](/docs/registry.md) - -* 
[Injection](/docs/registry.md) - * [Process Injection - Shellcode (ZwCreateThreadEx)](/docs/injection.md) - * [Process Injection - DLL (ZwCreateThreadEx)](/docs/injection.md) - * [APC Injection - Shellcode](/docs/injection.md) \ No newline at end of file diff --git a/docs/callback.md b/docs/callback.md deleted file mode 100644 index 98904dc..0000000 --- a/docs/callback.md +++ /dev/null @@ -1 +0,0 @@ -## Callback \ No newline at end of file diff --git a/docs/driver.md b/docs/driver.md deleted file mode 100644 index 236650d..0000000 --- a/docs/driver.md +++ /dev/null @@ -1 +0,0 @@ -## Driver \ No newline at end of file diff --git a/docs/injection.md b/docs/injection.md deleted file mode 100644 index 83662cf..0000000 --- a/docs/injection.md +++ /dev/null @@ -1 +0,0 @@ -## Injection \ No newline at end of file diff --git a/docs/misc.md b/docs/misc.md deleted file mode 100644 index 41b9f1b..0000000 --- a/docs/misc.md +++ /dev/null @@ -1 +0,0 @@ -## Misc \ No newline at end of file diff --git a/docs/process.md b/docs/process.md deleted file mode 100644 index 2f178ae..0000000 --- a/docs/process.md +++ /dev/null 
@@ -1,149 +0,0 @@ -## Process - -## Hide / Unhide Process - -Description: -This command allows you to hide or reveal specific processes on the system. - -```cmd -shadow.exe process [hide | unhide] --pid -``` - -* `hide`: Hide the specified process. -* `unhide`: Unhide the specified process. -* `pid`: The PID of the process you want to hide or reveal. - -Example of use: - -```cmd -shadow.exe process hide --pid 1234 -``` - -This command will hide the process with PID 1234. - - -## Elevate Process to System - -Description: -This command allows you to raise the process to system. - -```cmd -shadow.exe process elevate --pid -``` - -* `elevate`: Elevate the process. -* `pid`: The PID of the process you want to escalate to system. - -Example of use: - -```cmd -shadow.exe process elevate --pid 1234 -``` - -This command will elevate the process with PID 1234. - -## Process Signature (PP / PPL) - -Description: -This command allows you to protect / unprotect a process using Process Protection (PP) or Protected Process Light (PPL). - -```cmd -shadow.exe process signature --pt --sg --pid -``` - -* `signature`: Signature the process. -* `pt`: The protection type. - * Possible values: - - `none`: No protection - - `protected-light`: Light protection - - `protected`: Full protection - -* `sg`: The protection signer. - * Possible values: - - `none`: No signer - - `authenticode`: Authenticode signer - - `code-gen`: Code generation signer - - `antimalware`: Antimalware signer - - `lsa`: LSA signer - - `windows`: Windows signer - - `win-tcb`: WinTcb signer - - `win-system`: WinSystem signer - - `app`: Application signer - - `max`: Maximum value for signers - -* `pid`: The PID of the process you want to modify PP / PPL. - -Example of use: - -```cmd -shadow.exe process signature --pid 1234 --pt protected --sg win-tcb -``` - -This command changes the protection of the process with PID 1234. 
- -## Process Protection (Anti-Kill / Dumping) - -Description: -This command allows you to add or remove process protection. - -```cmd -shadow.exe process protection --pid [--add | --remove] -``` - -* `protection`: Protect the specified process. -* `-a / --add`: Add the process. -* `-r / --remove`: Remove the process. -* `pid`: The PID of the process you want to protect. - -Example of use: - -```cmd -shadow.exe process protection --pid 1234 --add -``` - -This command will protect the process with PID 1234. - -## Terminate Process - -Description: -This command allows you to terminate a process. - -```cmd -shadow.exe process terminate --pid -``` - -* `terminate`: Terminate the specified process. -* `pid`: The PID of the process you want to terminate. - -Example of use: - -```cmd -shadow.exe process terminate --pid 1234 -``` - -This command will terminate the process with PID 1234. - -## Lists protected and hidden processes currently on the system - -Description: -This command allows you to list the processes that are currently protected or hidden. - -```cmd -shadow.exe process enumerate -l -t -``` - -* `enumerate`: Terminate the specified process. -* `-l / --list`: List the protected or hidden process. -* `-t / --type`: Specify which type you want to list. - - * Possible values: - - `hide`: List of hidden targets - - `protection`: List of protected targets - -Example of use: - -```cmd -shadow.exe process enumerate -l -t protection -``` - -This command will close and list the currently protected processes. \ No newline at end of file diff --git a/docs/registry.md b/docs/registry.md deleted file mode 100644 index 3b8e094..0000000 --- a/docs/registry.md +++ /dev/null @@ -1 +0,0 @@ -## Registry \ No newline at end of file diff --git a/docs/thread.md b/docs/thread.md deleted file mode 100644 index d1dbaa3..0000000 --- a/docs/thread.md +++ /dev/null 
@@ -1,69 +0,0 @@ -## Thread - -## Hide / Unhide thread - -Description: -This command allows you to hide or reveal specific threads on the system. - -```cmd -shadow.exe thread [hide | unhide] --tid -``` - -* `hide`: Hide the specified thread. -* `unhide`: Unhide the specified thread. -* `tid`: The TID of the thread you want to hide or reveal. - -Example of use: - -```cmd -shadow.exe thread hide --tid 1234 -``` - -This command will hide the thread with TID 1234. - -## Thread Protection (Anti-Kill) - -Description: -This command allows you to add or remove thread protection. - -```cmd -shadow.exe thread protection --tid [--add | --remove] -``` - -* `protection`: Protect the specified thread. -* `-a / --add`: Add the thread. -* `-r / --remove`: Remove the thread. -* `tid`: The TID of the thread you want to protect. - -Example of use: - -```cmd -shadow.exe thread protection --tid 1234 --add -``` - -This command will protect the thread with TID 1234. - -## Lists protected and hidden threads currently on the system - -Description: -This command allows you to list the thread that are currently protected or hidden. - -```cmd -shadow.exe thread enumerate -l -t -``` - -* `enumerate`: Terminate the specified thread. -* `-l / --list`: List the protected or hidden thread. -* `-t / --type`: Specify which type you want to list. - - * Possible values: - - `hide`: List of hidden targets - - `protection`: List of protected targets - -Example of use: - -```cmd -shadow.exe thread enumerate -l -t protection -``` - -This command will close and list the currently protected threads. \ No newline at end of file
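Review bot: In the deleted docs/README.md hunk the table of contents carried several broken links that should not be carried over if this content is being re-homed: `[Injection](/docs/registry.md)` points at the registry page instead of `/docs/injection.md`, `[Hide Module](docs/module.md)` lacks the leading `/` that every other entry uses, and "Anti-Deletion e Overwriting" has a stray Portuguese "e" where "and" is meant. The Thread, Driver, Misc, Port, Callbacks, Module and Registry sub-entries also all link to the bare file with no `#anchor`, unlike the Process entries. Since this hunk removes the only index to the CLI documentation visible in the diff, the commit message should state where the documentation now lives, or the deletion reads as silently dropping it.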
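Review bot: The deleted docs/process.md hunk contained copy-paste errors in the "Lists protected and hidden processes" section that should be fixed wherever this text is moved rather than re-introduced: the bullet reads "`enumerate`: Terminate the specified process." and the closing sentence says the command "will close and list" the processes, although the command only enumerates. In "Process Signature (PP / PPL)" the bullet "`signature`: Signature the process." is not a description; "Set the protection level and signer of the process." matches what the flags do. The synopses `shadow.exe process signature --pt --sg --pid` and `shadow.exe process protection --pid [--add | --remove]` show flags without value placeholders (compare the worked example `--pid 1234 --pt protected --sg win-tcb`), so a reader cannot tell which options take an argument.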
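Review bot: The deleted docs/thread.md hunk has the same defects as the process page, evidently copied from it: "`enumerate`: Terminate the specified thread." and "This command will close and list the currently protected threads." both describe termination for a listing command, "list the thread that are" should be "list the threads that are", and the synopses `shadow.exe thread [hide | unhide] --tid` and `shadow.exe thread protection --tid [--add | --remove]` omit the `<tid>` placeholder. If the page is restored elsewhere, fix these in one place and keep the process and thread pages in sync.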
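Review bot: The hunks deleting docs/callback.md, docs/driver.md, docs/injection.md, docs/misc.md and docs/registry.md each remove a one-line placeholder (`## Callback`, `## Driver`, and so on) with no body, so no documentation is lost there; but docs/README.md linked to all of them, including docs/port.md and docs/module.md which this diff does not touch and which are not shown to exist. Please confirm in the PR description whether those two files exist, so the tree is not left with a mix of deleted stubs and dangling targets.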