shadow-rs 🦀
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation while leveraging Rust’s safety and performance features. This project is intended for educational and research purposes.
The project also provides useful crates for developing rootkits, such as shadowx, which consolidates core logic and essential techniques. It includes rootkit-specific tricks, with plans for additional features in future updates.
The documentation on how to execute CLI commands can be found on the Wiki
Table of Contents
- Notice
- Features
- Installation
- Supported Platforms
- Build Instructions
- Setup Instructions
- Disclaimer
- Contributing to shadow-rs
- References
- License
Notice
Important
This project is under development.
Features
- ✅ Process: Hide / Unhide, Signature (PP / PPL), Protection (Anti-Kill / Dumping), Elevate to System, Terminate, List Protected / Hidden Processes.
- ✅ Thread: Hide / Unhide, Protection (Anti-Kill), List Protected / Hidden Threads.
- ✅ Driver: Hide / Unhide, Enumerate, Signature Enforcement (Enable / Disable).
- ✅ Callback: List / Remove / Restore Callback, List Removed Callbacks.
- ✅ Keylogger & Ports: Enable Keylogger, Hide / Unhide Ports.
- ✅ Module & Registry: Hide / Enumerate Modules, Hide / Unhide Keys & Values, Registry Protection (Anti-Deletion / Overwriting).
- ✅ User Mode Code Execution: Injection via ZwCreateThreadEx (Shellcode / DLL), APC Injection (Shellcode).
- ✅ ETWTI: Disable Event Tracing for Windows (ETW).
Installation
- Install Rust from here.
- Follow Microsoft's guide to set up Rust for kernel development.
Supported Platforms
- ✅ Windows 10 / 11 (x64 only)
Build Instructions
Driver
Navigate to the driver directory and build the kernel driver:
cargo make default --release
Important
Note: The first build must be executed as Administrator. Subsequent builds do not require elevated privileges.
To enable mapping support for tools like kdmapper, compile with:
cargo make default --release --features mapper
Client
Navigate to the client directory and build the user-mode client:
cargo build --release
For compatibility with mapped drivers:
cargo build --release --features mapper
Setup Instructions
Enable Test Mode or Test Signing Mode
bcdedit /set testsigning on
Create / Start Service
You can use Service Control Manager or OSR Driver Loader to load your driver.
Debugging
Use Windbg to attach to the kernel and monitor driver activity.
bcdedit /debug on
bcdedit /dbgsettings net hostip:<IP> port:<PORT>
Contributing to shadow-rs
To contribute to shadow-rs, follow these steps:
- Fork this repository.
- Create a branch:
git checkout -b <branch_name>. - Make your changes and confirm them:
git commit -m '<commit_message>'. - Send to the original branch:
git push origin <project_name> / <local>. - Create the pull request.
Alternatively, consult the GitHub documentation on how to create a pull request.
Disclaimer
This project is for educational and research purposes. Malicious use of the software is strictly prohibited and discouraged. I am not responsible for any damage caused by improper use of the software.
References
I want to express my gratitude to these projects that inspired me to create shadow-rs and contribute with some features:
Other Essential Resources:
These materials and research have been invaluable in deepening my understanding of Windows kernel development:
- UnKnoWnCheaTs
- Reactos
- Blinding EDR On Windows
- Windows Kernel Programming - Pavel
- Rootkit Arsenal Escape Evasion Corners
- Rootkits Subverting Windows Greg Hoglund
- Rootkits Bootkits Reversing Malware Generation
- Memory Forensics
- Leveraging Rootkits for Post-Exploitation - Black Hat
License
This project is licensed under the MIT License. See the LICENSE file for details.