- Moved and refactored several internal modules to `driver/src/internals/`:
  - Added new files: `enums.rs`, `externs.rs`, `structs.rs`, `types.rs`, and `mod.rs`.
  - Renamed `includes/vad.rs` to `internals/vad.rs` for better organization.
- Updated `callback` module:
  - Refactored `notify_routine.rs`, `object.rs`, `registry.rs`, and supporting files for better callback handling.
  - Improved callback finding mechanism in `find_callback.rs` and `ioctls.rs`.
- Adjusted `injection` module:
  - Refactored callback and I/O control handling in `callbacks.rs` and `ioctls.rs`.
- Miscellaneous improvements:
  - Updated `misc/dse.rs`, `misc/etwti.rs`, and `keylogger/mod.rs`.
  - Refactored `process`, `registry`, and `thread` modules for better maintainability.
  - Simplified utility functions in `utils/`, including `address.rs`, `handles.rs`, `patterns.rs`, and more.
  - Cleaned up and removed unused files like `.gitignore` in multiple directories.
  - Updated `Cargo.toml` and `Cargo.lock` to reflect dependency changes.
Windows Kernel Rootkit in Rust (shadow-rs) 🦀
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation, while leveraging Rust’s safety and performance features. This project is intended for educational and research purposes.
Table of Contents
- Legal notice
- Documentation
- Features
- Others
- Build Instructions
- Setup Instructions
- Upcoming Features
- Contributing to shadow-rs
- License
Legal Notice
Important
This project is under development. This project is for educational and research purposes. Malicious use of the software is strictly prohibited and discouraged. I am not responsible for any damage caused by improper use of the software.
Documentation
If you would like to read the documentation on how to use the tool, simply navigate to the /docs folder. There you will find detailed information on setting up, using, and contributing to the project.
Features
Process
- ✅ Process (Hide / Unhide)
- ✅ Process Signature (PP / PPL)
- ✅ Process Protection (Anti-Kill / Dumping)
- ✅ Elevate Process to System
- ✅ Terminate Process
- ✅ Lists protected and hidden processes currently on the system
Thread
- ✅ Thread (Hide / Unhide)
- ✅ Thread Protection (Anti-Kill)
- ✅ Lists protected and hidden threads currently on the system
Driver
- ✅ Driver (Hide / Unhide)
- ✅ Enumerate Driver
Misc
- Driver Signature Enforcement (DSE)
  - ✅ DSE (Enable / Disable)
- Keylogger
  - ✅ Keylogger (Start / Stop)
- ETWTI
  - ✅ ETWTI (Enable / Disable)
Callbacks
- ✅ List / Remove / Restore Callbacks
  - PsSetCreateProcessNotifyRoutine
  - PsSetCreateThreadNotifyRoutine
  - PsSetLoadImageNotifyRoutine
  - CmRegisterCallbackEx
  - ObRegisterCallbacks (PsProcessType / PsThreadType)
- ✅ Listing currently removed callbacks
Module
- ✅ Hide Module
- ✅ Enumerate Module
Registry
- ✅ Hide Key and Values
- ✅ Registry Protection (Anti-Deletion and Overwriting)
Injection
- ✅ Process Injection - Shellcode / DLL (ZwCreateThreadEx)
- ✅ APC Injection - Shellcode
Others
The following functionalities are not "features" as such; they are techniques that may be of interest to explore, understand and apply when developing your own driver.
- Searching at runtime for a "Zw" API that is not exported from `ntoskrnl.exe`.
- Reflective loading.
- Support for mapping the driver in memory.
Build Instructions
To build the project, ensure you have the Rust toolchain installed.
Driver
To build the driver, first go to the driver folder and then run the following command (the first build must be run as administrator; subsequent builds do not need to be):
cargo make default --release
This driver can be mapped with kdmapper or similar mapping tools. To build it with mapping support, use the command:
cargo make default --release --features mapper
Client
To build the client, first go into the client folder, then run the following command:
cargo build --release
Since some features of the rootkit are not supported when the driver is mapped, use the following command to build the client with only the commands that can be executed under mapping:
cargo build --release --features mapper
Setup Instructions
Enable Test Mode or Test Signing Mode
bcdedit /set testsigning on
[Optional] Debug via WinDbg
bcdedit /debug on
bcdedit /dbgsettings net hostip:<IP> port:<PORT>
Create / Start Service
You can use Service Control Manager or OSR Driver Loader to load your driver.
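The two bcdedit settings above are exactly what a defender should be alerting on, because a host with test signing or kernel debugging enabled will accept unsigned drivers or a remote debugger. The following audit script is an added example and not part of shadow-rs; it assumes `bcdedit /enum {current}` prints `testsigning` and `debug` as `<name> <Yes|No>` lines and omits settings that were never turned on.

```powershell
# Added example (not part of shadow-rs): audit the boot-configuration settings
# that the setup steps above change. On a production host, testsigning=Yes or
# debug=Yes means unsigned drivers can be loaded or a kernel debugger attached,
# so both are reported as findings. Must run from an elevated prompt.
# Assumption: bcdedit's "/enum {current}" output lists "testsigning" and
# "debug" as "<name> <Yes|No>" lines and omits a setting that was never set.

function Get-BootSecuritySettings {
    # Braces must be quoted in PowerShell, otherwise {current} is a script block.
    $lines = bcdedit /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed (run from an elevated prompt): $lines"
    }
    # Default to "No": bcdedit omits settings that have never been turned on.
    $result = [ordered]@{ testsigning = 'No'; debug = 'No' }
    foreach ($line in $lines) {
        if ($line -match '^\s*(testsigning|debug)\s+(Yes|No)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

$settings = Get-BootSecuritySettings
$findings = @()
if ($settings.testsigning -eq 'Yes') {
    $findings += 'Test signing is ON: unsigned kernel drivers can be loaded on this host.'
}
if ($settings.debug -eq 'Yes') {
    $findings += 'Kernel debugging is ON: a remote debugger can attach to the kernel.'
}
if ($findings.Count -eq 0) {
    Write-Output 'OK: test signing and kernel debugging are both off.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it on lab machines after a research session to confirm both settings were reverted (`bcdedit /set testsigning off`, `bcdedit /debug off`) before the host leaves the lab network.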
Upcoming Features 🚧
Stay tuned for new features! Some upcoming highlights:
- ❌ Hide Ports
- ❌ File/Directory Hiding / Anti-Deletion and Overwriting
- ❌ Minifilters for Callbacks
- ❌ APC Injection - DLL
Contributing to shadow-rs
To contribute to shadow-rs, follow these steps:
- Fork this repository.
- Create a branch: `git checkout -b <branch_name>`.
- Make your changes and commit them: `git commit -m '<commit_message>'`.
- Push to the original branch: `git push origin <project_name> / <local>`.
- Create the pull request.
Alternatively, consult the GitHub documentation on how to create a pull request.
License
Licensed under The MIT License.