VectorKernel - PoCs For Kernelmode Rootkit Techniques Research

PoCs for Kernelmode rootkit techniques research or education. Currently focusing on Windows OS. All modules support 64bit OS only.

NOTE

Some modules use ExAllocatePool2 API to allocate kernel pool memory. ExAllocatePool2 API is not supported in OSes older than Windows 10 Version 2004. If you want to test the modules in old OSes, replace ExAllocatePool2 API with ExAllocatePoolWithTag API.

 

Environment

All modules are tested in Windows 11 x64. To test drivers, following options can be used for the testing machine:

1. Enable Loading of Test Signed Drivers

2. debugging-in-windbg--cdb--or-ntsd">Setting Up Kernel-Mode Debugging

Each options require to disable secure boot.

Modules

Detailed information is given in README.md in each project's directories. All modules are tested in Windows 11.

Module Name	Description
BlockImageLoad	PoCs to block driver loading with Load Image Notify Callback method.
BlockNewProc	PoCs to block new process with Process Notify Callback method.
CreateToken	PoCs to get full privileged SYSTEM token with ZwCreateToken() API.
DropProcAccess	PoCs to drop process handle access with Object Notify Callback.
GetFullPrivs	PoCs to get full privileges with DKOM method.
GetProcHandle	PoCs to get full access process handle from kernelmode.
InjectLibrary	PoCs to perform DLL injection with Kernel APC Injection method.
ModHide	PoCs to hide loaded kernel drivers with DKOM method.
ProcHide	PoCs to hide process with DKOM method.
ProcProtect	PoCs to manipulate Protected Process.
QueryModule	PoCs to perform retrieving kernel driver loaded address information.
StealToken	PoCs to perform token stealing from kernelmode.

TODO

More PoCs especially about following things will be added later:

• Notify callback
• Filesystem mini-filter
• Network mini-filter

Recommended References

• Pavel Yosifovich, Windows Kernel Programming, 2nd Edition (Independently published, 2023)

• Reversing-<a href=" https:="" title="Obfuscation">Obfuscation/dp/1502489309">Bruce Dang, Alexandre Gazet, Elias Bachaalany, and Sébastien Josse, Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation (Wiley Publishing, 2014)

• Greg Hoglund, and Jamie Butler, Rootkits : Subverting the Windows Kernel (Addison-Wesley Professional, 2005)

• Evasion-Corners/dp/144962636X">Bill Blunden, The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition (Jones & Bartlett Learning, 2012)

• Pavel Yosifovich, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, 7th Edition (Microsoft Press, 2017)

• Andrea Allievi, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, Windows Internals, Part 2, 7th Edition (Microsoft Press, 2021)

• Matt Hand, Evading EDR - The Definitive Guide to Defeating Endpoint Detection Systems (No Starch Press, 2023)

Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers

Threat hunters have identified a suspicious package in the&nbsp;NuGet package manager&nbsp;that's likely designed to target developers working with tools made by a Chinese firm that specializes in industrial- and digital equipment manufacturing. The package in question is&nbsp;SqzrFramework480, which ReversingLabs said was first published on January 24, 2024. It has been&nbsp;downloaded&nbsp;

New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called&nbsp;DLL side-loading&nbsp;to circumvent detection by security software and run malicious code. The packages, named&nbsp;NP6HelperHttptest&nbsp;and&nbsp;NP6HelperHttper, were each downloaded&nbsp;537&nbsp;and&nbsp;166 times, respectively,

Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a host of rogue NuGet packages that were observed delivering a remote access trojan called

Rogue npm Package Deploys Open-Source Rootkit in New Supply Chain Attack

A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77, marking the first time a rogue package has delivered rootkit functionality. The package in question is node-hide-console-windows, which mimics the legitimate npm package node-hide-console-window in what's an instance of a typosquatting campaign. It was downloaded 704

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Three additional rogue Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the

Malicious PyPI Packages Using Compiled Python Code to Bypass Detection

Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools. "It may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed," ReversingLabs analyst Karlo Zanki said in a report shared with The Hacker News. The package