  • Stars: 485
  • Rank: 90,698 (Top 2 %)
  • Language: C++
  • License: GNU General Publi...
  • Created over 1 year ago
  • Updated over 1 year ago

Repository Details

Black Angel is a Windows 11/10 x64 kernel mode rootkit. The rootkit can be loaded with DSE enabled while maintaining its full functionality.

Black Angel Rootkit

Designed for Red Teams.


Rootkit Features

The rootkit can be loaded with kdmapper to bypass DSE; the Black Angel Loader may not be working properly yet. The driver-hijack project is used to maintain full driver functionality, such as callback support.

  • DSE Bypass (No need to turn test signing on)
  • KPP Bypass
  • Hide processes
  • Hide ports (TCP/UDP)
  • Process permission elevation
  • Process protection
  • Shellcode injector (Unkillable shellcode: even if the process dies, the shellcode can still run)
  • (TODO) Hide files/directories
  • (TODO) Hide registry keys

Implementation

You can easily implement rootkit calls by copying and pasting the BlackAngel header file into your project.

Demonstration

You can find a rootkit demonstration on my channel.

Additional Info

  • Remember to change the ACTIVE_PROCESS_LINKS offset to match your Windows version. The current offset has been tested on Windows 10/11 Pro 21H2.
  • There may still be stability issues!
  • The KM shellcode injector is OP. If you inject shellcode into a protected process, no antivirus will remove it >:D Simple shellcodes such as Metasploit shell_reverse_tcp are able to work even if the process is terminated.

Resources:

More Repositories

1. Cronos-Rootkit (C++, 721 stars): Cronos is a Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation.
2. CaveCarver (C++, 169 stars): CaveCarver is a PE backdooring tool which utilizes and automates the code cave technique.
3. Kernel-Process-Hollowing (C++, 150 stars): Windows x64 kernel mode rootkit process hollowing POC.
4. Shellcodev (C++, 100 stars): Shellcodev is a tool designed to help and automate the process of shellcode creation.
5. ZwProcessHollowing (C++, 66 stars): ZwProcessHollowing is an x64 process hollowing project which uses direct syscalls, DLL unhooking and RC4 payload decryption.
6. Cronos-Crypter (C#, 18 stars): Cronos Crypter is a simple example of a crypter created for educational purposes.
7. AMSI-Bypass (C#, 13 stars): Rasta's mouse AMSI patch, but with a function that makes it undetectable.
8. MBR-Overwrite-with-custom-message (C++, 13 stars): Overwrites the MBR and adds your own custom message.
9. 2Simple-Dll-Injector (C#, 13 stars): C# DLL injector written as simply as possible.
10. Watykanczyk (C#, 12 stars): Remake of the well-known Watykańczyk virus in C#.
11. Heap-Injection (C#, 12 stars): Example of a C# heap injector for x64 and x86 shellcodes.
12. 2Simple-Keylogger (C#, 12 stars): Simple keylogger written in C# which is ready for modifications.
13. WinREPL (C++, 9 stars): WinREPL is a "read-eval-print loop" shell on Windows that is useful for testing/learning x86 and x64 assembly.
14. Assembler-MessageBox (Assembly, 8 stars): An x86 assembly program that shows a Windows MessageBox, kept as simple as possible.
15. Discord-Webhook-Cannon (C#, 8 stars): Discord Webhook Cannon is a multithreaded, open-source C# Discord webhook flooder. It can be used to flood webhooks which are used in malware.