  • Stars: 841
  • Rank: 54,194 (Top 2%)
  • Language: C++
  • Created over 1 year ago
  • Updated 2 months ago


Repository Details

Now You See Me, Now You Don't

Chaos-Rootkit


  • Chaos-Rootkit is an x64 ring 0 rootkit with process hiding, privilege escalation, and the ability to protect and unprotect processes. It works on current Windows versions, but relies on hardcoded structure offsets that are build-specific (see Technical Details).

Features

  • Hide process: removes a process from listing tools by unlinking it from the kernel's active-process list (DKOM).

  • Elevate the privileges of a specific process: replaces the token of a process chosen by PID.

  • Spawn an elevated process: launches a command prompt with elevated privileges.

  • Unprotect all processes: strips protected-process status from every process.

  • Protect a specific process with any given protection level (WinSystem, WinTcb, Windows, Authenticode, Lsa, Antimalware).

Technical Details

  • First, we locate ActiveProcessLinks, the LIST_ENTRY embedded in every _EPROCESS that links the process into the kernel's active-process list. On the build used here it sits at offset 0x448 within _EPROCESS. This offset varies across Windows versions (the table below collects known values), so check it for the target build with `dt nt!_EPROCESS ActiveProcessLinks` in WinDbg, with symbols loaded, before relying on it.

    ActiveProcessLinks offset within _EPROCESS by kernel version (NT 5.2 = XP x64/Server 2003, 6.0 = Vista, 6.1 = 7, 6.2/6.3 = 8/8.1, 10.0 followed by a build = Windows 10):

    x64                         x86
    ----------------------      -----------------------
    0xE0    (late 5.2)          0xB4   (3.10)
    0xE8    (6.0)               0x98   (3.50 to 4.0)
    0x0188  (6.1)               0xA0   (5.0)
    0x02E8  (6.2 to 6.3)        0x88   (5.1 to early 5.2)
    0x02F0  (10.0 to 1607)      0x98   (late 5.2)
    0x02E8  (1703 to 1809)      0xA0   (6.0)
    0x02F0  (1903)              0xB8   (6.1 to 1903)
    0x0448                      0xE8

    The last row carries no version label in the original; 0x0448 is the x64 value the author observed on the tested build.
  • LIST_ENTRY (PLIST_ENTRY is the pointer type) is the kernel's doubly linked list node. It has two members, Flink and Blink, which point to the next and previous entries respectively and allow traversal of the list in both directions. Every process's _EPROCESS is linked through this member into one circular list headed by nt!PsActiveProcessHead, so walking Flink from the head visits every active process.

  • Flink lives at offset 0x0 of the LIST_ENTRY and Blink at offset 0x8 (x64). In the WinDbg dump, Flink = 0xffff9c8b`071e3488 points to the next process's entry, while Blink = 0xfffff805`5121e0a0 points to the previous one. Note that each pointer targets the neighbour's ActiveProcessLinks field, not the start of its _EPROCESS; subtract the member offset (CONTAINING_RECORD) to reach the _EPROCESS. An address such as 0xfffff805`5121e0a0 lies in the ntoskrnl image rather than in pool, so this entry's predecessor is the list head nt!PsActiveProcessHead, i.e. the dump shows the first process in the list.

    (Figure in the original: WinDbg dump and a diagram of the LIST_ENTRY structure.)

  • To hide the chosen process from listing tools we unlink its node from the list: the previous node's Flink is pointed at the next node and the next node's Blink at the previous node, so a walk from PsActiveProcessHead never reaches our _EPROCESS. Tools that enumerate processes through this list (NtQuerySystemInformation with SystemProcessInformation, and therefore Task Manager and Process Explorer) no longer see it. The process itself keeps running: it remains in the PID table (PspCidTable) and can still be opened by PID, which is the discrepancy cross-view detection tools look for.


  • Note: after unlinking the node, set its own Flink and Blink to NULL instead of leaving them pointing at the old neighbours. When the hidden process later exits, PspDeleteProcess removes the entry from the list through the entry's own pointers (Flink->Blink = Blink; Blink->Flink = Flink), and skips that step when Flink is NULL, the state of a process that was never inserted. With stale pointers the removal writes into neighbours that may already have exited and been freed, and relinks their memory into the list, which produces the Blue Screen of Death shown in the original screenshot.

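A user-mode C model of the unlink and of the exit-time hazard described in the preceding bullets. This is an added example, not Chaos-Rootkit's code: LIST_ENTRY, CONTAINING_RECORD and RemoveEntryList are written out the way ntoskrnl defines them, the _EPROCESS layout is a mock (the real 0x448 offset is not used), the PIDs are constructed, and psp_delete_process_unlink is an assumption that models the NULL-Flink check the README's fix relies on.

```c
/* Added example (not Chaos-Rootkit code): user-mode model of the
 * ActiveProcessLinks unlink (DKOM) and of why the unlinked entry's own
 * pointers must be cleared. Mock layout; real offsets are not used. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;      /* next entry     (+0x0) */
    struct _LIST_ENTRY *Blink;      /* previous entry (+0x8 on x64) */
} LIST_ENTRY;

/* Mock of the few EPROCESS fields the walk needs (assumption, not the real layout). */
typedef struct _MOCK_EPROCESS {
    unsigned char Pad[0x40];
    unsigned long UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;  /* embedded LIST_ENTRY, not a pointer */
    int Freed;                      /* simulation flag: object has been released */
} MOCK_EPROCESS;

/* Same arithmetic the kernel uses to get from a list entry back to its object. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *Head) { Head->Flink = Head->Blink = Head; }

static void InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry) {
    LIST_ENTRY *Last = Head->Blink;
    Entry->Flink = Head; Entry->Blink = Last;
    Last->Flink = Entry; Head->Blink = Entry;
}

/* Unlink through the entry's own pointers, as the kernel does. */
static void RemoveEntryList(LIST_ENTRY *Entry) {
    LIST_ENTRY *Next = Entry->Flink, *Prev = Entry->Blink;
    Next->Blink = Prev;
    Prev->Flink = Next;
}

/* Model of the unlink PspDeleteProcess performs on process exit: skipped when
 * Flink is NULL (assumption matching the README's observation). */
static void psp_delete_process_unlink(LIST_ENTRY *E) {
    if (E->Flink != NULL) RemoveEntryList(E);
}

/* DKOM hide: make the neighbours skip this entry. With clear_links == 0 the
 * entry keeps pointing at its old neighbours (the bug the README warns about). */
static void hide_process(MOCK_EPROCESS *P, int clear_links) {
    LIST_ENTRY *E = &P->ActiveProcessLinks;
    E->Flink->Blink = E->Blink;
    E->Blink->Flink = E->Flink;
    if (clear_links) { E->Flink = NULL; E->Blink = NULL; }
}

/* Walk like a listing tool: count entries until we are back at the head. */
static int count_visible(LIST_ENTRY *Head) {
    int n = 0;
    for (LIST_ENTRY *E = Head->Flink; E != Head; E = E->Flink) n++;
    return n;
}

/* Integrity check: every link mutual, and no freed object reachable. */
static int list_is_consistent(LIST_ENTRY *Head) {
    for (LIST_ENTRY *E = Head->Flink; E != Head; E = E->Flink) {
        MOCK_EPROCESS *P = CONTAINING_RECORD(E, MOCK_EPROCESS, ActiveProcessLinks);
        if (P->Freed || E->Flink->Blink != E || E->Blink->Flink != E) return 0;
    }
    return 1;
}

/* Scenario: hide PID 1234, let its old next neighbour exit and be freed, then
 * let the hidden process exit. Returns 1 if the list survives, 0 if it is
 * corrupted (the state that bugchecks on a real kernel). */
static int hide_then_exit_scenario(int clear_links) {
    LIST_ENTRY Head; MOCK_EPROCESS Procs[4];
    InitializeListHead(&Head);
    memset(Procs, 0, sizeof Procs);
    for (int i = 0; i < 4; i++) {
        Procs[i].UniqueProcessId = (i == 2) ? 1234 : 4 + 4 * i;   /* constructed PIDs */
        InsertTailList(&Head, &Procs[i].ActiveProcessLinks);
    }
    hide_process(&Procs[2], clear_links);
    if (count_visible(&Head) != 3) return 0;             /* hidden entry no longer listed */

    psp_delete_process_unlink(&Procs[3].ActiveProcessLinks);  /* old neighbour exits... */
    Procs[3].Freed = 1;                                        /* ...and its EPROCESS is released */
    psp_delete_process_unlink(&Procs[2].ActiveProcessLinks);  /* hidden process exits */
    return list_is_consistent(&Head);
}

int main(void) {
    printf("links cleared  : %s\n", hide_then_exit_scenario(1) ? "list intact" : "CORRUPTED");
    printf("stale pointers : %s\n", hide_then_exit_scenario(0) ? "list intact" : "CORRUPTED");
    return 0;
}
```

Run it and the stale-pointer variant reports a corrupted list: the hidden entry's exit writes into the freed neighbour and relinks it into the chain, exactly the situation that surfaces as a bugcheck in the original's screenshot.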

Elevate process privileges

  • When a process is created it receives a primary token derived from its parent's, normally a copy of the creating user's token. The kernel uses this token to decide what the process may do: it holds the user's security identifier (SID), group memberships, and privileges.


  • The Token member of _EPROCESS (the kernel object that represents a process) is at offset 0x4b8 on the build the author tested. Its type is _EX_FAST_REF, a union that overlays a pointer to the token object with a small reference count kept in the pointer's low bits: token objects are 16-byte aligned on x64, so the low 4 bits of the pointer are always zero and are reused as RefCnt, while the whole 64-bit field is exposed as Value. The offset of Token within _EPROCESS depends on the Windows build; 0x4b8 holds on the recent builds the author tested and must be confirmed per build (`dt nt!_EPROCESS Token` in WinDbg).

  • Token offset within _EPROCESS by kernel version, x64 and x86 (NT 5.2 = XP x64/Server 2003, 6.0 = Vista, 6.1 = 7, 6.2/6.3 = 8/8.1, 10.0 followed by a build = Windows 10):

    x64                        x86
    ----------------------     -----------------------
    0x0160  (late 5.2)         0x0150  (3.10)
    0x0168  (6.0)              0x0108  (3.50 to 4.0)
    0x0208  (6.1)              0x012C  (5.0)
    0x0348  (6.2 to 6.3)       0xC8    (5.1 to early 5.2)
    0x0358  (10.0 to 1809)     0xD8    (late 5.2)
    0x0360  (1903)             0xE0    (6.0)
    0x04B8                     0xF8    (6.1)
                               0xEC    (6.2 to 6.3)
                               0xF4    (10.0 to 1607)
                               0xFC    (1703 to 1903)
                               0x012C

    The two unlabelled rows carry no version label in the original; 0x04B8 is the x64 value the author observed on the tested build.


  • In WinDbg, `dt nt!_EX_FAST_REF` shows three members, all at offset 0: Object (the pointer), RefCnt (the low 4 bits on x64) and Value (the whole 64-bit word).


  • You can either spawn a new privileged process or elevate an already running process by PID.

  • For this walkthrough we take the second option and use cmd.exe as the example.

  • cmd.exe's inherited token (before): the token of the user who launched it.

  • The user-mode client sends the target process ID to the driver through an IOCTL.

  • After the driver receives the PID from the user-mode application, it resolves it to a pointer to the target's _EPROCESS (typically via PsLookupProcessByProcessId). It then reads the Token member of that _EPROCESS and overwrites it with the System process's token, which changes the target's security context to SYSTEM. Because the driver uses a fixed offset, if the Token member is not at 0x4b8 on the running build the write lands on some other field and may crash the system or the target process; the author notes this will be fixed in a later update. Until then, confirm the offset for your build (`dt nt!_EPROCESS Token` in WinDbg) before loading the driver.

  • cmd.exe's token after the swap (screenshot in the original).

  • The process's privileges, groups and rights after the swap (screenshot in the original).
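A user-mode C model of the token swap described above, covering both the _EX_FAST_REF layout and the driver-side overwrite. This is an added example, not Chaos-Rootkit's code: the _EPROCESS and _TOKEN layouts are mocks (the real 0x4b8 offset is not hardcoded), the token ids and PIDs are constructed, and the 16-byte alignment of token objects is what makes the low 4 bits available as RefCnt.

```c
/* Added example (not Chaos-Rootkit code): model of _EX_FAST_REF and of the
 * raw token-pointer swap. Layouts are mocks; offsets are not hardcoded. */
#include <stdint.h>
#include <stdio.h>

/* Mirrors ntoskrnl's x64 _EX_FAST_REF: Object, RefCnt and Value overlap at
 * offset 0. Token objects are 16-byte aligned, so the low 4 bits of the
 * pointer are free for a cached reference count (3 bits on x86). */
typedef union _EX_FAST_REF {
    void     *Object;
    unsigned  RefCnt : 4;       /* low 4 bits on little-endian x64 */
    uint64_t  Value;
} EX_FAST_REF;

#define EX_FAST_REF_MASK 0xFULL

typedef struct _MOCK_TOKEN {      /* constructed stand-in for _TOKEN */
    uint64_t    TokenId;
    const char *User;
} MOCK_TOKEN;

typedef struct _MOCK_EPROCESS {   /* constructed stand-in for _EPROCESS */
    uint64_t    UniqueProcessId;
    EX_FAST_REF Token;            /* the field the driver overwrites */
} MOCK_EPROCESS;

/* Strip the reference bits to recover the real object pointer. */
static MOCK_TOKEN *ex_fast_ref_object(EX_FAST_REF ref) {
    return (MOCK_TOKEN *)(uintptr_t)(ref.Value & ~EX_FAST_REF_MASK);
}

static unsigned ex_fast_ref_refcnt(EX_FAST_REF ref) {
    return (unsigned)(ref.Value & EX_FAST_REF_MASK);
}

/* Pack an aligned object pointer and a cached reference count into one word. */
static EX_FAST_REF ex_fast_ref_make(MOCK_TOKEN *obj, unsigned refcnt) {
    EX_FAST_REF r;
    r.Value = ((uint64_t)(uintptr_t)obj) | (refcnt & EX_FAST_REF_MASK);
    return r;
}

/* The driver-side step: copy System's Token word into the target _EPROCESS.
 * The whole Value is copied, cached reference bits included. Returns the
 * TokenId the target now reports, for checking. */
static uint64_t steal_token(MOCK_EPROCESS *target, const MOCK_EPROCESS *system_proc) {
    target->Token.Value = system_proc->Token.Value;
    return ex_fast_ref_object(target->Token)->TokenId;
}

/* Scenario: SYSTEM (PID 4, constructed token id 0x3e7, two cached refs) and
 * cmd.exe (constructed PID 6160, token id 0x1234). */
static uint64_t token_swap_scenario(void) {
    static _Alignas(16) MOCK_TOKEN system_tok = { 0x3e7,  "NT AUTHORITY\\SYSTEM" };
    static _Alignas(16) MOCK_TOKEN cmd_tok    = { 0x1234, "DESKTOP\\user" };
    MOCK_EPROCESS system_proc, cmd_proc;
    system_proc.UniqueProcessId = 4;
    system_proc.Token = ex_fast_ref_make(&system_tok, 2);
    cmd_proc.UniqueProcessId = 6160;
    cmd_proc.Token = ex_fast_ref_make(&cmd_tok, 0);
    return steal_token(&cmd_proc, &system_proc);
}

/* Shows that the low bits are a count, not part of the address: the raw
 * Object pointer differs from the real token address until masked. */
static int fast_ref_roundtrip_ok(void) {
    static _Alignas(16) MOCK_TOKEN t = { 0x99, "test" };
    EX_FAST_REF r = ex_fast_ref_make(&t, 7);
    return ex_fast_ref_object(r) == &t
        && ex_fast_ref_refcnt(r) == 7
        && r.Object != (void *)&t;
}

int main(void) {
    printf("cmd.exe token id after swap: 0x%llx\n",
           (unsigned long long)token_swap_scenario());
    printf("fast-ref decode round-trip : %s\n", fast_ref_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Two practical points the model makes visible: a raw Value copy hands the target a token the target never took a reference on (and leaks the reference held on its old token), so implementations that care about reference balance obtain the token with PsReferencePrimaryToken rather than copying the word; and any code that reads the target's token pointer must mask off the RefCnt bits first, otherwise it dereferences a misaligned address.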

DEMO

Demo video: 2023-03-24.17-42-38.mp4
