shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation while leveraging Rustβs safety and performance features. This project is intended for educational and research purposes.
The project also provides useful crates for developing rootkits, such as shadowx, which consolidates core logic and essential techniques. It includes rootkit-specific tricks, with plans for additional features in future updates.
The documentation on how to execute CLI commands can be found on the Wiki
- Legal notice
- Features
- Installation
- Supported Platforms
- Build Instructions
- Setup Instructions
- Contributing to shadow-rs
- References
- License
Important
This project is under development. This project is for educational and research purposes. Malicious use of the software is strictly prohibited and discouraged. I am not responsible for any damage caused by improper use of the software.
- β Process (Hide / Unhide)
- β Process Signature (PP / PPL)
- β Process Protection (Anti-Kill / Dumping)
- β Elevate Process to System
- β Terminate Process
- β Lists protected and hidden processes currently on the system
- β Thread (Hide / Unhide)
- β Thread Protection (Anti-Kill)
- β Lists protected and hidden threads currently on the system
- β Driver (Hide / Unhide)
- β Enumerate Driver
-
Driver Signature Enforcement (DSE)
- β DSE (Enable / Disable)
-
Keylogger
- β Enable Keylogger
-
ETWTI
- β ETWTI (Enable / Disable)
- β
List / Remove / Restore Callbacks
- PsSetCreateProcessNotifyRoutine
- PsSetCreateThreadNotifyRoutine
- PsSetLoadImageNotifyRoutine
- CmRegisterCallbackEx
- ObRegisterCallbacks (PsProcessType / PsThreadType)
- β Listing currently removed callbacks
- β Ports (Hide / Unhide)
- β Hide Module
- β Enumerate Module
- β Key and Values (Hide / Unhide)
- β Registry Protection (Anti-Deletion e Overwriting)
- β Process Injection - Shellcode (ZwCreateThreadEx)
- β Process Injection - DLL (ZwCreateThreadEx)
- β APC Injection - Shellcode
- β Windows 10 / 11 (x64)
To build the project, ensure you have the Rust toolchain installed.
To build the driver, first go to the driver folder and then run the following command (When you do the first build you have to be as administrator, but after that you won't need to):
cargo make default --releaseThis driver can be mapped using kdmapper among other exploit tools, for example, to put mapping support, use the command:
cargo make default --release --features mapperTo build the client, first go into the client folder, then run the following command:
cargo build --releaseSince some features of the rootkit are not supported due to the controller mapping, use the following command to build the client with only the commands that can be executed with the mapping:
cargo build --release --features mapperbcdedit /set testsigning on
bcdedit /debug on
bcdedit /dbgsettings net hostip:<IP> port:<PORT>
You can use Service Control Manager or OSR Driver Loader to load your driver.
To contribute to shadow-rs, follow these steps:
- Fork this repository.
- Create a branch:
git checkout -b <branch_name>. - Make your changes and confirm them:
git commit -m '<commit_message>'. - Send to the original branch:
git push origin <project_name> / <local>. - Create the pull request.
Alternatively, consult the GitHub documentation on how to create a pull request.
- https://leanpub.com/windowskernelprogrammingsecondedition
- https://www.youtube.com/watch?v=t7Rx3crobZU&pp=ugMICgJwdBABGAHKBRBibGFja2hhdCByb290a2l0
- https://github.com/memN0ps/eagle-rs
- https://www.amazon.com/Rootkits-Bootkits-Reversing-Malware-Generation/dp/1593277164
- https://github.com/Idov31/Nidhogg
- https://www.unknowncheats.me/
- https://www.amazon.com.br/Rootkit-Arsenal-Escape-Evasion-Corners/dp/144962636X
- https://github.com/eversinc33/Banshee
- https://synzack.github.io/Blinding-EDR-On-Windows/
- https://github.com/JKornev/hidden
- https://www.amazon.com.br/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319
- https://github.com/mirror/reactos
- https://github.com/Kharos102/ReadWriteDriverSample
- https://imphash.medium.com/windows-process-internals-a-few-concepts-to-know-before-jumping-on-memory-forensics-part-4-16c47b89e826
This project is licensed under the MIT License