Nidhogg is an all-in-one simple to use windows kernel rootkit.

Now You See Me, Now You Don't

Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation.

Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality.

A x64 Windows Rootkit using SSDT or Hypervisor hook

Experimental Windows x64 Kernel Rootkit with anti-rootkit evasion features.

InfinityHookPro Win7 -> Win11 latest

Load your driver like win32k.sys

Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.

Windows x64 kernel mode rootkit process hollowing POC.

user-mode Rootkit

Resolve DOS MZ executable symbols at runtime

Hidden kernel mode code execution for bypassing modern anti-rootkits.

Bypassing code hooks detection in modern anti-rootkits via building faked PTE entries.

简单安排一下 autochk.sys 这个rootkit

POC Ring3 Windows Rootkit (x86 / x64) - Hide processes and files

NidhoggScript is a tool to generate "script" file that allows execution of multiple commands for Nidhogg

A poc that abuses Enclave

This is a demo project to illustrate the way to verify and restore original SST in case of some malware hooks

Expanding Kernel Lazy Importer