Skip to content

A Windows kernel-mode rootkit that abuses legitimate communication channels to control a machine.

License

Notifications You must be signed in to change notification settings

D4stiny/spectre

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Spectre Rootkit Logo

Welcome to the Spectre Rootkit, a proof-of-concept Windows kernel-mode rootkit I wrote with the hopes of demystifying the Windows kernel for red team usage. The Spectre Rootkit abuses legitimate communication channels in order to receive commands from a C2. You can read more about how it works here. This project was the focus of my talk, "Demystifying Modern Windows Rootkits", presented at both Black Hat USA 2020 and DEF CON 28.

Getting Started

Please see the Getting Started section of the wiki.

Components

Here are the projects inside the Spectre Rootkit solution.

  • spectre-kernel - The core driver project for the rootkit.
  • spectre-cli - The CLI utility used from the C2 to control an infected machine.
  • spectre-stager - The staging utility used to load the rootkit on a victim machine.
  • spectre-stager-util - Takes the built driver file and converts it into a XOR-obfuscated header for use by the spectre-stager.

Motivation

The primary motivation for this project was because of the lack of examples for Windows rootkits. You'll often find examples of red team tooling that lies in user-mode, but the amount of kernel-mode red team tooling is sparse. This project is meant to act as a point of reference, specifically to show one-way of approaching the problem of writing a rootkit. Not only did I want to write a rootkit to assist in the development of future red team tooling, but the secondary purpose of this project was to challenge myself by exploring parts of the kernel that aren't well-documented and researching novel techniques I could apply to the rootkit. You'll find that the code base follows a strict code style and is heavily documented.

Notable Tricks and Techniques

The Spectre Rootkit is made up of several tricks and techniques, here are a few of the noteworthy ones:

Thanks

Some well deserved thanks go to...

  1. Alex Ionescu - Long-time mentor and Windows internals expert.
  2. ReactOS Project - An incredible reference about the internals of the Windows kernel.
  3. Nemanja Mulasmajic - Gave the idea for the NtFunctionResolver component of the rootkit.

Licensing

Interested in a special license? Contact me at billdemirkapi (AT) gmail (DOT) com.

About

A Windows kernel-mode rootkit that abuses legitimate communication channels to control a machine.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published