# Win_Rootkit

**Repository Path**: ydhcui/Win_Rootkit

## Basic Information

- **Project Name**: Win_Rootkit
- **Description**: A kernel-mode rootkit with remote control
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 1
- **Created**: 2021-06-10
- **Last Updated**: 2021-06-10

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# Win_Rootkit

A kernel-mode rootkit with remote control whose driver uses the C++ runtime. It relies on DKOM (direct kernel object manipulation) and IRP hooks to hide processes, manipulate process tokens, and hide TCP network connections by port.

### Hiding TCP network connections:

![ezgif-6-8cefc9a805ab](https://user-images.githubusercontent.com/60041914/87465040-c1247f80-c61c-11ea-8869-80fbb301cdf2.gif)

### Hiding Processes:

![hide](https://user-images.githubusercontent.com/60041914/86835571-fc670180-c0a4-11ea-9f0f-35b1a1eac1ff.gif)

### Process elevation (token manipulation):

![elev](https://user-images.githubusercontent.com/60041914/86833920-da6c7f80-c0a2-11ea-9f6d-9ce15bbbdc5d.gif)

Tested on Windows 7 SP1 only. The EPROCESS field offsets that DKOM depends on are specific to the Windows build, so other versions should not be expected to work without adjustment.

### Features

- [x] Elevate process privileges to NT AUTHORITY\SYSTEM by token manipulation
- [x] Hide process by unlinking it from ActiveProcessLinks
- [x] Remote command execution
- [x] A remote keylogger
- [x] Dropper
- [x] TCP connection hiding by port (IRP hooking)
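The two DKOM features above (unlinking from ActiveProcessLinks, and elevation by token manipulation) reduce to a handful of pointer writes on the process object, and the same model shows why a cross-view check still finds the hidden process. The following is an added example, not code from this repository: a user-mode C model in which `EPROCESS`, `TOKEN`, `PsActiveProcessHead` and the PID table are constructed stand-ins carrying only the fields the technique touches (the real layouts are undocumented, build-specific, and the real `Token` field is an `EX_FAST_REF` with a packed reference count). The process list and SIDs are constructed sample data.

```c
/* Added example: user-mode model of DKOM process hiding and token swapping.
 * Not the project's driver code; structs are simplified stand-ins for the
 * real, build-specific EPROCESS / PspCidTable layouts. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PIDS   256
#define SYSTEM_PID 4
#define SYSTEM_SID "S-1-5-18"            /* NT AUTHORITY\SYSTEM */

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { const char *Sid; } TOKEN;

typedef struct {
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;       /* links every process into PsActiveProcessHead */
    TOKEN     *Token;                    /* real field: EX_FAST_REF, low bits hold a refcount */
    char       ImageFileName[16];
} EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static LIST_ENTRY PsActiveProcessHead;
static EPROCESS   g_procs[MAX_PIDS];
static EPROCESS  *PidTable[MAX_PIDS];    /* stand-in for PspCidTable, indexed by PID */
static TOKEN      g_systemToken = { SYSTEM_SID };
static TOKEN      g_userToken   = { "S-1-5-21-1000-1001-1002-1001" };  /* constructed SID */

static void CreateProcessEntry(uint32_t pid, const char *name, TOKEN *tok) {
    EPROCESS *p = &g_procs[pid];
    p->UniqueProcessId = pid;
    p->Token = tok;
    strncpy(p->ImageFileName, name, sizeof(p->ImageFileName) - 1);
    p->ImageFileName[sizeof(p->ImageFileName) - 1] = '\0';
    LIST_ENTRY *e = &p->ActiveProcessLinks, *last = PsActiveProcessHead.Blink;  /* InsertTailList */
    e->Flink = &PsActiveProcessHead; e->Blink = last;
    last->Flink = e; PsActiveProcessHead.Blink = e;
    PidTable[pid] = p;
}

/* Constructed scenario: System, explorer.exe and the implant. Returns the process count. */
int BuildScenario(void) {
    memset(g_procs, 0, sizeof g_procs);
    memset(PidTable, 0, sizeof PidTable);
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    CreateProcessEntry(SYSTEM_PID, "System", &g_systemToken);
    CreateProcessEntry(100, "explorer.exe", &g_userToken);
    CreateProcessEntry(200, "implant.exe", &g_userToken);
    return 3;
}

/* Rootkit step 1: unlink from ActiveProcessLinks. Neighbours are pointed at each
 * other, then the entry is pointed at itself so the kernel's own RemoveEntryList
 * on process exit does not write through stale pointers. */
int HidePid(uint32_t pid) {
    if (pid >= MAX_PIDS || !PidTable[pid]) return 0;
    LIST_ENTRY *e = &PidTable[pid]->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
    return 1;
}

/* Rootkit step 2: token stealing. Point the target's Token at the SYSTEM
 * process's token so its threads run as NT AUTHORITY\SYSTEM. */
int ElevatePid(uint32_t pid) {
    if (pid >= MAX_PIDS || !PidTable[pid] || !PidTable[SYSTEM_PID]) return 0;
    PidTable[pid]->Token = PidTable[SYSTEM_PID]->Token;
    return 1;
}

const char *TokenSidOf(uint32_t pid) {
    return (pid < MAX_PIDS && PidTable[pid]) ? PidTable[pid]->Token->Sid : "";
}

/* Defender view 1: the list walk that process enumeration relies on. */
int IsListed(uint32_t pid) {
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink)
        if (CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId == pid) return 1;
    return 0;
}

int CountListedProcesses(void) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) n++;
    return n;
}

/* Defender view 2: cross-view detection. A PID reachable through the PID table
 * but absent from the list walk has been unlinked. Writes PIDs to out[], returns count. */
int FindHiddenPids(uint32_t *out, int cap) {
    int n = 0;
    for (uint32_t pid = 0; pid < MAX_PIDS; pid++)
        if (PidTable[pid] && !IsListed(pid)) { if (n < cap) out[n] = pid; n++; }
    return n;
}

int FirstHiddenPid(void) { uint32_t pid = 0; return FindHiddenPids(&pid, 1) ? (int)pid : -1; }

int main(void) {
    uint32_t hidden[MAX_PIDS];
    BuildScenario();
    HidePid(200);
    ElevatePid(200);
    printf("list walk sees %d processes\n", CountListedProcesses());
    int n = FindHiddenPids(hidden, MAX_PIDS);
    for (int i = 0; i < n; i++)
        printf("hidden: pid %u (%s) now runs with token %s\n", hidden[i],
               PidTable[hidden[i]]->ImageFileName, TokenSidOf(hidden[i]));
    return 0;
}
```

The self-referencing `Flink`/`Blink` after unlinking is the detail that separates a stable hide from a blue screen at process exit; the cross-view walk is the standard counter to it, because the handle-table index is what the scheduler and object manager actually use and cannot be unlinked without breaking the process.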
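The TCP-hiding feature works differently from the DKOM features: nothing in the kernel's connection table is changed; instead the driver's dispatch entry for device-control requests is replaced, and the rows returned to the caller are filtered by port. The following is an added example, not code from this repository: a user-mode C model in which `IRP`, `DRIVER_OBJECT`, the `IOCTL_QUERY_TCP_TABLE` code and the connection table are constructed stand-ins. Which device and IOCTL actually carry the TCP table depends on the Windows version, and the README does not say; the model keeps the mechanism (swap a `MajorFunction` pointer, pass the request down, rewrite the output buffer and its length) without claiming a particular device name.

```c
/* Added example: user-mode model of hiding TCP connections by port via an
 * IRP_MJ_DEVICE_CONTROL hook. Not the project's driver code; IRP, DRIVER_OBJECT,
 * the IOCTL code and the connection table are constructed stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_DEVICE_CONTROL   0x0e      /* real major-function index */
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
#define IOCTL_QUERY_TCP_TABLE   0x120003  /* HYPOTHETICAL control code for this model */
#define STATUS_SUCCESS          0
#define STATUS_BUFFER_TOO_SMALL (-1)

typedef struct { uint16_t LocalPort; uint16_t RemotePort; uint32_t State; } TCP_ROW;

typedef struct {                 /* the IRP fields a device-control hook inspects */
    uint32_t IoControlCode;
    void    *SystemBuffer;       /* METHOD_BUFFERED output buffer */
    uint32_t OutputBufferLength;
    uint32_t Information;        /* bytes written; set by the driver on completion */
} IRP;

typedef int (*PDRIVER_DISPATCH)(IRP *);
typedef struct { PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; } DRIVER_OBJECT;

/* Constructed kernel-side table: what the legitimate driver reports (state 2 = LISTEN, 5 = ESTABLISHED). */
static const TCP_ROW kKernelTable[] = {
    { 135, 0, 2 }, { 445, 0, 2 }, { 4444, 0, 2 }, { 3389, 0, 2 }, { 4444, 51000, 5 },
};
#define KERNEL_ROWS (sizeof kKernelTable / sizeof kKernelTable[0])

/* The legitimate dispatch routine. */
static int TcpipDeviceControl(IRP *irp) {
    if (irp->IoControlCode != IOCTL_QUERY_TCP_TABLE) return STATUS_SUCCESS;
    if (irp->OutputBufferLength < sizeof kKernelTable) return STATUS_BUFFER_TOO_SMALL;
    memcpy(irp->SystemBuffer, kKernelTable, sizeof kKernelTable);
    irp->Information = sizeof kKernelTable;
    return STATUS_SUCCESS;
}

static DRIVER_OBJECT    g_tcpip;
static PDRIVER_DISPATCH g_originalDeviceControl;
static uint16_t         g_hiddenPort;

/* Rootkit: hooked dispatch. Pass the IRP down, then compact the result buffer so
 * rows touching the hidden port vanish and Information shrinks to match. In a real
 * driver the rewrite runs in an IoCompletionRoutine, because the buffer is only
 * filled once the lower driver completes the IRP. */
static int HookedDeviceControl(IRP *irp) {
    int status = g_originalDeviceControl(irp);
    if (status != STATUS_SUCCESS || irp->IoControlCode != IOCTL_QUERY_TCP_TABLE) return status;
    TCP_ROW *rows = (TCP_ROW *)irp->SystemBuffer;
    uint32_t n = irp->Information / sizeof(TCP_ROW), kept = 0;
    for (uint32_t i = 0; i < n; i++)
        if (rows[i].LocalPort != g_hiddenPort && rows[i].RemotePort != g_hiddenPort)
            rows[kept++] = rows[i];
    memset(rows + kept, 0, (n - kept) * sizeof(TCP_ROW));  /* leave no stale rows past the end */
    irp->Information = kept * sizeof(TCP_ROW);
    return status;
}

int InitDriverObject(void) {
    memset(&g_tcpip, 0, sizeof g_tcpip);
    g_tcpip.MajorFunction[IRP_MJ_DEVICE_CONTROL] = TcpipDeviceControl;
    g_originalDeviceControl = NULL;
    return 1;
}

int InstallHook(uint16_t port) {
    if (g_originalDeviceControl) return 0;          /* already hooked */
    g_hiddenPort = port;
    g_originalDeviceControl = g_tcpip.MajorFunction[IRP_MJ_DEVICE_CONTROL];
    g_tcpip.MajorFunction[IRP_MJ_DEVICE_CONTROL] = HookedDeviceControl;  /* kernel: InterlockedExchangePointer */
    return 1;
}

int RemoveHook(void) {
    if (!g_originalDeviceControl) return 0;
    g_tcpip.MajorFunction[IRP_MJ_DEVICE_CONTROL] = g_originalDeviceControl;
    g_originalDeviceControl = NULL;
    return 1;
}

/* Caller side: the path a netstat-style query takes. Returns rows written to out[], or -1. */
int QueryTcpTable(TCP_ROW *out, uint32_t cap) {
    IRP irp = { IOCTL_QUERY_TCP_TABLE, out, (uint32_t)(cap * sizeof(TCP_ROW)), 0 };
    if (g_tcpip.MajorFunction[IRP_MJ_DEVICE_CONTROL](&irp) != STATUS_SUCCESS) return -1;
    return (int)(irp.Information / sizeof(TCP_ROW));
}

int CountConnections(void) { TCP_ROW rows[KERNEL_ROWS]; return QueryTcpTable(rows, KERNEL_ROWS); }

int CountConnectionsOnPort(uint16_t port) {
    TCP_ROW rows[KERNEL_ROWS];
    int n = QueryTcpTable(rows, KERNEL_ROWS), hits = 0;
    for (int i = 0; i < n; i++) if (rows[i].LocalPort == port) hits++;
    return hits;
}

/* Defender check: the model compares against the known routine; on a live system the
 * equivalent test is whether each MajorFunction pointer falls inside the owning driver's image. */
int IsDispatchHooked(void) {
    return g_tcpip.MajorFunction[IRP_MJ_DEVICE_CONTROL] != TcpipDeviceControl;
}

int main(void) {
    InitDriverObject();
    printf("before hook: %d rows, hooked=%d\n", CountConnections(), IsDispatchHooked());
    InstallHook(4444);
    printf("after hook : %d rows (port 4444: %d), hooked=%d\n",
           CountConnections(), CountConnectionsOnPort(4444), IsDispatchHooked());
    return 0;
}
```

Because the filter runs on the output buffer rather than on kernel state, the hidden listener keeps accepting connections; tooling that reads the table through a different path than the hooked dispatch (or that checks the dispatch table against the driver's image range, as `IsDispatchHooked` models) still sees the port.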