# Win_Rootkit

**Repository Path**: ydhcui/Win_Rootkit

## Basic Information

- **Project Name**: Win_Rootkit
- **Description**: A kernel-mode rootkit with remote control
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 1
- **Created**: 2021-06-10
- **Last Updated**: 2021-06-10

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# Win_Rootkit
A kernel-mode rootkit with remote control that utilizes C++ Runtime in it's driver.         
Uses DKOM and IRP Hooks.             
Hiding Processes, token manipulation , hiding tcp network connections by port...

### Hiding TCP network connections:
![ezgif-6-8cefc9a805ab](https://user-images.githubusercontent.com/60041914/87465040-c1247f80-c61c-11ea-8869-80fbb301cdf2.gif)

### Hiding Processes:
![hide](https://user-images.githubusercontent.com/60041914/86835571-fc670180-c0a4-11ea-9f0f-35b1a1eac1ff.gif)

### Process elevation (token manipulation):
![elev](https://user-images.githubusercontent.com/60041914/86833920-da6c7f80-c0a2-11ea-9f6d-9ce15bbbdc5d.gif)

Tested on Windows 7 SP 1

### Features
- [x] Elevate Process privillages to NT AUTHORITY\SYSTEM by token manipulation
- [x] Hide process by unlinking from ActiveProcessLinks
- [x] Remote command execution
- [x] A remote keylogger
- [x] Dropper
- [x] TCP connection hiding by port (IRP hooking)