AI prompts
base on PoCs for Kernelmode rootkit techniques research. # VectorKernel
PoCs for Kernelmode rootkit techniques research or education.
Currently focusing on Windows OS.
All modules support x64 family 64bit OS only.
## Environment
All modules are tested in Windows 11 x64.
To test drivers, following options can be used for the testing machine:
1. [Enable Loading of Test Signed Drivers](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option)
2. [Setting Up Kernel-Mode Debugging](https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-kernel-mode-debugging-in-windbg--cdb--or-ntsd)
Each options require to disable secure boot.
## Modules
Detailed information is given in README.md in each project's directories.
All modules are tested in Windows 11.
| Module Name | Description |
| :--- | :--- |
| [BlockImageLoad](./BlockImageLoad/) | PoCs to block driver loading with Load Image Notify Callback method. |
| [BlockNewProc](./BlockNewProc/) | PoCs to block new process with Process Notify Callback method. |
| [CreateToken](./CreateToken/) | PoCs to get full privileged SYSTEM token with `ZwCreateToken()` API. |
| [DropProcAccess](./DropProcAccess/) | PoCs to drop process handle access with Object Notify Callback. |
| [ElevateHandle](./ElevateHandle/) | PoCs to elevate handle access with DKOM method. |
| [GetFullPrivs](./GetFullPrivs/) | PoCs to get full privileges with DKOM method. |
| [GetProcHandle](./GetProcHandle/) | PoCs to get full access process handle from kernelmode. |
| [InjectLibrary](./InjectLibrary/) | PoCs to perform DLL injection with Kernel APC Injection method. |
| [ModHide](./ModHide/) | PoCs to hide loaded kernel drivers with DKOM method. |
| [ProcHide](./ProcHide/) | PoCs to hide process with DKOM method. |
| [ProcProtect](./ProcProtect/) | PoCs to manipulate Protected Process. |
| [QueryModule](./QueryModule/) | PoCs to perform retrieving kernel driver loaded address information. |
| [StealToken](./StealToken/) | PoCs to perform token stealing from kernelmode. |
## TODO
More PoCs especially about following things will be added later:
* Notify callback
* Filesystem mini-filter
* Network mini-filter
## Recommended References
* [Pavel Yosifovich, **_Windows Kernel Programming, 2nd Edition_** (Independently published, 2023)](https://leanpub.com/windowskernelprogrammingsecondedition)
* [Bruce Dang, Alexandre Gazet, Elias Bachaalany, and Sébastien Josse, **_Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation_** (Wiley Publishing, 2014)](https://www.amazon.com/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1502489309)
* [Greg Hoglund, and Jamie Butler, **_Rootkits : Subverting the Windows Kernel_** (Addison-Wesley Professional, 2005)](https://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319)
* [Bill Blunden, **_The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition_** (Jones & Bartlett Learning, 2012)](https://www.amazon.com/Rootkit-Arsenal-Escape-Evasion-Corners/dp/144962636X)
* [Pavel Yosifovich, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, **_Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, 7th Edition_** (Microsoft Press, 2017)](https://www.microsoftpressstore.com/store/windows-internals-part-1-system-architecture-processes-9780735684188)
* [Andrea Allievi, Mark E. Russinovich, Alex Ionescu, and David A. Solomon, **_Windows Internals, Part 2, 7th Edition_** (Microsoft Press, 2021)](https://www.microsoftpressstore.com/store/windows-internals-part-2-9780135462409)
* [Matt Hand, **_Evading EDR - The Definitive Guide to Defeating Endpoint Detection Systems_** (No Starch Press, 2023)](https://nostarch.com/evading-edr)
", Assign "at most 3 tags" to the expected json: {"id":"5708","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"