Simple Windows usermode rootkit with privilege escalation, stealth capabilities, and remote C2 management.
Educational Use Only
This repository contains a proof-of-concept of usermode rootkit techniques for research and defensive learning purposes. Running or modifying this code on machines you do not own or without explicit written authorization is illegal and unethical.
This project is for research, learning, and defense development only.
Core Capabilities:
- Token stealing for NT AUTHORITY\SYSTEM privileges
- UAC bypass mechanisms
- Process/file/registry hiding via inline hooking
- Interactive SYSTEM reverse shell (TCP port 4444)
- DLL injection into target processes
- Real-time keylogger with C2 exfiltration
Anti-Analysis:
- VM detection (VMware, VirtualBox, QEMU)
- Debugger detection (PEB, NtQueryInformationProcess)
- Sandbox evasion techniques
C2 Infrastructure:
- Flask HTTPS server with web dashboard (port 8443)
- XOR encrypted C2 communications
- Agent registration and task queuing
- Real-time keylog viewer
- SQLite backend for persistence
Contact: 28zaakypro@proton.me