Home

Awesome

Spectre Rootkit Logo

Welcome to the Spectre Rootkit, a proof-of-concept Windows kernel-mode rootkit I wrote with the hopes of demystifying the Windows kernel for red team usage. The Spectre Rootkit abuses legitimate communication channels in order to receive commands from a C2. You can read more about how it works here. This project was the focus of my talk, "Demystifying Modern Windows Rootkits", presented at both Black Hat USA 2020 and DEF CON 28.

Getting Started

Please see the Getting Started section of the wiki.

Components

Here are the projects inside the Spectre Rootkit solution.

Motivation

The primary motivation for this project was because of the lack of examples for Windows rootkits. You'll often find examples of red team tooling that lies in user-mode, but the amount of kernel-mode red team tooling is sparse. This project is meant to act as a point of reference, specifically to show one-way of approaching the problem of writing a rootkit. Not only did I want to write a rootkit to assist in the development of future red team tooling, but the secondary purpose of this project was to challenge myself by exploring parts of the kernel that aren't well-documented and researching novel techniques I could apply to the rootkit. You'll find that the code base follows a strict code style and is heavily documented.

Notable Tricks and Techniques

The Spectre Rootkit is made up of several tricks and techniques, here are a few of the noteworthy ones:

Thanks

Some well deserved thanks go to...

  1. Alex Ionescu - Long-time mentor and Windows internals expert.
  2. ReactOS Project - An incredible reference about the internals of the Windows kernel.
  3. Nemanja Mulasmajic - Gave the idea for the NtFunctionResolver component of the rootkit.

Licensing

Interested in a special license? Contact me at billdemirkapi (AT) gmail (DOT) com.