abcd2c10-1078-4cf9-b320-04ca38d22f98

Chaos-Rootkit.sys :inline :inline

Description

Chaos-Rootkit is a x64 ring0 rootkit with process hiding, privilege escalation, and capabilities for protecting and unprotecting processes, work on the latest Windows versions.

  • UUID: abcd2c10-1078-4cf9-b320-04ca38d22f98
  • Created: 2023-06-05
  • Author: Michael Haag
  • Acknowledgement: |

DownloadBlock

This download link contains the vulnerable driver!

Commands

sc.exe create Chaos-Rootkit.sys binPath=C:\windows\temp\Chaos-Rootkit.sys type=kernel && sc.exe start Chaos-Rootkit.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://github.com/ZeroMemoryEx/Chaos-Rootkit

    • Known Vulnerable Samples

    PropertyValue
    FilenameChaos-Rootkit.sys
    Creation Timestamp2023-05-21 06:19:33
    MD59532893c1d358188d66b0d7b0784bb6b
    SHA1d022f5e3c1bba43871af254a16ab0e378ea66184
    SHA2560ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db
    Authentihash MD57f41d82fd2f02bb6e2d621bc225c34b2
    Authentihash SHA13b78b68280429db35d224cb4d32033e6c01b8011
    Authentihash SHA25660fb851ce3da03c319a423979b47a95dd231085d89b26516f3e25164a1a14dfb
    RichPEHeaderHash MD5a0fa124e7a2c5f9aaacbb1ca24b36629
    RichPEHeaderHash SHA15be22e273d55ccd22c76a09844780399fd8e9f64
    RichPEHeaderHash SHA256f810290edf657960bade7beb246ab62f6f5d9caa01685a249ac4ad4c36255896

    Download

    Certificates

    Expand
    Certificate 13d597c6ebaaaf994d4463d3387c0dd2
    FieldValue
    ToBeSigned (TBS) MD56b552c6f192fd7c811a7f292b41dd282
    ToBeSigned (TBS) SHA1fbd054373b922c03cad87c948c29ed2ed0883910
    ToBeSigned (TBS) SHA256e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af
    SubjectCN=WDKTestCert anash,133231280654008727
    ValidFrom2023-03-12 20:54:25
    ValidTo2033-03-12 00:00:00
    Signature2877c0544f97abe3532296be49983e1e9b7f4c99ef327222c4b2b6d70194c8d97db7140a51dc6a18a009549aabe1bcb8c95d089917b9fed893b52f0518b649680aab7fdb5af9098de934aede339cee3d3c271ffc25c8d1b188fee3ff9a8b6591ac9f6e21934467db0d7d6595edcc98f3bbaf303202fab533ae82372da8d8b8dee1dcb80312e8ebe140ea9edfac35bf59e909b49edad358761784ffafb590665a6426e9b3fae943864a0484002555a654647e1495e92d9e8dafd00b0e36e30a921ec424e2d4a70d579879bdaaab9bc21824479b905e710ae1269e3fc3695c50811805f163e23590e53c173a79adda0fe1deb674f34fc0adf3cbcf93a4955907f7
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber13d597c6ebaaaf994d4463d3387c0dd2
    Version3

    Imports

    Expand
    • ntoskrnl.exe
    • WDFLDR.SYS

    Imported Functions

    Expand
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • ObfDereferenceObject
    • IoCreateDevice
    • PsLookupProcessByProcessId
    • PsGetProcessImageFileName
    • __C_specific_handler
    • IofCompleteRequest
    • RtlCopyUnicodeString
    • DbgPrintEx
    • ExReleasePushLockExclusiveEx
    • ExAcquirePushLockExclusiveEx
    • ExInitializePushLock
    • PsReferencePrimaryToken
    • DbgPrint
    • WdfVersionUnbind
    • WdfLdrQueryInterface
    • WdfVersionBind
    • WdfVersionUnbindClass
    • WdfVersionBindClass

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "13d597c6ebaaaf994d4463d3387c0dd2",
      "Signature": "2877c0544f97abe3532296be49983e1e9b7f4c99ef327222c4b2b6d70194c8d97db7140a51dc6a18a009549aabe1bcb8c95d089917b9fed893b52f0518b649680aab7fdb5af9098de934aede339cee3d3c271ffc25c8d1b188fee3ff9a8b6591ac9f6e21934467db0d7d6595edcc98f3bbaf303202fab533ae82372da8d8b8dee1dcb80312e8ebe140ea9edfac35bf59e909b49edad358761784ffafb590665a6426e9b3fae943864a0484002555a654647e1495e92d9e8dafd00b0e36e30a921ec424e2d4a70d579879bdaaab9bc21824479b905e710ae1269e3fc3695c50811805f163e23590e53c173a79adda0fe1deb674f34fc0adf3cbcf93a4955907f7",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=WDKTestCert anash,133231280654008727",
      "TBS": {
        "MD5": "6b552c6f192fd7c811a7f292b41dd282",
        "SHA1": "fbd054373b922c03cad87c948c29ed2ed0883910",
        "SHA256": "e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af",
        "SHA384": "4b008e59d2ea4c49427250d7da08075c183e7759d91b9defaf47873d9dab76f2b9e17cd95aeee7ca99ea0967a3ceeb0f"
      },
      "ValidFrom": "2023-03-12 20:54:25",
      "ValidTo": "2033-03-12 00:00:00",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "CN=WDKTestCert anash,133231280654008727",
      "SerialNumber": "13d597c6ebaaaf994d4463d3387c0dd2",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2024-09-26