de62baae-872d-4e9a-b6d9-b0ac99854c66
Chaos-Rootkit.sys
Description
Chaos-Rootkit is a x64 ring0 rootkit with process hiding, privilege escalation, and capabilities for protecting and unprotecting processes and ability to restrict access to files except for whitelisted process work seamlessly on the latest Windows versions.
This download link contains the vulnerable driver!
Commands
sc.exe create Chaos-Rootkit.sys binPath=C:\windows\temp\Chaos-Rootkit.sys type=kernel && sc.exe start Chaos-Rootkit.sys
Use Case | Privileges | Operating System |
---|---|---|
Elevate privileges | kernel | Windows 11 |
Detections
YARA 🏹
Expand
with header and size limitation
without header and size limitation
for renamed driver files
Resources
Known Vulnerable Samples
Property | Value |
---|---|
Filename | |
Creation Timestamp | 2024-02-24 04:54:46 |
MD5 | 443e8d915c04c370b7c31bb5f11ebab7 |
SHA1 | c3f8b7f0995073abb58c2aec1b6062f89fe838a0 |
SHA256 | bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0 |
Authentihash MD5 | cec49dd8b1dbb091e3d6f8134cee5bdc |
Authentihash SHA1 | a4b5442d906715caaadc011d0c2fa44cd894dbfe |
Authentihash SHA256 | 23be3616a4fb4e620f971e4348dc46b7980abca6463be3cb4b83769a955f2810 |
RichPEHeaderHash MD5 | ae12000e18da8fac0c57ef3d7cd3236e |
RichPEHeaderHash SHA1 | 803fe53650c7d62f0652d87117cab64e01934e73 |
RichPEHeaderHash SHA256 | 329187edf745b2d770774d2c1698151b8e63215b7bc7f56dceb4b2894efe0501 |
Certificates
Expand
Certificate 13d597c6ebaaaf994d4463d3387c0dd2
Field | Value |
---|---|
ToBeSigned (TBS) MD5 | 6b552c6f192fd7c811a7f292b41dd282 |
ToBeSigned (TBS) SHA1 | fbd054373b922c03cad87c948c29ed2ed0883910 |
ToBeSigned (TBS) SHA256 | e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af |
Subject | CN=WDKTestCert anash,133231280654008727 |
ValidFrom | 2023-03-12 20:54:25 |
ValidTo | 2033-03-12 00:00:00 |
Signature | 2877c0544f97abe3532296be49983e1e9b7f4c99ef327222c4b2b6d70194c8d97db7140a51dc6a18a009549aabe1bcb8c95d089917b9fed893b52f0518b649680aab7fdb5af9098de934aede339cee3d3c271ffc25c8d1b188fee3ff9a8b6591ac9f6e21934467db0d7d6595edcc98f3bbaf303202fab533ae82372da8d8b8dee1dcb80312e8ebe140ea9edfac35bf59e909b49edad358761784ffafb590665a6426e9b3fae943864a0484002555a654647e1495e92d9e8dafd00b0e36e30a921ec424e2d4a70d579879bdaaab9bc21824479b905e710ae1269e3fc3695c50811805f163e23590e53c173a79adda0fe1deb674f34fc0adf3cbcf93a4955907f7 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.5 |
IsCertificateAuthority | True |
SerialNumber | 13d597c6ebaaaf994d4463d3387c0dd2 |
Version | 3 |
Imports
Expand
- FLTMGR.SYS
- ntoskrnl.exe
- WDFLDR.SYS
Imported Functions
Expand
- FltGetRequestorProcessId
- KeWaitForSingleObject
- ExInitializePushLock
- ExAcquirePushLockExclusiveEx
- ExReleasePushLockExclusiveEx
- MmProbeAndLockPages
- MmUnlockPages
- MmProtectMdlSystemAddress
- MmMapLockedPagesSpecifyCache
- MmUnmapLockedPages
- IoAllocateMdl
- IofCompleteRequest
- KeReleaseMutex
- IoCreateSymbolicLink
- IoDeleteDevice
- IoDeleteSymbolicLink
- IoFreeMdl
- ObfDereferenceObject
- NtCreateFile
- PsReferencePrimaryToken
- PsLookupProcessByProcessId
- PsGetProcessImageFileName
- __C_specific_handler
- wcsstr
- RtlCopyUnicodeString
- DbgPrintEx
- KeInitializeMutex
- RtlGetVersion
- DbgPrint
- MmGetSystemRoutineAddress
- IoCreateDevice
- WdfVersionBindClass
- WdfVersionUnbind
- WdfLdrQueryInterface
- WdfVersionBind
- WdfVersionUnbindClass
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- INIT
- .reloc
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": true,
"SerialNumber": "13d597c6ebaaaf994d4463d3387c0dd2",
"Signature": "2877c0544f97abe3532296be49983e1e9b7f4c99ef327222c4b2b6d70194c8d97db7140a51dc6a18a009549aabe1bcb8c95d089917b9fed893b52f0518b649680aab7fdb5af9098de934aede339cee3d3c271ffc25c8d1b188fee3ff9a8b6591ac9f6e21934467db0d7d6595edcc98f3bbaf303202fab533ae82372da8d8b8dee1dcb80312e8ebe140ea9edfac35bf59e909b49edad358761784ffafb590665a6426e9b3fae943864a0484002555a654647e1495e92d9e8dafd00b0e36e30a921ec424e2d4a70d579879bdaaab9bc21824479b905e710ae1269e3fc3695c50811805f163e23590e53c173a79adda0fe1deb674f34fc0adf3cbcf93a4955907f7",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
"Subject": "CN=WDKTestCert anash,133231280654008727",
"TBS": {
"MD5": "6b552c6f192fd7c811a7f292b41dd282",
"SHA1": "fbd054373b922c03cad87c948c29ed2ed0883910",
"SHA256": "e9098f46ff7e02093422a6e4745f420d41fc08c66a95b6f62f09b44297bf35af",
"SHA384": "4b008e59d2ea4c49427250d7da08075c183e7759d91b9defaf47873d9dab76f2b9e17cd95aeee7ca99ea0967a3ceeb0f"
},
"ValidFrom": "2023-03-12 20:54:25",
"ValidTo": "2033-03-12 00:00:00",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "CN=WDKTestCert anash,133231280654008727",
"SerialNumber": "13d597c6ebaaaf994d4463d3387c0dd2",
"Version": 1
}
],
"SignerInfo": ""
}
last_updated: 2024-09-26