A basic Direct Kernel Object Manipulation rootkit that removes a process from the EPROCESS list, hiding it from the Task Manager
Switch branches/tags
Nothing to show
Clone or download
Latest commit d09eb89 Oct 25, 2017
Type Name Latest commit message Commit time
Failed to load latest commit information.
driver Extra file Oct 25, 2017
img Added image Mar 25, 2017
loader Formatting Aug 3, 2017
tools Fixed tools path Mar 19, 2017
README.md More readme mistakes Aug 3, 2017
makefile fixing 64bit option in makefile Aug 3, 2017



Update: Now works for both 64bit and 32bit architecture! Tested on:

  • Windows 10 Enterprise Edition x64 Build 15063.rs2_release.170317-1834
  • Windows 7 SP1 x86



For more information on the concepts used here please check out my article.


Does not bypass PatchGuard or driver signing requirements.

Please use a VM whenever you run this. Current tests on Windows 10 observe it takes about 30 minutes after unlinking the process to induce a BSOD.

Compiling The Driver

The driver has a number of dependencies and you'll need to compile it using msbuild or visual studio. I used Visual Studio during the development process. You'll need:

  1. The Windows 10 SDK
  2. WDK 10

Once those are setup and integrated with Visual Studio, start a new empty KMDF (Kernel Mode Driver Framework) project and import the files in the /driver folder.

Under Debug -> [ProjectName] Properties -> Driver Settings -> General, make sure your Target OS Version is Windows 7 and the Target Platform is Desktop.

Then under Build -> Configuration Manager, make sure the Platform is Win32, and x86 is selected under "Active solution platform".

Now you should be able to use Build -> Build [ProjectName] to build the project. This will generate a .sys file if everything went well. Then put the .sys file in c:\Windows\System32\drivers[ProjectName].sys, or change the following define statement in loader.c to the path you've specified:

#define DRIVER "c:\\Windows\System32\drivers\Rootkit.sys"

Compiling The Loader

For the loader you can simply use the makefile and mingw to cross compile it.

sudo apt-get install mingw-w64

Then you can create a 32-bit Windows executable using the makefile with:

make 32bit

And a 64-bit Windows executable with:

make 64bit