/>
/<
/<
|\_______{o}----------------------------------------------------------_
[\\\\\\\\\\\{*}:::<=================KINGSGUARD===================- >
|/~~~~~~~{o}----------------------------------------------------------~
\<
\<
\>
This is a Windows userland rootkit. Given my infamous history with AppInit DLLs, I obviously decided to give it another go.
To avoid loader-lock problems and to keep the system from slowing to a crawl, `DllMain` runs a parent-PID (PPID) check before anything else. Only `explorer.exe` and the processes descended from it load this rootkit; in every other process the DLL declines to load.
The hooking library used is MinHook.
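The ancestry walk that "at and below explorer.exe" implies, as an added example (not the project's code). A real `DllMain` would read its own PID and each parent PID from the OS; here a constructed process table stands in for that so the logic runs offline, and the hop limit guards against parent-PID loops caused by PID reuse.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for what a real DllMain would obtain from the OS
   (e.g. NtQueryInformationProcess for the parent PID and a process
   snapshot for image names). Hypothetical data, not a real system. */
typedef struct {
    unsigned    pid;
    unsigned    ppid;
    const char *image;
} proc_entry;

static const proc_entry SAMPLE_PROCS[] = {
    {4,    0,    "System"},
    {500,  4,    "smss.exe"},
    {700,  500,  "winlogon.exe"},
    {800,  700,  "userinit.exe"},
    {1200, 800,  "explorer.exe"},
    {1300, 1200, "notepad.exe"},     /* child of explorer.exe */
    {1400, 1300, "conhost.exe"},     /* grandchild of explorer.exe */
    {900,  700,  "services.exe"},
    {950,  900,  "svchost.exe"},     /* service tree, no explorer.exe above it */
    {960,  950,  "taskhostw.exe"},
};

static const proc_entry *lookup(unsigned pid)
{
    for (size_t i = 0; i < sizeof SAMPLE_PROCS / sizeof SAMPLE_PROCS[0]; i++)
        if (SAMPLE_PROCS[i].pid == pid)
            return &SAMPLE_PROCS[i];
    return NULL;
}

/* Walk the parent chain upward from `pid`. Returns true when the process
   itself or one of its ancestors is explorer.exe. The hop limit bounds
   the walk when a stale parent PID points back into the chain. */
bool in_explorer_tree(unsigned pid)
{
    for (int hops = 0; hops < 64; hops++) {
        const proc_entry *p = lookup(pid);
        if (!p)
            return false;                      /* unknown PID: refuse to load */
        if (strcasecmp(p->image, "explorer.exe") == 0)
            return true;
        if (p->ppid == 0 || p->ppid == pid)
            return false;                      /* reached the root */
        pid = p->ppid;
    }
    return false;
}
```

In a `DllMain` this result decides whether to install the hooks or to return early; the unknown-PID and hop-limit cases both fall on the side of not loading.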
Kingsguard hooks the following functions for the purposes of evasion and protection:

- `NtQuerySystemInformation`
- `NtOpenProcess`
- `NtTerminateProcess`
- `NtEnumerateValueKey`
- `NtQueryValueKey`
- `NtSetValueKey`
- `NtDeleteValueKey`
- `NtOpenFile`
- `NtQueryDirectoryFile`
The project can be built with MinGW. Run `make` and find the compiled DLL as `kingsguard.dll`. Run `make 32bit` for a 32-bit version.

Options are set within `include/config.h`:
- `DLL` -> DLL name to hide / remove from the PEB
- `PROCESSA/W` -> Process name to hide / protect
- `KEY` -> Registry value name to hide / protect
- `PATH` -> File system path to protect
- `TAUNT` -> Set to `true` to report every process name as the `DLL` value
- `NOTERM` -> Set to `true` to prevent users from killing other processes

IMPORTANT: all values in `config.h` MUST be lowercase.
An install script is provided. It needs more testing and refinement, but it works for now.

One note on the `explorer.exe` restriction: it is a limitation, and an easy one to bypass, since anything run under a service process sits outside the `explorer.exe` tree and never loads the rootkit. System integrity is more important to me than closing that gap.
Also, the hooks are not all-encompassing. If a function is called with an access right the hook does not account for, the call falls through to the original function. One example is `NtOpenFile`: the current hook looks only for `DELETE` in the `DesiredAccess` mask, but a file can be deleted without that bit being set, for example with the `CreateOptions` flag `FILE_DELETE_ON_CLOSE` (which the I/O manager treats as an implicit request for `DELETE`), or by requesting `GENERIC_ALL` or `MAXIMUM_ALLOWED`, which only map to `DELETE` after the access check. `NtCreateFile`, which is not hooked at all, can also open an existing file with `DELETE` access.

Another note on the `PATH` hook: it searches for a substring anywhere in the path, not a prefix. For example, if it is set to `C:\Users`, every file in that directory and its subdirectories will be locked. Be careful.
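To make both notes concrete, here is an added example (not the project's code) of the decision a hardened `NtOpenFile` hook would make: the narrow `DELETE`-only test beside a wider one that also catches `FILE_DELETE_ON_CLOSE`, `GENERIC_ALL` and `MAXIMUM_ALLOWED`, combined with the lowercase substring match described for `PATH`. The constants are copied from the Windows headers so the file compiles without the SDK; `PROTECTED_PATH` and the sample NT paths are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t ACCESS_MASK;

/* Values as defined in winnt.h / wdm.h, spelled out so this compiles
   without the Windows SDK. */
#define DELETE                0x00010000u
#define MAXIMUM_ALLOWED       0x02000000u
#define GENERIC_ALL           0x10000000u
#define GENERIC_READ          0x80000000u
#define FILE_DELETE_ON_CLOSE  0x00001000u  /* a CreateOptions flag, not an access bit */

/* Hypothetical stand-in for the PATH value in include/config.h (lowercase,
   as the README requires). */
#define PROTECTED_PATH "c:\\users"

/* The narrow test: only the DELETE bit of DesiredAccess. */
bool loose_wants_delete(ACCESS_MASK desired)
{
    return (desired & DELETE) != 0;
}

/* The wider test: anything that ends up granting DELETE. */
bool strict_wants_delete(ACCESS_MASK desired, uint32_t create_options)
{
    if (desired & DELETE)
        return true;
    if (desired & GENERIC_ALL)                 /* maps to FILE_ALL_ACCESS, which includes DELETE */
        return true;
    if (desired & MAXIMUM_ALLOWED)             /* grants whatever the ACL allows, DELETE included */
        return true;
    if (create_options & FILE_DELETE_ON_CLOSE) /* implicit DELETE request */
        return true;
    return false;
}

/* Case-insensitive substring match: the caller's path is lowered, then
   compared against the already-lowercase config value. Matches anywhere
   in the string, so "\??\C:\Users\bob\x.txt" and every deeper path hit. */
bool path_is_protected(const char *path)
{
    char   lowered[512];
    size_t n = strlen(path);
    if (n >= sizeof lowered)
        n = sizeof lowered - 1;
    for (size_t i = 0; i < n; i++)
        lowered[i] = (char)tolower((unsigned char)path[i]);
    lowered[n] = '\0';
    return strstr(lowered, PROTECTED_PATH) != NULL;
}

/* Decision a hook would make: block (return true) when the request both
   touches a protected path and could result in deletion; otherwise let the
   call fall through to the original NtOpenFile. */
bool should_block_open(const char *path, ACCESS_MASK desired, uint32_t create_options)
{
    return path_is_protected(path) && strict_wants_delete(desired, create_options);
}
```

The gap the README describes is visible by comparing the two tests: a `GENERIC_READ` open with `FILE_DELETE_ON_CLOSE` passes `loose_wants_delete` and is stopped by `strict_wants_delete`. Neither test covers `NtCreateFile`, which would need its own hook.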
Lastly, nearly all processes pick up the DLL via AppInit, minus a few crucial ones like `cmd.exe` and `reg.exe`. This is an expected limitation: AppInit_DLLs are loaded by `user32.dll`, and those console processes never load it. I recommend pairing this with `regprotect.ps1` as a support object.

- Hook instead of only unlinking `kingsguard.dll` from the PEB module lists: Process Explorer is still able to see the loaded DLL as of this moment.