GitHub: ZeroMemoryEx/Chaos-Rootkit

Stars: 1053 | Forks: 161

# Chaos-Rootkit

* Chaos-Rootkit is an x64 Ring 0 rootkit I wrote to better understand kernel internals and rootkit techniques.
* GUI version


# Features

* Hide process: hides processes from listing tools via DKOM.
* Elevate specific process privileges: elevates the privileges of a chosen process.
* Swap the driver on disk and in memory with a Microsoft driver: all credit for this implementation goes to [IDontCode](https://x.com/_xeroxz) [Back Engineering](https://back.engineering/) for his exceptional work. I've also handled the unload and shutdown routines for this feature so that the rootkit's driver doesn't get corrupted or crash at some point.
* Restrict file access for user-mode applications, except for the provided process ID.
* Spawn elevated process: launches a command prompt with elevated privileges.
* Bypass the file integrity check and protect it against anti-malware: this works by redirecting file operations to a legitimate file, making our file appear authentic and signed with a valid certificate; if an anti-malware attempts to scan it, the rootkit immediately kills the anti-malware process.
* Unprotect all processes.
* Protect a specific process with any given protection level (WinSystem, WinTcb, Windows, Authenticode, Lsa, Antimalware).
* Protect a specific file against anti-malware: when an anti-malware tries to scan it, the rootkit shuts it down; this is done by checking the caller's EPROCESS protection member.

# Contribution

# Writeup

* https://www.hackandhide.com/chaos-rootkit-internals-explained/
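The last two feature bullets act on the EPROCESS protection member, which Windows stores as a single PS_PROTECTION byte. The C below is an added example for the defender side (not code from the Chaos-Rootkit project): it decodes that byte into its Type, Audit and Signer fields and flags a process whose observed level exceeds a recorded baseline, which is the check a forensic tool or EDR sensor would run to notice a process that has been granted an unexpected level such as Antimalware-Light or WinTcb. The field layout and enum values come from the public Windows kernel headers; the sample process table is constructed, and the "exceeds" ordering (signer enum value first, then type) is a triage heuristic assumed by this example, not the kernel's exact signer-dominance rules.

```c
/* Decoder and baseline check for the EPROCESS.Protection byte (PS_PROTECTION).
 * Added example for auditing and forensics; not part of the Chaos-Rootkit code.
 * Layout (public Windows kernel headers):
 *   bits 0-2 : Type   (0 = None, 1 = ProtectedLight, 2 = Protected)
 *   bit  3   : Audit
 *   bits 4-7 : Signer (0 = None, 1 = Authenticode, 2 = CodeGen, 3 = Antimalware,
 *                      4 = Lsa, 5 = Windows, 6 = WinTcb, 7 = WinSystem, 8 = App)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ps_protected_type {
    PS_TYPE_NONE = 0,
    PS_TYPE_PROTECTED_LIGHT = 1,
    PS_TYPE_PROTECTED = 2
};

enum ps_protected_signer {
    PS_SIGNER_NONE = 0, PS_SIGNER_AUTHENTICODE = 1, PS_SIGNER_CODEGEN = 2,
    PS_SIGNER_ANTIMALWARE = 3, PS_SIGNER_LSA = 4, PS_SIGNER_WINDOWS = 5,
    PS_SIGNER_WINTCB = 6, PS_SIGNER_WINSYSTEM = 7, PS_SIGNER_APP = 8
};

typedef struct {
    uint8_t type;
    uint8_t audit;
    uint8_t signer;
} ps_protection_t;

/* Split the raw byte with explicit masks instead of a C bit-field, so the
 * result does not depend on the compiler's bit-field ordering. */
ps_protection_t ps_protection_decode(uint8_t level)
{
    ps_protection_t p;
    p.type   = (uint8_t)(level & 0x07);
    p.audit  = (uint8_t)((level >> 3) & 0x01);
    p.signer = (uint8_t)((level >> 4) & 0x0F);
    return p;
}

const char *ps_signer_name(uint8_t signer)
{
    static const char *names[] = {
        "None", "Authenticode", "CodeGen", "Antimalware",
        "Lsa", "Windows", "WinTcb", "WinSystem", "App"
    };
    return signer < sizeof names / sizeof names[0] ? names[signer] : "Invalid";
}

/* Render 0x61 as "WinTcb-Light", 0x72 as "WinSystem", 0x00 as "None".
 * Uses a static buffer, so it is not reentrant (fine for a triage tool). */
const char *ps_protection_string(uint8_t level)
{
    static char buf[48];
    ps_protection_t p = ps_protection_decode(level);
    if (p.type == PS_TYPE_NONE && p.signer == PS_SIGNER_NONE)
        return "None";
    const char *suffix = p.type == PS_TYPE_PROTECTED ? "" :
                         p.type == PS_TYPE_PROTECTED_LIGHT ? "-Light" : "-Invalid";
    snprintf(buf, sizeof buf, "%s%s%s", ps_signer_name(p.signer), suffix,
             p.audit ? " (audit)" : "");
    return buf;
}

/* Returns 1 when the observed level grants more than the baseline: a higher
 * signer value, or the same signer at full Protected instead of Light.
 * Assumption: signer enum order is used as the rank; compare fields rather
 * than raw bytes so a set audit bit cannot skew the comparison. */
int ps_protection_exceeds(uint8_t observed, uint8_t baseline)
{
    ps_protection_t o = ps_protection_decode(observed);
    ps_protection_t b = ps_protection_decode(baseline);
    if (o.signer != b.signer)
        return o.signer > b.signer;
    return o.type > b.type;
}

int main(void)
{
    /* Constructed sample rows: pid, image, observed byte, baseline byte.
     * Values are illustrative, not captured from a real system. */
    struct { unsigned pid; const char *image; uint8_t seen; uint8_t base; } rows[] = {
        { 4,    "System",      0x72, 0x72 },
        { 700,  "lsass.exe",   0x41, 0x41 },
        { 4242, "notepad.exe", 0x31, 0x00 }, /* unexpected Antimalware-Light */
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("pid %-5u %-12s %-20s %s\n", rows[i].pid, rows[i].image,
               ps_protection_string(rows[i].seen),
               ps_protection_exceeds(rows[i].seen, rows[i].base) ? "UNEXPECTED" : "ok");
    return 0;
}
```

On a live system the observed byte would come from a kernel-memory snapshot or a kernel-mode sensor reading EPROCESS.Protection; the baseline is whatever the host recorded before the driver was loaded, so a user-mode image that suddenly reports a non-zero level is the signal to investigate.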