jmpoep/Black-Angel-Rootkit
Black Angel Rootkit


Black Angel is a Windows 11/10 x64 kernel mode rootkit. The rootkit can be loaded with DSE enabled while maintaining its full functionality.

Designed for Red Teams.


Rootkit Features

The rootkit can be loaded with kdmapper to bypass DSE; the Black Angel Loader may not work properly yet. The driver-hijack project is used to maintain full driver functionality, such as callback support.

  • DSE Bypass (No need to turn test signing on)
  • KPP Bypass
  • Hide processes
  • Hide ports (TCP/UDP)
  • Process permission elevation
  • Process protection
  • Shellcode injector (Unkillable shellcode. Even if process dies, shellcode can still run)
  • (TODO) Hide files/directories
  • (TODO) Hide registry keys

Implementation

You can easily implement rootkit calls by copying and pasting the BlackAngel header file into your project.

Additional Info

  • Remember to change the ACTIVE_PROCESS_LINKS offset to match your Windows version. The current offset has been tested on Windows 10/11 Pro 21H2.
  • There may still be stability issues!
  • The KM shellcode injector is OP. If you inject shellcode into a protected process, no antivirus will remove it >:D Simple shellcodes such as Metasploit shell_reverse_tcp are able to work even if the process is terminated.
