Browse by type

Chaos-Rootkit is a x64 Ring 0 rootkit with capabilities for process hiding, privilege escalation, protecting and unprotecting processes, and restricting access to files except for whitelisted processes. It can bypass file integrity checks and protect it against anti-malware, working seamlessly on the latest Windows versions.
Gui version
Hide process: This feature allows you to hide processes from listing tools via DKOM.
Elevate specific process privileges : This feature enables you to elevate specific processes privilege .
Restrict file access for user-mode applications except for the provided process ID
Spawn elevated process: launch command prompt with elevated privileges .
Bypass the file integrity check and protect it against anti-malware : this work by redirecting file operations to a legitimate file, making our file appear authentic and signed with a valid certificate also if an anti-malware attempting to scan it, the rootkit will immediately kill the anti-malware process.
Unprotect all processes
Protect a specific process with any given protection level (WinSystem, WinTcb, Windows, Authenticode, Lsa, Antimalware) .
ActiveProcessLinks, which is a pointer to the PLIST_ENTRY structure. In our case, the ActiveProcessLinks pointer is located at offset 0x448 within the EPROCESS structure. It is important to note that this offset may vary across different windows versions .
| x64 | x86 | ||
|---|---|---|---|
| 0xE0 | (late 5.2) | 0xB4 | (3.10) |
| 0xE8 | (6.0) | 0x98 | (3.50 to 4.0) |
| 0x0188 | (6.1) | 0xA0 | (5.0) |
| 0x02E8 | (6.2 to 6.3) | 0x88 | (5.1 to early 5.2) |
| 0x02F0 | (10.0 to 1607) | 0x98 | (late 5.2) |
| 0x02E8 | (1703 to 1809) | 0xA0 | (6.0) |
| 0x02F0 | (1903) | 0xB8 | (6.1 to 1903) |
| 0x0448 | 0xE8 |
PLIST_ENTRY structure is a doubly linked list structure . It contains two members, Blink and Flink, which are pointers to the previous and next entries in the list, respectively, These pointers allow for efficient traversal of the linked list in both directions.
0x0 and the blink member resides in offset 0x8. The flink address 0xffff9c8b\071e3488 points to the next process node, while the blink address 0xfffff805\5121e0a0 points to the previous process node
PLIST_ENTRY structure.

PLIST_ENTRY structure, it is important to set the corresponding pointer to NULL, Otherwise, when attempting to close the process, the PLIST_ENTRY structure will get sent to the PspDeleteProcess API to free all its resources, after the API does not find the process in the structure, it will suspect that the process has already been freed, resulting in a Blue Screen of Death (BSOD), as shown below .

The Token member resides at offset 0x4b8 in the _EPROCESS structure, which is a data structure that represents a process object. The Token member is defined in EX_FAST_REF structure, which is a union type that can store either a pointer to a kernel object or a reference count, depending on the size of the pointer , The offset of the _EX_FAST_REF structure within _EPROCESS depends on the specific version of Windows being used, but it is typically located at an offset of 0x4b8 in recent versions of Windows..
Windows Build Number token Offsets for x64 and x86 Architectures
| x64 offsets | x86 offsets |
|---|---|
| 0x0160 (late 5.2) | 0x0150 (3.10) |
| 0x0168 (6.0) | 0x0108 (3.50 to 4.0) |
| 0x0208 (6.1) | 0x012C (5.0) |
| 0x0348 (6.2 to 6.3) | 0xC8 (5.1 to early 5.2) |
| 0x0358 (10.0 to 1809) | 0xD8 (late 5.2) |
| 0x0360 (1903) | 0xE0 (6.0) |
| 0x04B8 | 0xF8 (6.1) |
| 0xEC (6.2 to 6.3) | |
| 0xF4 (10.0 to 1607) | |
| 0xFC (1703 to 1903) | |
| 0x012C |

_EX_FAST_REF structure in Windows contains three members: Object and RefCount and Value



after the driver receives the PID from the user mode application, it uses it to obtain a pointer to the _EPROCESS structure for the target process. The driver then accesses the Token member of the _EPROCESS structure to obtain a pointer to the process token, which it replaces with the system token, effectively changing the security context of the process to that of the system. However, if the driver does not correctly locate the Token member within the _EPROCESS structure or if the offset of the Token is other than 0x4b8 , the driver may crash the system or the target process ,this problem will be fixed in the next updates .
cmd token after


$ claude mcp add Chaos-Rootkit \
-- python -m otcore.mcp_server <graph>