- NetRootKit - Kernel driver that currently supports the following features:
  - Hooks the GetTCPTable() and GetTCPTable2() APIs provided by nsiproxy. Enables hiding a TCP connection based on the different parameters given.
  - Enables hiding a process ID.
- NetRootKitController - User-mode application that interacts with the NetRootKit driver. Sends the commands to execute the different functionalities supported by the driver.
- GetTCPConnections - Test application that calls the GetTCPTable() and GetTCPTable2() APIs. Used to verify our results.
- Step 1: Enable test mode (TESTSIGNING) on Windows.
  - Command (as Administrator): bcdedit /set TESTSIGNING on
  - Restart.
  - Helpful link: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
- Step 2: Build the NetRootKit project. Copy the contents of the Driver Files to a folder.
  - Example folder name: NetRootKit
- Step 3: Install the driver and the user application.
  - Driver install: devcon install NetRootKit.inf Root\NetRootKit
  - Application name: NetRootKitController
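The install steps above leave host-level traces that a defender can look for: test signing switched on in the boot configuration, a root-enumerated PnP device created by devcon, a kernel service registered for the driver, and a running driver image whose signature does not chain to a trusted root. The following PowerShell script is added here as an example; it is not part of the NetRootKit project. It assumes the service and the device are both named NetRootKit, as in the devcon command, and it must be run from an elevated prompt because bcdedit requires one.

```powershell
# Added example (not part of the NetRootKit project): checks for the
# host-level artifacts that the install steps above leave behind.
# Assumption: the driver service and the root-enumerated device are both
# named "NetRootKit", matching the devcon command in the README. Change
# $DriverName if your build uses another name.
param(
    [string]$DriverName = 'NetRootKit'
)

function Test-TestSigningEnabled {
    # bcdedit prints a "testsigning  Yes" line for the current boot entry
    # when TESTSIGNING is on. Returns $null when bcdedit produced no output
    # (typically a non-elevated prompt).
    $bcd = bcdedit /enum '{current}' 2>$null
    if (-not $bcd) { return $null }
    return [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)
}

function Get-SuspectDriverService {
    param([string]$Name)
    # devcon install registers a kernel service taken from the INF's
    # AddService entry; look for it by service name or image path.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like "*$Name*" -or $_.PathName -like "*$Name*" } |
        Select-Object Name, State, StartMode, PathName
}

function Get-SuspectRootDevice {
    param([string]$Name)
    # "devcon install <inf> Root\<HardwareId>" creates a root-enumerated
    # PnP node whose instance id starts with ROOT\.
    Get-CimInstance -ClassName Win32_PnPEntity |
        Where-Object { $_.PNPDeviceID -like "ROOT\*$Name*" } |
        Select-Object Name, PNPDeviceID, Status
}

function Get-UntrustedRunningDriver {
    # Test-signed driver images fail Get-AuthenticodeSignature because their
    # certificate does not chain to a trusted root. List every running
    # driver whose image file is present but whose signature is not Valid.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the NT-style paths WMI reports (\??\C:\... and
            # \SystemRoot\...) into Win32 paths.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', '%SystemRoot%'
            $path = [Environment]::ExpandEnvironmentVariables($path)
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Name      = $_.Name
                        Path      = $path
                        SigStatus = $sig.Status
                    }
                }
            }
        }
}

$report = [pscustomobject]@{
    TestSigningEnabled = Test-TestSigningEnabled
    DriverServices     = @(Get-SuspectDriverService -Name $DriverName)
    RootDevices        = @(Get-SuspectRootDevice -Name $DriverName)
    UntrustedDrivers   = @(Get-UntrustedRunningDriver)
}
$report | Format-List
```

A TestSigningEnabled value of True on a production host, or any entry under RootDevices or DriverServices, is a finding to investigate; the UntrustedDrivers list is a broader signal and will also include any legitimately test-signed driver on a development machine, so read it in context.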
- Check the connection with the kernel driver.
  - Format: NetRootKitController check-connection <message>
  - Example: NetRootKitController check-connection "Hello Kernel"
  - Output: Connected! message echoed successfully
- Hide the TCP connection based on the local IP address.
  - Format: NetRootKitController hide-ip <ip>
  - Example: NetRootKitController hide-ip 192.168.0.1
- Hide the TCP connection based on the remote IP address.
  - Format: NetRootKitController hide-remote-ip <ip>
  - Example: NetRootKitController hide-remote-ip 192.168.0.1
- Hide the TCP connection based on the local port number.
  - Format: NetRootKitController hide-ip <ip>
  - Example: NetRootKitController hide-ip 49650
- Hide the TCP connection based on the given PID.
  - Format: NetRootKitController hide-connect-pid <pid>
  - Example: NetRootKitController hide-connect-pid 7756
- Hide the TCP connection based on the process name.
  - Format: NetRootKitController hide-connect-process <process_name>
  - Example: NetRootKitController hide-connect-process "anyservice.exe"
- Hide the PID from the PID list.
  - Format: NetRootKitController hide-pid <pid>
  - Example: NetRootKitController hide-pid 7756
- Disable screen capture protection by hooking SetWindowDisplayAffinity in the kernel.
  - Format: NetRootKitController disable-window-capture <pid>
  - Example: NetRootKitController disable-window-capture 7756
| Command | Description |
|---|---|
| GetTCPConnections gettcptable1 | Calls the Win32 API GetTCPTable() to get the TCP connection details. |
| GetTCPConnections gettcptable2 | Calls the Win32 API GetTCPTable2() to get the TCP connection details. |