Sunder: Windows rootkit designed to work with BYOVD exploits
Sunder
Windows rootkit modeled after Lazarus Group’s FudModule rootkit. Reference this version of Sunder for an example of the appid.sys driver exploit, which was utilized by Lazarus Group FudModule rootkit.
Sunder’s vulnerable driver in this GitHub repository is Dell’s dbutil_2_3.sys driver, since it is a simple vulnerability and therefore makes the rootkit-specific code easier to read. This driver is blocked by Microsoft. Execute the following commands to allow blocked drivers (bcdedit command not required on Windows 11):
This rootkit is designed to work with various kernel exploits. This allows you to change the vulnerable driver utilized to gain kernel read and write primitives. Updating the vulnerable driver is necessary to evade Microsoft’s blocked driver list.
Sunder contains the following payloads:
- Token Stealing – Steal a token from any process (spawns cmd.exe, but can be modified to spawn any process)
- Token Escalation – Add permissions to a given process
- ACL Editing – Opens handle to target process despite integrity or PPL protection level
- Note: Offsets for ACL editing have only been tested against winlogon.exe, and may need updated for other target processes
- Enable/Disable PPL – Tamper with process PPL protection levels
- Disable ETWti – Disable ETW threat intelligence (kernel-mode hooking)
- Clear process callbacks – Clear all process creation notification callbacks
- Clear thread callbacks – Clear all thread creation notification callbacks
- Clear DLL callbacks – Clear all DLL image load notification callbacks
Improvements and Additions
The following are ways the rootkit can (and should) be improved for operational use. I will not be updating the public release to include these features.
- Include offsets for various Windows OS versions
- Create the Kernel driver service from rootkit code
- Clean up driver and service on exit
- Convert interactive post-ex prompts into commandline arguments
- Encrypt or hash plaintext strings
- Disable object/registry callbacks
- Disable ETW providers
- Disable minifilter drivers
- Suspend EDR threads
