Userland Rootkit with C2

Simple Windows usermode rootkit with privilege escalation, stealth capabilities, and remote C2 management.

Educational Use Only
This repository contains a proof-of-concept of usermode rootkits techniques for research and defensive learning purposes:

Running or modifying this code on machines you do not own or without explicit written authorization is illegal and unethical.
This project is for research, learning, and defense development only.

Features

Core Capabilities:

Token stealing for NT AUTHORITY\SYSTEM privileges
UAC bypass mechanisms
Process/file/registry hiding via inline hooking
Interactive SYSTEM reverse shell (TCP port 4444)
DLL injection into target processes
Real-time keylogger with C2 exfiltration

Anti-Analysis:

VM detection (VMware, VirtualBox, QEMU)
Debugger detection (PEB, NtQueryInformationProcess)
Sandbox evasion techniques

C2 Infrastructure:

Flask HTTPS server with web dashboard (port 8443)
XOR encrypted C2 communications
Agent registration and task queuing
Real-time keylog viewer
SQLite backend for persistence

Contact: 28zaakypro@proton.me

Name		Name	Last commit message	Last commit date
Latest commit History 17 Commits
PrivEscalation		PrivEscalation
dropper		dropper
fileHooks		fileHooks
include		include
processHooks		processHooks
registryHooks		registryHooks
src		src
.gitignore		.gitignore
Capture d'écran 2025-12-12 173844.png		Capture d'écran 2025-12-12 173844.png
README.md		README.md
build.ps1		build.ps1
c2_server.py		c2_server.py
http_server.py		http_server.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Userland Rootkit with C2

Features

About

Uh oh!

Releases

Packages

Languages

28Zaaky/Usermode-Rootkit

Folders and files

Latest commit

History

Repository files navigation

Userland Rootkit with C2

Features

About

Topics

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages