Windows Rootkit Exploits with BYOVD: A Deep Dive into Sunder

Listen to this Post

GitHub – ColeHouston/Sunder: Windows rootkit designed to work with BYOVD exploits
GitHub – ColeHouston/Sunder

You Should Know:

Sunder is a Windows rootkit specifically designed to work with Bring Your Own Vulnerable Driver (BYOVD) exploits. This tool is particularly relevant for red teamers, blue teamers, and penetration testers who are exploring advanced techniques in Windows security. Below are some practical commands and steps to understand and work with Sunder:

1. Cloning the Repository:

git clone https://github.com/ColeHouston/Sunder.git
cd Sunder

2. Building the Rootkit:

  • Ensure you have the necessary build tools installed (e.g., Visual Studio).
  • Open the project in Visual Studio and build the solution.

3. Loading the Rootkit:

  • Use a vulnerable driver to load the rootkit. This can be done using tools like `sc.exe` or LoadDriver.exe.
    sc create Sunder binPath= "C:\path\to\Sunder.sys" type= kernel
    sc start Sunder
    

4. Verifying the Rootkit:

  • Check if the rootkit is loaded using tools like `Process Hacker` or WinObj.
    tasklist /m Sunder.sys
    

5. Testing the Rootkit:

  • Use the rootkit to hide processes, files, or registry keys.
  • Example command to hide a process:
    Sunder.exe --hide-pid 1234
    

6. Unloading the Rootkit:

  • To unload the rootkit, stop and delete the service.
    sc stop Sunder
    sc delete Sunder
    

7. Analyzing the Rootkit:

  • Use tools like `IDA Pro` or `Ghidra` to analyze the rootkit’s behavior and understand its capabilities.

8. Defending Against BYOVD Exploits:

  • Ensure your systems are patched and up-to-date.
  • Use tools like `Driver Verifier` to detect vulnerable drivers.
    verifier /standard /driver <driver_name.sys>
    

9. Monitoring for Rootkits:

  • Use tools like `Sysinternals Suite` to monitor for suspicious activities.
    autoruns.exe
    

10. Reporting and Documentation:

  • Document your findings and report any vulnerabilities to the appropriate parties.

What Undercode Say:

Sunder is a powerful tool for understanding the intricacies of Windows rootkits and BYOVD exploits. It is essential for security professionals to familiarize themselves with such tools to both exploit and defend against advanced threats. Always ensure you have the proper permissions and legal authority before using such tools in any environment. Continuous learning and practice are key to staying ahead in the ever-evolving field of cybersecurity.

For further reading and resources, visit the official GitHub repository: GitHub – ColeHouston/Sunder.

References:

Reported By: Florian Hansemann – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image