Benthic (Bentico) is a comprehensive project thoroughly designed with the explicit goal of establishing a robust foundation for the development of rootkits. By offering a centralized repository of knowledge, Benthic stands as a valuable initiative for anyone looking to contribute to and benefit from the collective understanding of this field. However, it is imperative to underscore that Benthic is not a tool intended for malicious purposes; rather, it is a carefully constructed initiative for educational exploration and practical insights.
Benthic's significance extends beyond its basic functionality within Windows environments; it serves as a gateway for individuals venturing into the intricate and advanced field of rootkit development.
"A Rootkit is a collection of software designed to give malicious actors control of a computer network or application. Once activated, the malicious program sets up a backdoor exploit and may deliver additional malware, such as ransomware, bots, keyloggers or trojans. Rootkits may remain in place for years because they are hard to detect, due in part to their ability to block some antivirus software and malware scanner software. Known rootkits can be classified into a few broad families, although there are many hybrids as well. One of the most well-known types is the kernel mode rootkit (complicated to create), a sophisticated piece of malware that can add new code to the operating system or delete and edit operating system code." ~ CrowdStrike
Essentially, a rootkit is a form of malicious software strategically designed to target a computer's operating system while hiding its presence and activities from users and security solutions.
In the case of Benthic, this manifests as a specialized focus on the complexities inherent in developing Windows kernel mode drivers.
Benthic is a fully functional Windows rootkit developed as part of the Abyss framework, designed to demonstrate real-world stealth, persistence, and control from kernel mode. While initially presented in pieces during early 2025, it was officially released at DEF CON 33.
This modular rootkit integrates a range of advanced techniques:
- 🔍 Process Hiding (DKOM): Modifies kernel structures to make arbitrary processes invisible to user-mode tools.
- ⌨️ Keylogging (Keyboard Filter Driver): Hooks keyboard input using a low-level filter driver to capture keystrokes invisibly.
- 📡 Network Stealth (NSI): Hides active TCP connections by manipulating the Network Store Interface, commonly used by tools like netstat.
- 🛡️ Network Obfuscation (WFP): Filters or blocks outbound/inbound traffic by intercepting and controlling network events via the Windows Filtering Platform.
- 🌐 Kernel-mode C2 (WSK): Implements a covert Command & Control channel using WinSock Kernel (WSK), enabling real-time bidirectional communication from kernel space.
- 📁 File & Folder Hiding (Minifilter): Uses a custom minifilter driver to filter requests and exclude hidden files from directory listings.
All modules can run independently or as part of the full rootkit pipeline. Whether you're studying Windows internals or building your own lab-grade malware for research purposes, Benthic provides a comprehensive, real-world foundation for kernel-mode stealth techniques.
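From the defensive side, the DKOM process hiding listed above can be checked for with a cross-view comparison: the usual enumeration walks the kernel's process list (which unlinking defeats), while opening a handle by PID resolves through the PspCidTable handle table and usually still succeeds for an unlinked process. The PowerShell below is an added example and not Benthic's own code; it assumes an elevated shell and a lab machine whose PIDs stay below 0xFFFF.

```powershell
# Added example (not part of Benthic): cross-view detection of DKOM-hidden processes.
# View 1: Get-Process (NtQuerySystemInformation, walks the EPROCESS linked list).
# View 2: brute-force OpenProcess over the PID space (PsLookupProcessByProcessId,
#         goes through PspCidTable rather than the linked list).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5   # PID exists but is protected: still counts as present

# View 1: the standard enumeration.
$listed = @{}
Get-Process | ForEach-Object { $listed[[int]$_.Id] = $true }

# View 2: probe every PID. PIDs are multiples of 4; 0xFFFC is an assumed lab-box ceiling.
$probed = @{}
for ($id = 4; $id -le 0xFFFC; $id += 4) {
    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$id)
    if ($h -ne [IntPtr]::Zero) {
        $probed[$id] = $true
        [void][Win32.Native]::CloseHandle($h)
    } elseif ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
        $probed[$id] = $true
    }
}

# A PID reachable by handle but absent from the list is either a process that
# started between the two views or a candidate for DKOM hiding. Re-run to rule out the former.
$suspect = $probed.Keys | Where-Object { -not $listed.ContainsKey($_) } | Sort-Object
if ($suspect) {
    Write-Host "PIDs reachable via OpenProcess but missing from Get-Process:"
    $suspect | ForEach-Object { Write-Host ("  PID {0}" -f $_) }
} else {
    Write-Host "No discrepancy between the two views."
}
```

A clean result is one signal, not proof: a rootkit that also tampers with the handle-table path or with the user-mode APIs used here will not show up, so pair this with memory forensics or kernel-side telemetry.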
📁 You can find all materials related to these events (slides, demos, extra resources) in the Cybersecurity Conferences folder of this repository.
📌 TheMalwareGuardian: Awesome Bootkits & Rootkits Development Resources: My compilation (400+) of extensive resources dedicated to bootkit and rootkit development.
This project represents a dedicated exploration into the intricate realm of rootkits, with a specific focus on providing a comprehensive resource for both students and professionals embarking on their journey in this complex field.
The subject of rootkits is multifaceted, and this project serves as a starting point for understanding its nuances. It's important to acknowledge that certain aspects may assume a level of prior knowledge, while others may remain uncharted due to the inherent complexities of the subject matter.
This work is designed to offer valuable insights and resources to support your educational and developmental goals, making it suitable for anyone seeking to delve into rootkit development. If you have specific inquiries, require additional clarification, or wish to engage in collaborative efforts, please do not hesitate to get in touch.
We're Alejandro and María, the creators of this project, and we're very approachable. We'll gladly find time to talk, walk you through the details, or just have a good conversation.
Alejandro Vázquez
Red Team Operator & Reverse Engineer

María San José
Malware & Forensics Analyst