SpectreRoot is a modular macOS rootkit framework written in C++ and Objective-C++ targeting systems without System Integrity Protection (SIP): macOS releases before 10.11, where SIP does not exist, or later releases with SIP disabled. It demonstrates practical techniques for stealth, persistence, and privilege escalation using kernel and userland components.
- Direct Kernel Object Manipulation (DKOM): Hide processes by unlinking kernel structures.
- Privilege Escalation: Gain root via setuid, host port abuse, or legacy macOS APIs.
- Launchd Job Tampering: Unlink persistent agents and daemons from launchd memory.
- Kernel Memory Access: Read/write kernel space with Mach APIs.
- Custom KEXT Loader: Load unsigned kernel extensions using syscall stubs or `kextload`.
- Stealth Techniques: Dylib injection, log scrubbing, and file hiding utilities.
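The DKOM process-hiding item above unlinks a process from the kernel's process list while leaving the structure itself intact. The following is an added userland simulation, not code from SpectreRoot or from XNU: it models the two views the kernel keeps of a process (the `allproc` doubly linked list and the `pidhash` lookup table, both names borrowed from XNU; the `struct proc` here is a constructed stand-in), hides one entry by unlinking it from `allproc` only, and then runs the cross-view check a defender would use to spot the discrepancy. All process data is constructed in-process; no kernel memory is touched.

```c
/* Added illustration of DKOM-style process hiding and its cross-view
 * detection. Not SpectreRoot or XNU code: the structures below are a
 * constructed, simplified model of XNU's proc bookkeeping. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PIDHASH_BUCKETS 8

/* Stand-in for struct proc: the pid plus the two linkages XNU keeps
 * (p_list on allproc, p_hash on the pid hash chain). */
struct proc {
    int pid;
    char name[16];
    struct proc *list_next, *list_prev;   /* allproc linkage */
    struct proc *hash_next;               /* pidhash chain linkage */
};

static struct proc *allproc = NULL;              /* head of allproc */
static struct proc *pidhash[PIDHASH_BUCKETS];    /* pid -> chain */

static unsigned pidhash_idx(int pid) { return (unsigned)pid % PIDHASH_BUCKETS; }

/* Insert into both views, as the kernel does when a process is created. */
static struct proc *proc_create(int pid, const char *name) {
    struct proc *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    p->list_next = allproc;
    if (allproc) allproc->list_prev = p;
    allproc = p;
    unsigned h = pidhash_idx(pid);
    p->hash_next = pidhash[h];
    pidhash[h] = p;
    return p;
}

/* Lookup by pid through the hash, independent of allproc (proc_find-like). */
static struct proc *proc_find(int pid) {
    for (struct proc *p = pidhash[pidhash_idx(pid)]; p; p = p->hash_next)
        if (p->pid == pid) return p;
    return NULL;
}

/* DKOM hide: LIST_REMOVE semantics on the allproc linkage only. The struct
 * stays allocated and reachable through pidhash, so the process keeps
 * running and can still be addressed by pid, but any enumerator that walks
 * allproc (the path behind `ps`-style listings) no longer sees it. */
static void dkom_hide(struct proc *p) {
    if (p->list_prev) p->list_prev->list_next = p->list_next;
    else allproc = p->list_next;
    if (p->list_next) p->list_next->list_prev = p->list_prev;
    p->list_next = p->list_prev = NULL;
}

static int count_allproc(void) {
    int n = 0;
    for (struct proc *p = allproc; p; p = p->list_next) n++;
    return n;
}

/* Cross-view detection: every proc reachable via pidhash must also be on
 * allproc. Returns the number of mismatches; writes up to max pids to out[]. */
static int cross_view_check(int *out, int max) {
    int found = 0;
    for (unsigned h = 0; h < PIDHASH_BUCKETS; h++)
        for (struct proc *p = pidhash[h]; p; p = p->hash_next) {
            int on_list = 0;
            for (struct proc *q = allproc; q; q = q->list_next)
                if (q == p) { on_list = 1; break; }
            if (!on_list) { if (found < max) out[found] = p->pid; found++; }
        }
    return found;
}

static void reset_tables(void) {
    for (unsigned h = 0; h < PIDHASH_BUCKETS; h++) {
        struct proc *p = pidhash[h];
        while (p) { struct proc *n = p->hash_next; free(p); p = n; }
        pidhash[h] = NULL;
    }
    allproc = NULL;
}

/* Constructed scenario: three processes, pid 100 hidden. Returns the number
 * of cross-view mismatches and, via first_hidden, the first hidden pid. */
static int run_scenario(int *first_hidden) {
    int hidden[4];
    reset_tables();
    proc_create(1, "launchd");
    struct proc *implant = proc_create(100, "implant");
    proc_create(200, "Terminal");
    dkom_hide(implant);
    int n = cross_view_check(hidden, 4);
    if (first_hidden) *first_hidden = n > 0 ? hidden[0] : -1;
    return n;
}

int main(void) {
    int first;
    int n = run_scenario(&first);
    printf("allproc walk sees %d procs; proc_find(100) -> %s\n",
           count_allproc(), proc_find(100) ? "found" : "missing");
    if (n > 0) printf("cross-view mismatch: pid %d hidden from allproc\n", first);
    return 0;
}
```

The point of the simulation is the asymmetry: a single unlink defeats list-walking enumerators while leaving the pid-indexed path intact. On a real system the same idea drives userland cross-view checks that compare the process list with pid-range probing (for example `kill(pid, 0)` or `proc_pidinfo` on every pid), and a rootkit author has to reconcile more views than one list, since the kernel also reaches a process through its process group, its task, and its threads.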
```
SpectreRoot/
├── build/            # Output KEXTs and compiled binaries
├── dkom/             # Process hiding via kernel list manipulation
├── docs/             # Internal documentation and architecture
├── kernel_access/    # Task ports and remote memory primitives
├── kext/             # KEXT source and Makefile
├── launchd/          # launchd job unlinking logic
├── loader/           # Userland loader and syscall trampolines
├── privilege/        # Escalation logic and host port tools
├── root_escalation/  # Authorization-based root gain
├── stealth/          # File concealment and log cleanup
├── utils/            # Dylib injection and kernel symbol resolution
└── README.md         # You are here
```
- macOS 10.9–10.14 (x86_64; SIP does not exist before 10.11 and must be disabled on 10.11 and later)
- Xcode CLI tools
- Root access
- `task_for_pid` entitlement or AMFI bypass
- Knowledge of Mach APIs and macOS internals
This tool is provided for educational use only. Do not deploy it on any system without explicit permission. The author disclaims all liability for misuse or damage resulting from this project.
- Jonathan Levin, OS X and iOS Internals
- Apple's XNU Source
- Research on DKOM and launchd persistence