
CHAZ - Nima Bagheri

short description: "Chaz" is a tool that allows network administrators and managers to quickly and easily perform a network security audit.
Chaz by "Nima Bagheri"

long description: Chaz contains many kinds of security checks, such as:
MD5 Password Cracker
Plug Maker
Base64 Cracker
FTP Password Cracker
Web Scanner - Reporter
List Accounts On Domain
Spy Port - Port Blocker
System Monitoring (anything in Windows)
CGI Script Scanner
Banner Grabbing
SNMP Walk
Sniffer TCP/IP/ICMP
NT Password Cracker (LAN Manager and NTLM)
Directory Traversal IIS attacks
Anonymous Send Mail
Port Scanner
PING Scanner
Remote Services
Remote Processes
NetBIOS Shares
Trace Route & Resolving
NNTP Client and FTP Client
WhoIs client
project leader: neocrackr
homepage: http://www.rootkit.com/vault/neocrackr/Changelogs.html
changelog: http://www.rootkit.com/vault/neocrackr/Changelogs.html


    Detecting EProcess without Installing Driver
    (by neocrackr (Project Leader) May 15 2007, 04:41 (UTC+0) )

    Platform: Windows XP

    I'm sorry guys, but I have no time to convert the code to C++.

    Download the code here:
    http://www.rootkit.com/vault/neocrackr/Detecting_EProcess.zip

    Have fun

    There is a difference between knowing a path and walking the path


    Venak & Avenak Updated
    (by neocrackr (Project Leader) Feb 25 2007, 07:36 (UTC+0) )

    Hi

    This version can detect rootkits like Hookmdl, fu, hxdef100r and TCPIRPHook.

    Beta 2 and the final version can detect all of the following:
    DKOM
    Detour hooking
    Kernel modules and hidden services and drivers
    SDT modifications
    Modifications to the IDT
    Non-standard INT 2E
    Non-standard SYSENTER
    IRP hooks
    And a registry checker

    And a new technology called MPS (Main Protection System).

    Please send any bugs to my mail.

    Best regards, nima


    Venak & Avenak Comments
    (by neocrackr (Project Leader) Jan 16 2007, 02:40 (UTC+0) )

    Please leave a message about this tool.

    Good luck, nima


    • Re: Venak & Avenak Comments
      (by EP_X0FF (Normal user) Jun 09 2007, 04:48 (UTC+0) )

      >>Please Leave Message About this tool
      IT IS FULL SHIT


    Finding Rootkit's Handler (Breaking the FUTo Rootkit Code)
    (by neocrackr (Project Leader) Sep 14 2006, 02:56 (UTC+0) )

    Finding_Rootkit's_Handler
    Breaking the FUTo Rootkit Code

    Vault On Rootkit.com : https://www.rootkit.com/download.php?browse=1&user=neocrackr

    Changelogs
    https://www.rootkit.com/vault/neocrackr/Changelogs.htm

    Download link, full source code with binary
    https://www.rootkit.com/vault/neocrackr/Finding_Rootkits_Handler.rar

    Introduction of Software

    When FUTo hides the PIDs, the programs' windows are still live in the system and we can access them.
    With some functions you can get their PIDs.
    After finding these PIDs you can search the process list, and if any PID does not exist there, that means you have found the rootkit's program (a hidden process).


    Why Windows Handles?

    When you start the system, it automatically creates the desktop window. The desktop window is a system-defined window that paints the background of the screen and serves as the base for all windows displayed by all applications.


    Why the Application Windows?

    Every graphical Microsoft Windows-based application creates at least one window, called the main window, that serves as the primary interface between the user and the application. Most applications also create other windows, either directly or indirectly, to perform tasks related to the main window. Each window plays a part in displaying output and receiving input from the user.

    When you start an application, the system also associates a handle with the application: the instance handle.
    What is an Application Instance Handle?
    Every application has an instance handle associated with it. The system provides the instance handle to an application when the application starts. Because it can run multiple copies of the same application, the system uses instance handles internally to distinguish one instance of an application from another. The application must specify the instance handle in many different functions, including those that create windows.


    Window Handle

    After creating a window, the creation function returns a window handle that uniquely identifies the window. A window handle has the HWND data type; an application must use this type when declaring a variable that holds a window handle. An application uses this handle in other functions to direct their actions to the window.


    Class Name

    Every window belongs to a window class. An application must register a window class before creating any windows of that class. The window class defines most aspects of a window's appearance and behavior. The chief component of a window class is the window procedure, a function that receives and processes all input and requests sent to the window. The system provides the input and requests in the form of messages.


    Parent or Owner Window Handle

    A window can have a parent window. A window that has a parent is called a child window. The parent window provides the coordinate system used for positioning a child window. Having a parent window affects aspects of a window's appearance; for example, a child window is clipped so that no part of the child window can appear outside the borders of its parent window. A window that has no parent, or whose parent is the desktop window, is called a top-level window. An application uses the EnumWindows function to obtain a handle to each of its top-level windows. EnumWindows passes the handle to each top-level window, in turn, to an application-defined callback function, EnumWindowsProc.

    A window can own, or be owned by, another window. An owned window always appears in front of its owner window, is hidden when its owner window is minimized, and is destroyed when its owner window is destroyed.


    Sending Messages (For Closing the Windows)

    Any application can post and send messages. Like the system, an application posts a message by copying it to a message queue and sends a message by passing the message data as arguments to a window procedure. To post messages, an application uses the PostMessage function. An application typically sends a message to notify a window procedure to perform a task immediately. The SendMessage function sends the message to the window procedure corresponding to the given window. The function waits until the window procedure completes processing and then returns the message result.



    The Win32 API

    The program code - Module1.bas
    Copy all of the code into a module.


    'Finding Rootkit's Handler - Breaking the FUTo Rootkit Code
    'By Nima Bagheri, A Rootkit's Project Leader

    'THE CRACKERS GROUP INC 2006 (C), Nima Bagheri, September 2006
    'E-mail: Thecrackers_group at yahoo dot ca
    'Vault On Rootkit.com : https://www.rootkit.com/download.php?browse=1&user=neocrackr

    'All Projects Links
    'https://www.rootkit.com/vault/neocrackr/Changelogs.htm

    'FUTO Project on Rootkit.com
    'http://www.rootkit.com/vault/petersilberman/FUTo_enhanced.zip

    'Toolhelp snapshot flags (tlhelp32.h)
    Const TH32CS_SNAPHEAPLIST = &H1
    Const TH32CS_SNAPPROCESS = &H2
    Const TH32CS_SNAPTHREAD = &H4
    Const TH32CS_SNAPMODULE = &H8
    Const TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST Or TH32CS_SNAPPROCESS Or TH32CS_SNAPTHREAD Or TH32CS_SNAPMODULE)
    Const TH32CS_INHERIT = &H80000000

    'One entry of the process snapshot (PROCESSENTRY32, ANSI layout)
    Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * 260
    End Type

    'View 2: the process list as the system reports it (Toolhelp and PSAPI).
    'A DKOM rootkit such as FU/FUTo removes a process from what these return.
    Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
    Private Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long

    Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

    Private Declare Function Process32First Lib "kernel32.dll" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
    Private Declare Function Process32Next Lib "kernel32.dll" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
    Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long

    'View 1: walk the top-level windows and ask user32 which process owns each.
    'win32k keeps this bookkeeping itself, so a hidden process that still has a
    'window is still reported here.
    Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Long, ByVal lpWindowName As Long) As Long
    Private Declare Function GetParent Lib "user32" (ByVal hwnd As Long) As Long
    Private Declare Function SetParent Lib "user32" (ByVal hWndChild As Long, ByVal hWndNewParent As Long) As Long
    Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
    Private Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
    Private Declare Function LockWindowUpdate Lib "user32" (ByVal hwndLock As Long) As Long
    Private Declare Function GetDesktopWindow Lib "user32" () As Long
    Private Declare Function GetWindowTextLength Lib "user32" Alias "GetWindowTextLengthA" (ByVal hwnd As Long) As Long

    Private Declare Function DestroyWindow Lib "user32" (ByVal hwnd As Long) As Long

    Private Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
    Private Declare Function GetWindowWord Lib "user32" (ByVal hwnd As Long, ByVal nIndex As Long) As Integer
    Const GWW_HINSTANCE = (-6)
    Private Declare Function GetClassName Lib "user32" Alias "GetClassNameA" (ByVal hwnd As Long, ByVal lpClassName As String, ByVal nMaxCount As Long) As Long
    Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long

    Const GW_HWNDNEXT = 2

    Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long

    'Window messages used to inspect or close a found window
    Private Const WM_CLOSE = &H10 'Closing window
    Private Const SW_SHOW = 5 'showing window
    Private Const WM_SETTEXT = &HC 'Setting text of child window
    Private Const WM_GETTEXT = &HD 'Getting text of child window
    Private Const WM_GETTEXTLENGTH = &HE
    Private Const EM_GETPASSWORDCHAR = &HD2 'Checking if its a password field or not
    Private Const BM_CLICK = &HF5 'Clicking a button
    Private Const SW_MAXIMIZE = 3
    Private Const SW_MINIMIZE = 6
    Private Const SW_HIDE = 0
    Private Const SW_RESTORE = 9
    Private Const WM_MDICASCADE = &H227 'Cascading windows
    Private Const MDITILE_HORIZONTAL = &H1
    Private Const MDITILE_SKIPDISABLED = &H2
    Private Const WM_MDITILE = &H226

    'prcPID: PIDs from the process list; phwnd(i,1)/phwnd(i,2): PID and hwnd of
    'each top-level window; ptext(i): its title
    Dim prcPID() As Long
    Dim phwnd(1000, 2) As Long
    Dim ptext(1000) As String * 50

    Sub Main()
    'Optionally start notepad and hide its PID with FU (-ph = hide process)
    'so that there is something for the comparison to find.
    a = MsgBox("Do you want to run the FUTo rootkit on your system?!", vbCritical + vbYesNo, "Alerting")
    If a = 6 Then
    c = Shell("notepad.exe")   'Shell returns the new process's PID
    DoEvents
    b = Shell("exe\fu.exe -ph " & c)
    End If

    'Give the rootkit five seconds to unlink the process
    c = Timer
    Do
    Sleep 1
    DoEvents
    Loop Until c + 5 < Timer

    'View 2: the process list
    Call processes
    'Freeze screen updates while walking the window list
    LockWindowUpdate GetDesktopWindow
    'View 1: every top-level window and its owning PID (Pid is not set
    'anywhere; InstanceToWnd ignores its argument and fills phwnd/ptext)
    mWnd = InstanceToWnd(Pid)

    'Unlock window update
    LockWindowUpdate 0

    'findp: the comparison step described above (not shown in this excerpt)
    Call findp
    End Sub

    Function InstanceToWnd(ByVal target_pid As Long) As Long
    Dim test_hwnd As Long, test_pid As Long, test_thread_id As Long

    'For window text and class
    Dim WText As String * 512
    Dim bRet As Long, WLen As Long
    Dim WClass As String * 50

    'Find the first top-level window, then follow the Z-order with GW_HWNDNEXT
    test_hwnd = FindWindow(ByVal 0&, ByVal 0&)
    Do While test_hwnd <> 0
    'Get the window's title and class

    WLen = GetWindowTextLength(test_hwnd)
    bRet = GetWindowText(test_hwnd, WText, WLen + 1)

    GetClassName test_hwnd, WClass, 50

    'Get the window's PID (returned through test_pid; the thread id is the return value)
    test_thread_id = GetWindowThreadProcessId(test_hwnd, test_pid)

    'Record PID, hwnd and title for the comparison step
    i = i + 1
    phwnd(i, 1) = Val(test_pid)
    Debug.Print phwnd(i, 1)
    phwnd(i, 2) = Val(test_hwnd)
    Debug.Print phwnd(i, 2)
    ptext(i) = WText
    Debug.Print ptext(i)

    'Retrieve the next window
    test_hwnd = GetWindow(test_hwnd, GW_HWNDNEXT)
    Loop
    End Function

    'Fill prcPID() with the PIDs returned by EnumProcesses
    Sub processes()
    lngCBSize = 8 ' Really needs to be 16, but the loop will increment prior to calling the API
    lngCBSizeReturned = 96

    Do While lngCBSize
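    The check the post describes, window owners versus the process list, as an added example written for this page and not neocrackr's own code. It is Python with ctypes so that the Win32 calls are the same ones the VB6 module declares (EnumWindows in place of the FindWindow/GW_HWNDNEXT walk, GetWindowThreadProcessId, a Toolhelp process snapshot). The function names and the sample views are mine; the sample is constructed, not captured from a real machine. On a non-Windows host the live collection is skipped and the comparison runs over the sample.

```python
import sys
import ctypes
from collections import defaultdict

TH32CS_SNAPPROCESS = 0x00000002  # tlhelp32.h


def cross_view_hidden(window_view, process_view):
    """Return {pid: [(hwnd, class_name, title), ...]} for every PID that owns a
    top-level window (window_view) but is absent from the process list
    (process_view). DKOM unlinks the EPROCESS from the list the snapshot reads;
    win32k still knows which process each window belongs to."""
    listed = {pid for pid, _exe in process_view}
    hidden = defaultdict(list)
    for pid, hwnd, class_name, title in window_view:
        if pid == 0:
            # GetWindowThreadProcessId reports PID 0 when the lookup fails;
            # never flag that as a hidden process.
            continue
        if pid not in listed:
            hidden[pid].append((hwnd, class_name, title))
    return dict(hidden)


def enumerate_windows_win32():
    """View 1 (Windows only): (pid, hwnd, class_name, title) per top-level window."""
    user32 = ctypes.windll.user32
    WNDENUMPROC = ctypes.WINFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_ssize_t)
    seen = []

    @WNDENUMPROC
    def on_window(hwnd, _lparam):
        pid = ctypes.c_ulong(0)
        h = ctypes.c_void_p(hwnd)
        user32.GetWindowThreadProcessId(h, ctypes.byref(pid))
        title = ctypes.create_unicode_buffer(512)
        cls = ctypes.create_unicode_buffer(256)
        user32.GetWindowTextW(h, title, 512)
        user32.GetClassNameW(h, cls, 256)
        seen.append((pid.value, hwnd or 0, cls.value, title.value))
        return 1  # keep enumerating

    user32.EnumWindows(on_window, 0)
    return seen


class PROCESSENTRY32W(ctypes.Structure):
    _fields_ = [
        ("dwSize", ctypes.c_ulong), ("cntUsage", ctypes.c_ulong),
        ("th32ProcessID", ctypes.c_ulong), ("th32DefaultHeapID", ctypes.c_size_t),
        ("th32ModuleID", ctypes.c_ulong), ("cntThreads", ctypes.c_ulong),
        ("th32ParentProcessID", ctypes.c_ulong), ("pcPriClassBase", ctypes.c_long),
        ("dwFlags", ctypes.c_ulong), ("szExeFile", ctypes.c_wchar * 260),
    ]


def snapshot_processes_win32():
    """View 2 (Windows only): (pid, exe) from a Toolhelp snapshot, the list
    Task Manager shows and the one "fu.exe -ph" hides a PID from."""
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap in (None, ctypes.c_void_p(-1).value):  # INVALID_HANDLE_VALUE
        raise ctypes.WinError()
    entry = PROCESSENTRY32W()
    entry.dwSize = ctypes.sizeof(entry)
    procs = []
    ok = k32.Process32FirstW(ctypes.c_void_p(snap), ctypes.byref(entry))
    while ok:
        procs.append((entry.th32ProcessID, entry.szExeFile))
        ok = k32.Process32NextW(ctypes.c_void_p(snap), ctypes.byref(entry))
    k32.CloseHandle(ctypes.c_void_p(snap))
    return procs


# Constructed sample views (assumption, not captured data): notepad.exe with
# PID 1234 has been unlinked the way "fu.exe -ph 1234" would do it.
SAMPLE_WINDOWS = [
    (1234, 0x0005018E, "Notepad", "Untitled - Notepad"),
    (1234, 0x000601A2, "tooltips_class32", ""),
    (2088, 0x00030120, "Shell_TrayWnd", ""),
    (0, 0x00010010, "", ""),  # a window whose PID lookup failed
]
SAMPLE_PROCESSES = [(0, "[System Process]"), (4, "System"), (2088, "explorer.exe")]


def main():
    if sys.platform == "win32":
        hidden = cross_view_hidden(enumerate_windows_win32(), snapshot_processes_win32())
    else:
        hidden = cross_view_hidden(SAMPLE_WINDOWS, SAMPLE_PROCESSES)
    for pid, windows in sorted(hidden.items()):
        print(f"PID {pid} owns windows but is missing from the process list:")
        for hwnd, cls, title in windows:
            print(f"  hwnd=0x{hwnd:08X} class={cls!r} title={title!r}")
    return hidden


if __name__ == "__main__":
    main()
```

    Two limits of this check carry over from the post's approach: a hidden process that owns no window is never seen in view 1, and a rootkit that also hooks the user32/win32k window enumeration can make both views agree. Windows created and destroyed between the two enumerations can produce a one-off false hit, so a hit should be confirmed by enumerating again.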


    Rootkits_Unloader
    (by neocrackr (Project Leader) Aug 11 2006, 02:03 (UTC+0) )

    Rootkit's Unloader

    It's a tool for unmapping modules and loaded rootkit DLLs.

    It can also terminate threads and processes.
    To unload a rootkit you must first know your target's DLL.
    After finding these processes you can terminate the library.

    Tip: Before selecting this you must close and save your program's data, because this program kills all threads and you may lose your data. TerminateThread is a dangerous function that should only be used in the most extreme cases.
    You should call TerminateThread only if you know exactly what the target thread is doing, and you control all of the code that the target thread could possibly be running at the time of the termination.

    Download link, full source code with binary

    https://www.rootkit.com/vault/neocrackr/Rootkits_Unloader.rar


    Chaz Network Security Scanner v2.0
    (by neocrackr (Project Leader) Dec 27 2005, 18:51 (UTC+0) )

    Chaz Network Security Scanner is a tool that allows network administrators
    and managers to quickly and easily perform a network security audit.
    Chaz combines the functions of 30 scanners.
    The new version has the following tools:

    FTP Password Cracker
    BASE64 Password Cracker
    Hardware Information Viewer
    List Accounts On Domain
    NNTP Client
    FTP Client

    for more see http://www.rootkit.com/vault/neocrackr/chaz.pdf


    • Re: Chaz Network Security Scanner v2.0
      (by blandest (Normal user) Feb 07 2006, 09:18 (UTC+0) )

      Nice, but how is that related to rootkits ?
      Does it discover remote backdoors(rootkits) or what ?


      • Re: Chaz Network Security Scanner v2.0
        (by neocrackr (Project Leader) Feb 08 2006, 02:57 (UTC+0) )

        hi, you are right, this is not related to rootkits!

        but Chaz is a powerful tool for white hat hackers.

        have fun


        • Re: Chaz Network Security Scanner v2.0
          (by xii (Normal user) Dec 20 2006, 08:38 (UTC+0) )

          I feel.... So... Sorry for you man lololol


        • Re: Chaz Network Security Scanner v2.0
          (by danno (Normal user) Mar 03 2006, 08:40 (UTC+0) )

          I went to the site that this is supposedly hosted on, found a program hosted there (scantool, presumably the one you have described here) and downloaded it. Of course, my virus scanner found a virus on it and I deleted the program (of course I may still be infiltrated/infected).

          site
          www.geocities.com/thecrackers_group/


          What gives? Is this you?


          • Re: Chaz Network Security Scanner v2.0
            (by neocrackr (Project Leader) Mar 09 2006, 00:33 (UTC+0) )

            yeah, you're right, I'm sorry for this problem.

            the virus name is JEFOW32/ for more go to this site

            www.sophos.com and search


            • Re: Chaz Network Security Scanner v2.0
              (by MP_ART (Normal user) Jun 10 2007, 04:06 (UTC+0) )

              Nima you are clown


    chaz network scan tool
    (by neocrackr (Project Leader) Oct 20 2005, 03:35 (UTC+0) )

    hi, please download this project

    and run it in VB6. (binary, soon)

    thanks


