main menu
vault
you must be level 2 to upload files to your vaultdownloads
you must be logged to access downloadsRootkit Collection
| File | Contributer | Link |
| Hacker Def... | hf | n/a |
| HE4Hook | admin | n/a |
| BASIC CLAS... | hoglund | n/a |
| Vanquish | xshadow | n/a |
| NT Rootkit | hoglund | n/a |
| FU | fuzen_op | n/a |
| WinlogonHi... | JeFFOsZ | n/a |
| klister | joanna | n/a |
| Patchfinde... | joanna | n/a |
| MyNetwork | hoglund | n/a |
| MTDWin | hoglund | n/a |
| NTFSHider | hoglund | n/a |
| VideoCardK... | hoglund | n/a |
| VICE | fuzen_op | n/a |
| Klog | Clandestin... | n/a |
| NtIllusion | Kdm | n/a |
| AFX Rootki... | TheRealAph... | n/a |
| SInAR | vulndev | n/a |
| Shadow Wal... | Clandestin... | n/a |
| BootRootki... | dereksoede... | n/a |
| CHAZ - Nim... | neocrackr | n/a |
| Clandestin... | merlvingia... | n/a |
| FUTo | petersilbe... | n/a |
| Windows Me... | alcapone66... | n/a |
| RAIDE | petersilbe... | n/a |
| BOOT KIT | vipinkumar | n/a |
| BluePill | Joanna and... | n/a |
| DEFRAG | blume1975 | n/a |
| Keyboard H... | chpie | n/a |
| CheatEngin... | DarkByte | n/a |
| short description | Vanquish is a DLL injection based Romanian rootkit that hides files, folders, registry entries and logs passwords. |
| long description: | Source code and compiled binary are in my vault. |
| project leader: | xshadow |
| homepage: | |
| changelog: | https://www.rootkit.com/vault/xshadow/ReadMe.txt |
| download: | link |
| view options: unpacked threads | collapsed threads | old style view | |
- Re: Fails to inject into most processes including explorer! (XP2)
(by encpx (Untrusted stranger) May 08 2007, 15:21 (UTC+0) )Ah, is this DEP in action? I hope so, now I just need to find some information on disabling it.
- Re: Having some problems...
(by michaelwu (Untrusted stranger) Dec 11 2008, 11:22 (UTC+0) )the same to you.
who can help us? - Re: Remove and Re-Install
(by Sting3r11 (Untrusted stranger) Dec 01 2006, 02:08 (UTC+0) )err.. a little clarification;
Exact MSG is
Removing:
Checking for previous installation...
Vanquish is not installed. Nothing to remove.
Press any key to continue
- Re: Remove and Re-Install
(by BlackBlade (Normal user) Jan 31 2007, 07:16 (UTC+0) )I got it! If it sais that it is already installed type in command promt (in the setup.cmd)
setup do remove
It will say its installed in C:\WINDOWS
type y them press enter.
Then it will say thats its removed and you dont need to restart system!- Re: Remove and Re-Install
(by kevii (Untrusted stranger) Jun 06 2007, 00:13 (UTC+0) )What he means is that when he tries to install it says:
Previous vanquish already installed so remove
And when he tries to remove it says that there is no vanquish
SO you cant remove or install
Happening to me. sucks- Re: Remove and Re-Install
(by rootkit_xu (Untrusted stranger) Jul 05 2007, 22:25 (UTC+0) )Copy vanquish.exe to C:\Windows,and then try again.
- Re: Remove and Re-Install
(by p1p0 (Untrusted stranger) Apr 15 2008, 21:12 (UTC+0) )That one solved the problem
- Re: Remove and Re-Install
- Re: Remove and Re-Install
- Re: Remove and Re-Install
- Re: Remove and Re-Install
- Re: Suggesting to improve
(by SC_Modder (Rootkit Contributor) Mar 31 2007, 18:47 (UTC+0) )The problem with that is that ASM opcodes aren't going to be perfectly even on 5 bytes.
For example, say you hooked GetCurrentProcessId:
GetCurren> 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
7C809926 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20]
7C809929 C3 RETN
Copying the first 5 bytes of that instruction into a buffer and having a JMP after could change that entirely to look like this:
GetCurren> 64:A1 180000E9 MOV EAX,DWORD PTR FS:[E9000018]
7C809926 0000 ADD BYTE PTR DS:[EAX],AL
7C809928 0000 ADD BYTE PTR DS:[EAX],AL
Which obviously would crash. - Re: Compile Error!
(by deros68x (Normal user) Jul 18 2006, 00:14 (UTC+0) )add the following line of definitions
HANDLE OpenThread(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwThreadId); - Re: Vanquish v0.2.1
(by helpmsg (Normal user) Mar 27 2007, 21:52 (UTC+0) )hello xshadow !
If you can, please send me a copy of source.. plz..
e-mail:helpmsg@gmail.com
Thank you very much! - Re: Vanquish v0.2.1
(by jskk123 (Untrusted stranger) May 17 2006, 02:53 (UTC+0) )hello xshadow !
If you can, please send me a copy of source.. plz..
e-mail:jskkk123@empal.com
Thank you very much!
- Re: Vanquish v0.2.1
(by junkie213 (Untrusted stranger) May 08 2006, 02:37 (UTC+0) )I did setup do remove but it said vanquish not installed, nothing to do. BUT i have named a folder vanquish and it disappeares... HELP!
- Re: Vanquish v0.2.1
(by 0macro0 (Untrusted stranger) Aug 03 2006, 07:23 (UTC+0) )Yeah, I installed vanquish v0.2.1 on my windows 2003 advanceded server. I did setup.cmd do install and it was installing but it said something along the lines as 'bind' was not an operable command or something of the sort. then it said vanquish had been installed. Now if i name a folder vanquish it just stays as the previous folder name and I cant change its name, delete it, or open it. So I went back and did setup.cmd do uninstall and it said it wasnt a valid command, so then restarted cmd.exe and navigated to the directory the setup.cmd is in and did the command ls and it said that wasnt a valid command. So its messed up and I cant Unistall it.
- Re: Vanquish v0.2.1
(by banme (Normal user) Apr 16 2007, 18:48 (UTC+0) )First off ur a moron...
second off know when to use ls command and when to use DIR
deee dee deeee...
bind isnt a operable command cause the bind.exe FILE prolly wasnt in the same Direcory as the setup.cmd file or the startup directory of setup.cmd wasnt set properly or well w.e u get the point do some of ur own footwork and go about things with a more inquisitive attitude and a more in depth research as to why.- Re: Vanquish v0.2.1
(by smiller (Untrusted stranger) Aug 20 2008, 17:58 (UTC+0) )First off, I need to say sorry that I'm a rootkit beginner so please have sympathy, but after I installed Vanquish I wasn't sure what to do next. I'm trying to hide some processes (i.e. netcat and the cmd when I telnet it) and possibly hide the folder that it resides in but I'm not sure what I need to do or how to use this rootkit. I was able to use FU but I always needed the PID for those processes, so I was hoping that Vanquish did it automatically and kept it hidden without intervention on each server 2003 reboot. Help?
- Re: Vanquish v0.2.1
- Re: Vanquish v0.2.1
- Re: Vanquish v0.2.1
- Re: Source is back
(by Metahuman (Normal user) May 28 2005, 16:31 (UTC+0) )Hey! Thats great news...
Am waiting for the new release!
Already been 4 weeks now! - Re: where is src?
(by forc1 (Normal user) Nov 13 2006, 02:59 (UTC+0) )downloads -> xshadow's vault -> vanquish-0.2.1-src.zip
| finding vanquish? (by killachains82 (Untrusted stranger) Apr 07 2009, 10:38 (UTC+0) )
I ran setup.cmd and went to c:\WINDOWS. but then I ran it, and everything staring with vanquish was hidden, which is good. but now I cant find setup because I left it in the vanquish folder. how do I remove it? |
| Can you help me? (by michaelwu (Untrusted stranger) Dec 11 2008, 11:29 (UTC+0) )
how can i use this rootkit? |
| Compiling Error (by thygamer (Normal user) Dec 29 2007, 17:28 (UTC+0) )
C:\Documents and Settings\Guy\Desktop\vanquish-0.2.1\bin\vanquish-0.2.1-src\injec.cpp(197) : error C2065: 'OpenThread' : undeclared identifier |
| Blue Screen (by rootkit_xu (Untrusted stranger) Jul 11 2007, 10:56 (UTC+0) )
Vanquish will not work properly in Windows XP Pro SP2 with IE7 and a lot of KB Patches.System will appear blue screen when user try loging into Windows after Windows is restarted,and also when Windows is shutdowning (It is Intermittent issue not appear every time).And many applications work unstable include Explorer.EXE. |
| Fails to inject into most processes including explorer! (XP2) (by encpx (Untrusted stranger) May 08 2007, 15:13 (UTC+0) )
Running vanquish -install from the windows directory causes the dll to only be injected to a few processes. It is then hidden from those processes only. |
| Having some problems... (by mistic0017 (Untrusted stranger) Apr 02 2007, 12:52 (UTC+0) )
I'm testing Vanquish on a XP (No SP) VM and I'm having a little trouble getting things to work (that or I'm entirely incompetent). It's entirely possible that I missed what I needed to read... but here goes. |
| Monitoring Software Work-around? (by brodyh (Untrusted stranger) Feb 22 2007, 21:38 (UTC+0) )
I tried to use this rootkit on a computer with CybraryN monitoring software, which is supposed to block the Start menu. However, since Vanquish overwrote the API (right?) the Start menu is re-enabled. Is there a way around this? |
| Remove and Re-Install (by Sting3r11 (Untrusted stranger) Dec 01 2006, 02:04 (UTC+0) )
Having a few troubles. Was fooling around with Vanquish earlier, testing some of it capabilities and all the cmds etc. And I "setup do remove" and then did a reboot later on. I then attempt to Re-install as I did want to use it, now I get the msg that its already installed when i try and install it, and get the msg that its removed if I try and remove it... Any ideas? |
| Suggesting to improve (by yytg (Normal user) Nov 21 2006, 14:46 (UTC+0) )
Cold be a bug wane hooking a fast "multi thread" process |
| great kit man! could you help me tweak and clear a few bugs up? (by c0w (Untrusted stranger) Jul 18 2006, 10:24 (UTC+0) )
xshadow, Great job on this rootkit man! Just 1 problem (actually 3...) |
| Win 2k3 Server SP 1 (by fourton (Normal user) May 28 2006, 14:12 (UTC+0) )
I just tested Vanquish on 2003 Server with SP1. |
| Compile Error! (by toni93 (Normal user) May 09 2006, 13:32 (UTC+0) )
Hello! |
| Vanquish v0.2.1 (by xshadow (Project Leader) Nov 04 2005, 17:54 (UTC+0) )
As the subject says :) |
| Source is back (by xshadow (Project Leader) Apr 30 2005, 07:35 (UTC+0) )
By popular request, the source is back. Expect a brand-new vanquish release in a few weeks (hopefully). |
| where is src? (by Kilo.XIE (Normal user) Jan 07 2005, 13:40 (UTC+0) )
Vanquish is a good utility. You said that src and bin is in your vault. But i couldn't find src. Can you give me a copy of src? |