main menuhome
forums
Show me new threads!
bookmarks
post article
view blogs
vault you must be level 2 to upload files to your vault
downloads you must be logged to access downloads
Rootkit Collection
A news back-end to implement RootKit news into your website is here or more advanced version here.
An XML/RSS feed that includes both NEWS and BLOGS for RootKit is here: XML/RSS.
![[Valid RSS]](valid-rss.png "Validate my RSS feed")
Beta feed for replied posts here. feedback to admins not forums, we know about times being off...
|
ROOTKIT
First to set up camp.
|
Saturday July 31st |
| | Featured Article: Nostalgia: n00bk1t, an advanced ring3 rootkit in C by jeffosz | HVM- going into details
By: Dr.EXEPart 1
This is my first article so I expect you not to be rigorous.
Of course all of us experience lots of problems and maybe stuck in something when we try to get deeper into anything new. So that’s why I write this article.
We’ll try to understand the AMD Pasifica’s some ‘hidden’ details (at least there were hidden for me).I’ll give you the part of text from AMD’s manual, which they thing must help you to write correct code.
continued...
|
|
Kernel Sockets Module based on TDI and WSK - updated
@ :: worthy ::
Mar 01 2010, 21:26 (UTC+0) | bardano writes:
/*
** This code is published under the GNU GENERAL PUBLIC LICENSE without any warranties.
*/
//***************************************************************************************************
Kernel Sockets Module is designed to provide a simple, common WinSock-like interface for network programming in kernel mode without depending on the target operating system. On Windows XP and Windows Server 2003, it uses the Transport Driver Interface (TDI) implementation, on Windows Vista, Windows Server 2008 and Windows 7 - Windows Sockets Kernel (WSK) implementation. The two parts of code are separated by conditional compilation directives. Interface is common. A simple SMTP-client is provided as a demonstration of client functions. BackDoor module demonstrates server functions. The proposed solution - a fully working example, which sends e-mail to a specific mailbox on the server "mail.ru". Account Settings you can find inside the solution.
continued...
. . . |
|
Nostalgia: n00bk1t, an advanced ring3 rootkit in C
@ :: deep article ::
Feb 27 2010, 18:41 (UTC+0) | jeffosz writes: I had this laying around for a few years now. Maybe someone finds it useful :)
n00bk1t
-------
0x01 About
----------
n00bk1t is a user-mode (ring3) rootkit. It is very similar to hxdef but it's written
completely in C (well, 99% of it). It has the ability to hide processes/files/regkeys/
ports/services/.... It also logs windows login (local,via TS and runas) information and
ftp/pop3 (plain/ssl) password(s). It's not perfect but it fool's alot of users ;)
continued...
. . . |
|
TDL3 - Why so serious? Let's put a smile on that face ..
@ :: deep article ::
Nov 09 2009, 07:59 (UTC+0) | thug4lif3 writes: Abstract:
TDL or TDSS family is a famous trojan variant for its effectiveness and active technical development. It contains couple compoments: a kernel-mode rootkit and user-mode DLLs which performs the trojan operation such as downloaders, blocking Avs, etc,. Since the rootkit acts as an “injector” and protector for the usermode bot binaries, almost all technical evolutions of this threat family focus on rootkit technology so as to evade AV scanners.
As in its name, TDL3 is 3rd generation of TDL rootkit which still takes its aims at convering stealthy existences of its malicious codes. Beside known features, this threats is exposed with a couple of impressive tricks which help it bypassing personal firewall and staying totally undetected by all AVs and ARKs at the moment. These aspects and techniques will be discussed in more detail in the sections that follow.
continued...
. . . |
|
Access token stealing on Windows
@ :: deep article ::
Sep 26 2009, 04:38 (UTC+0) | csaba writes: Token manipulation in the past
The well known way of manipulating access tokens was introduced by Greg Hoglund in 2004, and the proof of concept code was published in the famous FU rootkit. This technique modified the memory region pointed to by UserAndGroups and RestrictedSids. This memory region is the dynamic part of the access token. In Windows versions prior to Windows Vista there were no integrity checks on these fields, therefore it was possible to add and remove SIDs.
New integrity checking features introduced in Vista
In new versions of Windows starting with Vista two new fields appeared in the _TOKEN structure: SidHash and RestrictedSidHash.
These two fields contain the hashes of the SIDs stored in the dynamic part of the token in order to prevent accidental or intended modification. The hashes are checked every time the token is used. This results in the fact that the technique developed by Greg Hoglund cannot be used in recent versions of Microsoft Windows.
continued...
|
|
One safe hook handler - E8 Method, paper
@ :: worthy ::
Aug 05 2009, 12:37 (UTC+0) | Dreg writes: There exist different libraries to set hooks, lot of them in Windows, but
time ago we faced a specific problem for which no solution nor documentation
were found about. The problem is: how to setup hooks for several APIs in runtime,
reading from a configuration file that gives the APIs and prototypes? When
discussing about this idea I got another question in response: why do you want to
do that? My answer was: I don't want to develop a different handler for every hooked API
and compile every time for it to work, and I don't want to build a run time Handler creator.
We cam sum up in two requisites:
1.- Use some kind of technology that does not require previous compiling.
2.- Develop some kind of macro to simplify the coding and reduce compile errors.
As I was not convinced of these solutions, I started to think about this problem
and about what I really want, so the right question appeared: What do I need to
do what I want? And the answer is simple: Having one handler for every hook, just
know when it is called, which API/hook is the caller and then take proper decissions.
That's it!, I need and "API ID". Or best expressed, I need a "hook_caller ID"
This is the point where I need to mention that the hook method I need is "Detours"
[R.9] [R.6], said, insert a JMP, PUSH + RET ... in the address where we want
to place the hook. I selected this method [R.9] taking care about that
some of the other methods have a problem when you call directly the memory address where the
hook lies, so the handler it is not executed, i.e. IAT HOOKING. In the methods that
insert JMP, PUSH + RET... in reserved memory or padding bytes, direct calls don't
execute the handler. As my first priority was to intercept every call to the hooked APIs,
the "Detours" method [R.9] [R.6] that overwrites instructions where we want our hook
placed, looked the best. Though this method implies the use of some kind of LDE
(Length-Disassembler Engine) [R.7], among other things, there exist libraries in the
web that allow us to use this method in Windows without any trouble.
continued...
|
|
Network Programming Interface of Windows Vista/2008: internals, using and hacking
@ :: deep article ::
May 17 2009, 15:15 (UTC+0) | MaD. writes: The release of Windows Vista has brought a lot of the new features within the network subsystem. Microsoft has limited TDI, making it available for use with legacy drivers only; NDIS has advanced to the very different version 6. Flexible and robust APIs, the interface’s scalability – that’s what Microsoft says in its presentations. But not all of this goes well, the security software vendors prefer to use poorly documented and sometimes unstable ways for the hooks’ installation. In this article I’m going to tell you something about the newest features of Windows Vista – the Network Programming Interface. There are several features of the network subsystem, such as the Winsock Kernel, which will be discussed here. The main thing of the article is to show how the personal firewalls’ vendors build their products under Windows Vista, the features and hacks they use to achieve the robustness of the firewalls and how the firewalls can be bypassed on this level.
continued...
. . . |
|
the older posts:
- Implementing SMM PS/2 Keyboard sniffer
Feb 10 2009, 13:45 (UTC+0)
- Windows Auxiliary API library - Internals
Dec 23 2008, 16:33 (UTC+0)
- CodeWalker: Another AntiRootkit Tool
Dec 21 2008, 16:44 (UTC+0)
- Interrupt Descriptor table explained.
Nov 18 2008, 08:00 (UTC+0)
- Hide your SSDT hooks
Nov 07 2008, 18:06 (UTC+0)
- How Memory Analysis Works to Perform Integrity Checking
Nov 02 2008, 22:37 (UTC+0)
- CsrWalker - using csrss as rkdetector
Sep 10 2008, 09:48 (UTC+0)
- Rootkit Unhooker v3.8 It's Past, Present and Future of the NTx86 Rootkit Detection
Aug 13 2008, 06:31 (UTC+0)
- [download]The Most Powerful BotNet attacker------icepoint
Jul 28 2008, 19:07 (UTC+0)
- Vista System Restore Rootkit
Jul 27 2008, 04:54 (UTC+0)
|
ROOTKITS, Subverting the Windows Kernel
By: Greg Hoglund and Jamie Butler
Rootkits are powerful tools to compromise computer systems without detection. Get the original and best book on the subject here.
|
active for last 5 minutes
registered users:79912
There are currently 0 registered users and 18 guests browsing the website.
Welcome our latest registered user: Pris
| Jul 31, 12:06 |
| May 09, 04:30 |
| May 08, 15:33 |
| May 04, 15:42 |
| May 02, 03:59 |
| Best Screenshots / Analog |
| the most active news users |
based on the number of news posts for last 30 days
|
