ROOTKIT
Saturday July 31st
Simple method of offline memory analysis
By: hoglund
By: Alcapone666

When acquiring evidence from a running compromised system, investigators often dump the \\Device\PhysicalMemory object with the dd tool (the size of the dumped image equals the total RAM present in the system). An initial incident response can be split into two simple steps:

Step 1: collect volatile data (memory).
Step 2: collect non-volatile data (volumes or drives).

There are many tools for analyzing Windows file systems (The Sleuth Kit or EnCase), and there are tools for live (online) memory analysis such as physmem and livekd from Sysinternals or winkdump from crazylord's article. But how do you analyze a dumped memory image file offline, for instance to recover the list of active processes? The simplest method is presented below:

- open the image file in a hex editor
- know the virtual address of PsActiveProcessHead (one can also start from KiWaitInListHead, etc.) and the layout of the EPROCESS block
- follow the list to find all active processes, and much more (one can go deeper into the memory image, printing the handle table, process environment blocks, etc.)

Example: the virtual address of PsActiveProcessHead in W2K with SP4 is 8046e460. After opening the image file, addresses start from 0, and the kernel region beginning at virtual address 80000000 is mapped one-to-one onto low physical memory (by default Windows 2000 places kernel address space in the upper half of the 4 GB virtual address space), so the doubly linked list head PsActiveProcessHead is located at file offset 0046e460:

0046e460 80 86 69 81 60 b4 0b 81 00 00 00 00 00 00 00 00 |..i.`...........|
0046e470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
0046e480 01 00 00 00 7c 8b c0 f3 02 00 00 00 01 00 04 00 |....|...........|

The first DWORD (little-endian 81698680) is the Flink of the list head and the second (810bb460) is the Blink, which points at the ActiveProcessLinks field of the last process in the list. ActiveProcessLinks sits at offset a0 in the EPROCESS block, so the virtual address of the last active process is 810bb460 - a0 = 810bb3c0, i.e. file offset 010bb3c0. To print the ImageFileName of this process, look at offset 1fc from the beginning of the EPROCESS block, i.e. file offset 010bb5bc. Because the hex editor shows 16 bytes per line starting from 0, this byte falls in the line that begins at 010bb5b0. Here is the result:

010bb5b0 00 00 00 00 00 00 00 00 00 00 00 00 64 64 2e 65 |............dd.e|
010bb5c0 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |xe..............|

The ImageFileName is "dd.exe": the last process in the list is the acquisition tool itself.

I hope this handy method will be helpful for some forensic investigators.
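The list walk described above, as an added example that is not part of Alcapone666's article: a small Python script that applies the same arithmetic (virtual address minus 80000000, Flink/Blink minus a0, ImageFileName at 1fc) to a raw dd image and recovers every process on the ActiveProcessLinks list, not only the last one. It runs here against a constructed in-memory image with three fake EPROCESS blocks, not a real dump. The UniqueProcessId offset 9c, the one-to-one mapping of the whole walked region onto the file, and the sample process names and PIDs are assumptions of this script rather than values from the article.

```python
import struct

# Windows 2000 SP4 (non-PAE) constants. PsActiveProcessHead and the EPROCESS
# offsets 0xa0 (ActiveProcessLinks) and 0x1fc (ImageFileName) are the values the
# article uses; UniqueProcessId at 0x9c is the Win2K layout assumed here.
KERNEL_DIRECT_BASE = 0x80000000
PS_ACTIVE_PROCESS_HEAD = 0x8046E460
OFF_UNIQUE_PROCESS_ID = 0x9C
OFF_ACTIVE_PROCESS_LINKS = 0xA0
OFF_IMAGE_FILE_NAME = 0x1FC
IMAGE_FILE_NAME_LEN = 16
MAX_PROCESSES = 4096  # guard against a corrupted or deliberately looped list


def va_to_offset(va):
    """Kernel virtual address -> file offset, as the article does (va - 0x80000000).
    Assumed valid only for the direct-mapped kernel region of a non-PAE Win2K box."""
    if va < KERNEL_DIRECT_BASE:
        raise ValueError("0x%08x is not in the direct-mapped kernel region" % va)
    return va - KERNEL_DIRECT_BASE


def read_u32(image, offset):
    """Little-endian DWORD read with a bounds check (a dd image may be truncated)."""
    if offset < 0 or offset + 4 > len(image):
        raise ValueError("offset 0x%x lies outside the %d-byte image" % (offset, len(image)))
    return struct.unpack_from("<I", image, offset)[0]


def read_eprocess(image, eproc_va):
    """Return (eprocess_va, pid, image_file_name) for the EPROCESS block at eproc_va."""
    off = va_to_offset(eproc_va)
    pid = read_u32(image, off + OFF_UNIQUE_PROCESS_ID)
    start = off + OFF_IMAGE_FILE_NAME
    if start + IMAGE_FILE_NAME_LEN > len(image):
        raise ValueError("EPROCESS at 0x%08x runs past the end of the image" % eproc_va)
    raw = bytes(image[start:start + IMAGE_FILE_NAME_LEN])
    name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return eproc_va, pid, name


def walk_active_processes(image, head_va=PS_ACTIVE_PROCESS_HEAD):
    """Follow Flink from PsActiveProcessHead until the list wraps back to the head."""
    link_va = read_u32(image, va_to_offset(head_va))  # LIST_ENTRY.Flink
    seen = set()
    procs = []
    while link_va != head_va:
        if link_va in seen or len(procs) >= MAX_PROCESSES:
            raise ValueError("ActiveProcessLinks list does not terminate at the head")
        seen.add(link_va)
        eproc_va = link_va - OFF_ACTIVE_PROCESS_LINKS  # link field -> EPROCESS base
        procs.append(read_eprocess(image, eproc_va))
        link_va = read_u32(image, va_to_offset(eproc_va) + OFF_ACTIVE_PROCESS_LINKS)
    return procs


def last_active_process(image, head_va=PS_ACTIVE_PROCESS_HEAD):
    """The article's shortcut: the head's Blink points into the last process."""
    blink_va = read_u32(image, va_to_offset(head_va) + 4)  # LIST_ENTRY.Blink
    return read_eprocess(image, blink_va - OFF_ACTIVE_PROCESS_LINKS)


def build_sample_image():
    """Constructed image (not a real dump): three fake EPROCESS blocks linked
    through a list head placed at the article's PsActiveProcessHead address."""
    image = bytearray(0x480000)
    fake_procs = [(0x80100000, 8, b"System"),
                  (0x80200000, 152, b"winlogon.exe"),
                  (0x80300000, 1232, b"dd.exe")]
    nodes = [PS_ACTIVE_PROCESS_HEAD] + [va + OFF_ACTIVE_PROCESS_LINKS for va, _, _ in fake_procs]
    for i, node in enumerate(nodes):
        flink = nodes[(i + 1) % len(nodes)]
        blink = nodes[(i - 1) % len(nodes)]
        struct.pack_into("<II", image, va_to_offset(node), flink, blink)
    for va, pid, name in fake_procs:
        off = va_to_offset(va)
        struct.pack_into("<I", image, off + OFF_UNIQUE_PROCESS_ID, pid)
        start = off + OFF_IMAGE_FILE_NAME
        image[start:start + IMAGE_FILE_NAME_LEN] = name.ljust(IMAGE_FILE_NAME_LEN, b"\0")
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for va, pid, name in walk_active_processes(img):
        print("EPROCESS 0x%08x  pid %5d  %s" % (va, pid, name))
    print("last process:", last_active_process(img))
```

To run it on a real W2K SP4 image, pass the contents of the dd file in place of the constructed image. The bounds checks matter because a dd image can be shorter than physical memory, and the cycle guard because a corrupted list would otherwise loop forever. The walk only recovers what the list still contains: a process that has been unlinked from ActiveProcessLinks will not appear, which is one reason to cross-check against the other starting points the article mentions, such as KiWaitInListHead.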