ROOTKIT
Thursday September 02nd
modGREPER - hidden kernel modules detector
By: joanna

modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through whole kernel memory (0x80000000 – 0xffffffff) in order to find structures which look like valid module description objects. Currently the two most important object types are recognized: the well known _DRIVER_OBJECT and _MODULE_DESCRIPTION.

modGREPER has some sort of artificial intelligence built in, which allows it to recognize if the given bytes actually describe a module-specific object. The term AI for this algorithm is probably a little bit exaggerated, since it is just a few bunches of logical rules which should be satisfied by the potential fields of the structure in question.

modGREPER builds a list of found objects, matches them to each other and finally compares this list against the list of kernel modules obtained with the documented API (EnumDeviceDrivers). modGREPER should be able to detect all kinds of module hiding techniques used today.

Some of the modules are also marked as “SUSPECTED”. This applies to (not hidden) modules whose corresponding image files are either not present or lie within hidden directories (hidden by the rootkit, not the system). This feature was added because, sadly, most of the rootkits do not even try to hide their kernel modules against the API!

modGREPER is also able to find and display the list of unloaded kernel modules. This way it is sometimes possible to detect also more advanced driverless kernel rootkits. However the list has some limitations – it is of a limited capacity and contains only the module base name (no path included).

Q: Is it possible to write a kernel rootkit which will not be detected by a tool like modGREPER?
A: Yes it is.

Q: What is the reason to release such a tool then?
A: To stimulate people to write more subtle rootkits :)

Q: What about userland rootkits?
A: Userland rootkits can ALWAYS be detected with much simpler means. Also, some of the rootkits which are believed to be usermode only do contain some kernel modules as well. Now you can find out which :)

WARNING: This is an experimental tool and there is completely no warranty for it. It can blue screen your machine without a single question. Use at your own risk! Especially please note that, as with many other AI based tools, some false positives may be possible (though they are rather unlikely). Use the “-v” switch to examine all suspected situations.

Get the tool here: http://invisiblethings.org/tools/modGREPER-0.1-bin.zip
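As an added example (not code from the post or from modGREPER itself), the C program below models the approach the post describes: slide a window over a constructed memory image, keep only candidates whose fields satisfy a few logical rules for a cut-down _DRIVER_OBJECT, and report every base the documented-API list does not know about. The struct layout, the rules, the addresses and the API list are assumptions; only the 0x80000000 scan boundary from the post and the Type value 4 of a real _DRIVER_OBJECT are taken from the real thing.

```c
/* Simplified model of the post's approach: scan a byte image as if it were kernel
 * memory, keep candidates that pass structural rules for a _DRIVER_OBJECT, then diff
 * the hits against an API list. Struct, rules and image are constructed, not modGREPER's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KERNEL_LO 0x80000000u            /* low end of the scan range given in the post */
#define IO_TYPE_DRIVER 4                 /* Type field of a real _DRIVER_OBJECT */
/* Assumed layout: only the fields the rules consult; a real object has many more. */
typedef struct { uint16_t type, size; uint32_t driver_start, driver_size, driver_init; } drv_t;
/* The "AI": logical rules every field of a candidate must satisfy. */
int looks_like_driver(const drv_t *d) {
    if (d->type != IO_TYPE_DRIVER || d->size != sizeof(drv_t)) return 0;
    if (d->driver_start < KERNEL_LO || d->driver_size == 0) return 0;     /* not a kernel image */
    if ((uint64_t)d->driver_start + d->driver_size - 1 > UINT32_MAX) return 0; /* wraps address space */
    return d->driver_init >= d->driver_start && d->driver_init - d->driver_start < d->driver_size;
}
/* Slide a 4-byte-aligned window over mem and record the base of every hit. */
size_t scan(const uint8_t *mem, size_t len, uint32_t *bases, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off + sizeof(drv_t) <= len && n < max; off += 4) {
        drv_t d; memcpy(&d, mem + off, sizeof d);       /* copy out: no unaligned reads */
        if (looks_like_driver(&d)) bases[n++] = d.driver_start;
    }
    return n;
}
static int in_list(const uint32_t *a, size_t n, uint32_t v) { while (n--) if (a[n] == v) return 1; return 0; }
/* Anything found in memory but absent from the API list is reported as hidden. */
size_t find_hidden(const uint32_t *seen, size_t ns, const uint32_t *api, size_t na,
                   uint32_t *out, size_t max) {
    size_t nh = 0;
    for (size_t i = 0; i < ns && nh < max; i++)
        if (!in_list(api, na, seen[i])) out[nh++] = seen[i];
    return nh;
}
/* Constructed image: a legit object, a decoy whose entry point lies outside its image,
 * and an object the constructed API list omits. Returns the hidden base, 0 if none. */
uint32_t run_demo(void) {
    uint8_t mem[96] = {0};
    drv_t legit  = {IO_TYPE_DRIVER, sizeof(drv_t), 0xf7c20000u, 0x8000u, 0xf7c20100u};
    drv_t decoy  = {IO_TYPE_DRIVER, sizeof(drv_t), 0xf9000000u, 0x1000u, 0x80001000u};
    drv_t hidden = {IO_TYPE_DRIVER, sizeof(drv_t), 0xf8a12000u, 0x4000u, 0xf8a12400u};
    memcpy(mem + 4, &legit, sizeof legit);
    memcpy(mem + 32, &decoy, sizeof decoy);
    memcpy(mem + 60, &hidden, sizeof hidden);
    uint32_t api[] = {0xf7c20000u, 0x80400000u}, found[8], h[8];  /* stands in for EnumDeviceDrivers */
    size_t nh = find_hidden(found, scan(mem, sizeof mem, found, 8), api, 2, h, 8);
    return nh == 1 ? h[0] : 0;
}
int main(void) { printf("hidden module base: 0x%08x\n", run_demo()); return 0; }
```

The decoy shows why field cross-checks matter: it has the right Type and Size, so a plain signature match would accept it, but its entry point is not inside the image it claims.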