Rootkits have long been a kind of back door on *NIX systems, and now they are becoming popular on Windows as well. A rootkit normally hides itself, so it is not as easy to find as an ordinary back door. The most popular Windows back door at the moment is the foreign HXDEF, whose source code has been released. HXDEF does not hide its own process well enough, and there are many ways to find it, but future rootkits will do a better job of hiding processes, or will avoid having a process at all so that detection methods which look for the rootkit by examining processes no longer work. It is known that the new version of HXDEF has already begun to use a different process-hiding method, and a third-party tool has been developed that hides other programs' processes in a way that KLister cannot find. Naturally there are many ways to detect rootkits; here I introduce one that is feasible but has limitations. Ordinary rootkits such as HXDEF and the domestic NTRootkit behave the same way: as long as we enumerate services remotely, we should be able to detect the rootkit's presence.
The principle is to enumerate the system's services remotely. HXDEF and NTRootkit hide their service from local enumeration but cannot hide it from remote enumeration, so by comparing the remote enumeration with the local one we find the service the rootkit is hiding. The method is limited to remote systems that allow remote authentication (IPC, RPC, and so on), and it only catches rootkits that leave the remote path alone; one that also hooks the Service Control Manager's RPC server side on the target would hide from both views.
The following code enumerates all running Win32-type services, either locally or remotely; change the enumerated service type and it enumerates all services (Win32 and drivers). By comparing the remote and local results you should be able to tell whether a service is hidden. Remote enumeration requires the remote system to allow IPC remote authentication.
```c
// ****************************************************************************
// Version: v1.0
// Coder: Wineggdrop
// Date Release: null
// Purpose: To view local or remote Win32 services (a way to detect some rootkits)
// Test Platform: Win 2k Pro and Server SP4
// Compiled On: VC 6.0
// Others:
//   A way to detect rootkits by comparing the results of listing services
//   locally and remotely, since most rootkits do not hide services in a
//   remote session.
//   The code only lists Win32 services. Modifying the service type can list
//   all services (Win32 + driver).
// Limitation: IPC connection must be enabled on the remote host
// ****************************************************************************
#include <stdio.h>
#include <string.h>
#include <windows.h>

#pragma comment(lib, "Advapi32.lib")
#pragma comment(lib, "Mpr.lib")

// Function prototype declarations
BOOL ListRemoteService(const char *RemoteIP, const char *UserName, const char *Password);
BOOL ListSpecifiedTypeService(const char *RemoteIP, const DWORD dwServiceType);
BOOL EstablishIPCConnection(const char *RemoteIP, const char *UserName, const char *Password);
BOOL DisconnectIPC(const char *RemoteIP);
// end of function prototype declarations

int main(int argc, char *argv[])
{
    if (argc != 4 && argc != 2)  // wrong argument count: display usage and exit
    {
        printf("Usage:   %s local | \\\\remoteip username password\n", argv[0]);
        printf("Example: %s \\\\12.12.12.12 test test\n", argv[0]);
        printf("Example: %s local\n", argv[0]);
        return -1;
    }

    if (argc == 4)
    {
        ListRemoteService(argv[1], argv[2], argv[3]);  // list the remote host's services
    }
    else if (_stricmp(argv[1], "local") == 0)  // list local services
    {
        ListSpecifiedTypeService(NULL, SERVICE_WIN32);
    }
    return 0;
}  // end of main()

// Purpose: list services remotely
// Return type: BOOL
// Parameters:
//   in: const char *RemoteIP  -> remote IP to connect to
//   in: const char *UserName  -> user name for the IPC connection
//   in: const char *Password  -> password for the IPC connection
BOOL ListRemoteService(const char *RemoteIP, const char *UserName, const char *Password)
{
    char RemoteAddress[128] = {0};
    DWORD dwServiceType = SERVICE_WIN32;

    if (strncmp(RemoteIP, "\\\\", 2) != 0)  // check whether it is already in \\ip form
    {
        _snprintf(RemoteAddress, sizeof(RemoteAddress) - 1, "\\\\%s\\IPC$", RemoteIP);  // prepend \\ if not
    }
    else
    {
        _snprintf(RemoteAddress, sizeof(RemoteAddress) - 1, "%s\\IPC$", RemoteIP);
    }

    printf("Connecting IPC...\r");
    if (!EstablishIPCConnection(RemoteAddress, UserName, Password))  // failed to connect
    {
        printf("Fail to establish IPC connection\n");
        return FALSE;
    }
    printf("Connecting IPC OK\n");

    ListSpecifiedTypeService(RemoteIP, dwServiceType);  // list services remotely
    return DisconnectIPC(RemoteAddress);
}  // end of ListRemoteService()

// Purpose: list services of the given type
// Return type: BOOL
// Parameters:
//   in: const char *RemoteIP      -> remote IP to connect to (NULL = local machine)
//   in: const DWORD dwServiceType -> the service type to enumerate
BOOL ListSpecifiedTypeService(const char *RemoteIP, const DWORD dwServiceType)
{
    char RemoteAddress[128] = {0};
    LPENUM_SERVICE_STATUS lpServices = NULL;
    DWORD nSize = 0;
    DWORD nServicesReturned = 0;
    DWORD nResumeHandle = 0;
    SC_HANDLE schSCManager = NULL;
    BOOL flag = FALSE;
    DWORD i = 0;
    UINT j = 0;

    if (RemoteIP != NULL)  // list services remotely
    {
        if (strncmp(RemoteIP, "\\\\", 2) != 0)  // check whether it is in \\ip form
        {
            _snprintf(RemoteAddress, sizeof(RemoteAddress) - 1, "\\\\%s", RemoteIP);  // prepend \\ if not
        }
        else
        {
            _snprintf(RemoteAddress, sizeof(RemoteAddress) - 1, "%s", RemoteIP);
        }
    }

    // Enumerating only needs SC_MANAGER_ENUMERATE_SERVICE; the original asked for
    // SC_MANAGER_ALL_ACCESS, which needlessly fails for non-administrator accounts.
    schSCManager = OpenSCManager(RemoteIP != NULL ? RemoteAddress : NULL, NULL,
                                 SC_MANAGER_ENUMERATE_SERVICE);
    if (schSCManager == NULL)  // failed to open the SCM
    {
        printf("Fail to open SCM\n");
        return FALSE;
    }

    lpServices = (LPENUM_SERVICE_STATUS)LocalAlloc(LPTR, 64 * 1024);  // allocate RAM
    if (lpServices == NULL)  // failed to allocate RAM
    {
        printf("Fail to allocate RAM\n");
        goto cleanup;
    }

    // Enumerate all running services of the requested type. Loop on the resume
    // handle so a host with more services than fit in 64 KB is still listed in
    // full (the original treated ERROR_MORE_DATA as a failure).
    printf("%-4s%-34s%s\n\n", "No.", "ServiceName", "DisplayName");
    do
    {
        if (!EnumServicesStatus(schSCManager, dwServiceType, SERVICE_ACTIVE, lpServices,
                                64 * 1024, &nSize, &nServicesReturned, &nResumeHandle)
            && GetLastError() != ERROR_MORE_DATA)
        {
            printf("Fail to enum service\n");
            goto cleanup;
        }
        // Display the services, numbered so the local and remote lists are easy to compare
        for (i = 0; i < nServicesReturned; i++)
        {
            printf("%-4u%-34s%s\n", ++j, lpServices[i].lpServiceName, lpServices[i].lpDisplayName);
        }
    } while (nResumeHandle != 0);
    flag = TRUE;

cleanup:
    if (lpServices != NULL)
        LocalFree(lpServices);
    CloseServiceHandle(schSCManager);
    return flag;
}  // end of ListSpecifiedTypeService()

// Purpose: establish the IPC connection
// Return type: BOOL
// Parameters:
//   in: const char *RemoteIP  -> remote \\ip\IPC$ share to connect to
//   in: const char *UserName  -> user name for the IPC connection
//   in: const char *Password  -> password for the IPC connection
// This is too simple, I won't comment it
BOOL EstablishIPCConnection(const char *RemoteIP, const char *UserName, const char *Password)
{
    NETRESOURCE net;
    memset(&net, 0, sizeof(net));
    net.lpLocalName = NULL;
    net.lpRemoteName = (char *)RemoteIP;
    net.dwType = RESOURCETYPE_ANY;
    net.lpProvider = NULL;
    return (WNetAddConnection2(&net, Password, UserName, CONNECT_INTERACTIVE) == NO_ERROR);
}  // end of EstablishIPCConnection()

// Purpose: drop the IPC connection
// Return type: BOOL
// Parameters:
//   in: const char *RemoteIP -> remote \\ip\IPC$ share to disconnect
// This is too simple, I won't comment it
BOOL DisconnectIPC(const char *RemoteIP)
{
    return (WNetCancelConnection2(RemoteIP, 0, TRUE) == NO_ERROR);
}  // end of DisconnectIPC()
// end of file
```

In fact there is no need to write a program at all: a ready-made tool, sc.exe, can query the services of a remote machine. But sc.exe prints every detail of every service, whereas all we care about is the service name and display name of the services that are running, and putting a number in front of each service makes the comparison easier. For example, if the last service number in the remote enumeration is 40 but the last number in the local enumeration is 35, you already know that 5 services are hidden.
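Counting numbered lines only says how many services are hidden; comparing the two lists by name also says which ones. The following is an added example, not Wineggdrop's code: a portable C routine with no Windows dependencies that takes two constructed name lists standing in for the tool's remote and local output and returns the names present remotely but absent locally. Names are compared case-insensitively because Windows service names are not case-sensitive, and "HiddenSvc" is a placeholder, not a real rootkit service name.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Windows service names are case-insensitive, so compare them that way. */
static int svc_name_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int in_list(const char *name, const char *const list[], size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (svc_name_eq(name, list[i]))
            return 1;
    return 0;
}

/* Compare the two enumerations: every name seen by the remote SCM session
 * but absent from the local one is a candidate hidden service. Returns the
 * number found and stores up to max_out of them in out[]. */
size_t hidden_services(const char *const remote[], size_t n_remote,
                       const char *const local[], size_t n_local,
                       const char *out[], size_t max_out)
{
    size_t i, found = 0;
    for (i = 0; i < n_remote; i++) {
        if (!in_list(remote[i], local, n_local)) {
            if (found < max_out)
                out[found] = remote[i];
            found++;
        }
    }
    return found;
}

/* Constructed sample lists standing in for the tool's remote and local output;
 * "HiddenSvc" is a placeholder name, not a real rootkit service. */
static const char *const SAMPLE_REMOTE[] = { "Eventlog", "lanmanserver", "RpcSs", "HiddenSvc" };
static const char *const SAMPLE_LOCAL[]  = { "EventLog", "LanmanServer", "RpcSs" };

/* Run the comparison on the samples; the case differences must not count as hidden. */
size_t sample_hidden_count(const char *out[], size_t max_out)
{
    return hidden_services(SAMPLE_REMOTE, 4, SAMPLE_LOCAL, 3, out, max_out);
}
```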