
Thread: Hacker Defender / Rootkits in general

  1. #1
    Junior Member
    Join Date
    May 2009
    Posts
    42

    Default Hacker Defender / Rootkits in general

    Hi, can anyone advise on rootkits? I have been looking into some and, not surprisingly, come across Hacker Defender (there are some great vid tuts here, by the way). I'm guessing this kit is now well known enough to be detectable and useless for the purposes of stealth or for anyone attempting to conduct a "real world" simulation exercise. Will packing/crypting still allow the kit to function (in the absence of more sophisticated anti-virus / anti-rootkit software)?
    If not, can anyone suggest a better way to proceed with this type of experiment?

    thx

  2. #2
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by Danboy View Post
    Hi, can anyone advise on rootkits? I have been looking into some and, not surprisingly, come across Hacker Defender (there are some great vid tuts here, by the way). I'm guessing this kit is now well known enough to be detectable and useless for the purposes of stealth or for anyone attempting to conduct a "real world" simulation exercise. Will packing/crypting still allow the kit to function (in the absence of more sophisticated anti-virus / anti-rootkit software)?
    If not, can anyone suggest a better way to proceed with this type of experiment?

    thx
    Can you be more specific about what you want to achieve? What antivirus or anti-rootkit software do you want to bypass? It's Windows rootkits you're interested in, I assume? What features do you want the rootkit to have? Do you want to hide files, processes, network connections, services, registry keys?
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84

    Default

    1. Get, Read, and Understand, Rootkits: Subverting the Windows Kernel
    2. Program a Rootkit
    3. ?????
    4. Profit!

    Or in more manageable bites:

    1. Download and install the DDK (Driver Development Kit)
    2. If you don't know C and ASM, give up now and go over to rootkits.com
    3. Get a base to work off of; mine is just a basic driver base included with the DDK, but oh well.
    4. Implement File Hiding. Generally, hiding the folder your rootkit and its affiliates are in (windows\system32\drivers) is a good one, as it doesn't even look suspicious from a live CD.
    5. Implement Process Hiding, generally for the user-land part of the rootkit, if you include it, or processes spawned by it (cracking programs, w/e)
    6. Implement Socket Hiding, usually done by hooking the TCP.SYS file and filtering its output
    7. Implement a secure way for it to reboot and, if necessary, include the proper hiding techniques in your rootkit.
    8. Implement the fun part, the backdoor and all its friends that go with it, like cracking programs, data gatherers, and keyloggers.
    9. Make a self-contained driver installer: the sys file is inside the exe file, and all the exe file does is copy the sys file out and install it (reg keys, etc.)
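The file-, process- and socket-hiding steps above all come down to the same pattern: patch a dispatch table so the enumeration routine goes through your function, call the real routine, then drop the entries you want hidden from its output. The following is an added user-mode model of that pattern (example code, not the poster's driver and not kernel code): a one-slot dispatch table standing in for the kernel service or IRP table, a hook that filters entries by a prefix, and the cross-view check anti-rootkit tools use to catch it. The `_root_` prefix, the sample directory contents and all function names are assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post: a user-mode model of
 * "hook the enumeration API and filter its output" and the cross-view
 * detection of it. All names and data below are constructed. */

#define MAX_ENTRIES 16
#define HIDE_PREFIX "_root_"  /* assumed marker: entries starting with it get hidden */

typedef int (*list_dir_fn)(const char **out, int max);

/* Constructed sample directory; the "raw" view an on-disk reader would see. */
static const char *sample_fs[] = {
    "ntoskrnl.exe", "_root_rk.sys", "tcpip.sys", "_root_cfg.ini", "hal.dll"
};

/* The real enumeration routine: returns every entry. */
static int orig_list_dir(const char **out, int max) {
    int n = (int)(sizeof(sample_fs) / sizeof(sample_fs[0]));
    if (n > max) n = max;
    for (int i = 0; i < n; i++) out[i] = sample_fs[i];
    return n;
}

/* One-slot dispatch table standing in for the table the rootkit patches. */
static list_dir_fn dispatch_table[1] = { orig_list_dir };
static list_dir_fn saved_orig = NULL;

/* The hook: call the original, then compact the result, dropping marked entries. */
static int hooked_list_dir(const char **out, int max) {
    int n = saved_orig(out, max);
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            out[kept++] = out[i];
    }
    return kept;
}

void install_hook(void) {
    if (!saved_orig) { saved_orig = dispatch_table[0]; dispatch_table[0] = hooked_list_dir; }
}

void remove_hook(void) {
    if (saved_orig) { dispatch_table[0] = saved_orig; saved_orig = NULL; }
}

/* What any caller (Explorer, AV) sees when it goes through the patched table. */
int list_via_table(const char **out, int max) { return dispatch_table[0](out, max); }

int count_visible_entries(void) {
    const char *v[MAX_ENTRIES];
    return list_via_table(v, MAX_ENTRIES);
}

/* Cross-view detection: entries present in the raw view but missing from the
 * hooked view are exactly the ones the hook filtered out. */
int count_hidden_entries(void) {
    const char *raw[MAX_ENTRIES], *seen[MAX_ENTRIES];
    int nraw = orig_list_dir(raw, MAX_ENTRIES);   /* bypasses the table, like a raw disk read */
    int nseen = list_via_table(seen, MAX_ENTRIES);
    int hidden = 0;
    for (int i = 0; i < nraw; i++) {
        int found = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(raw[i], seen[j]) == 0) { found = 1; break; }
        if (!found) hidden++;
    }
    return hidden;
}

int main(void) {
    printf("before hook: %d visible, %d hidden\n", count_visible_entries(), count_hidden_entries());
    install_hook();
    printf("after hook:  %d visible, %d hidden\n", count_visible_entries(), count_hidden_entries());
    remove_hook();
    return 0;
}
```

The point of the cross-view function is the caveat the original poster was asking about: once a kit's hiding is hook-based, packing or crypting the binary changes nothing, because a detector that reads the raw structures (disk, raw process list, raw TCP table) and diffs them against the API view finds the discrepancy regardless of how the driver was obfuscated.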

  4. #4
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by HitThemLow View Post
    1. Get, Read, and Understand, Rootkits: Subverting the Windows Kernel
    Professional Rootkits is also good; it is a little lighter on content, but as a starting place it is not too shabby.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  5. #5
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Would it be feasible to create a rootkit for Vista or Windows 7? Haven't found much information about rootkits for those OSes. Why?

  6. #6
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    I have one I wrote myself; it follows the same basic principles as all the others.

  7. #7
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    I have one I wrote myself; it follows the same basic principles as all the others.
    How did you get it to run, registry or logged into the system account? They were meant to have software to stop drivers being loaded, or stop rootkits.

  8. #8
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by compaq View Post
    How did you get it to run, registry or logged into the system account? They were meant to have software to stop drivers being loaded, or stop rootkits.
    The code was to prevent non-signed drivers being loaded. Here's a news article that might hint you out:

    MS Watches as Vista Gets 0wn3d by Rootkit - Intelligence

    Judging by your responses, I'm guessing you're not up to writing one yet, so get yourself a copy of Professional Rootkits, Rootkits: Subverting the Windows Kernel, and an account on rootkit.com. Between the three there is more than enough info for you to continue.

  9. #9
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84

    Default

    Just to add to what Gitsnik said: I also have one, more for penetration testing, and if you have to ask, chances are you aren't ready. Sure, you could go copy the code from a book, but would you know how or why it worked? No.

    I recommend rootkits.com as your one-stop source for information, but there are many things they don't have, for example microcode and BIOS rootkits.

    Vista and Windows 7 are a bit new in the realm of rootkits, at least public ones; the offsets to critical things change quite a bit, and so before the first public one comes out, some genius has to go find them again (not exactly accurate, but close enough).

    I found, in mine at least, that most of the code was compatibility, a lot of "trace along memory until you find xxx byte sequence; if the -32 offset of that is x byte, then it's Vista"

    and other such faggotry.
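The "trace along memory until you find a byte sequence, then check a byte at a fixed negative offset" compatibility logic described above is a signature scan. The following added example (not the poster's code) shows the general form of it in plain C over constructed byte buffers: a pattern matcher with a wildcard mask, and a version classifier that locates an anchor sequence and reads the byte 32 before it. The anchor bytes, the mask, the tag values and the sample images are all hypothetical, chosen for the demonstration; a real kit would take them from a disassembly of each target build, and the post gives none of them.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the original post. Signature scanning of the kind
 * used for OS-version compatibility checks, with constructed data throughout. */

enum target { TARGET_UNKNOWN = 0, TARGET_VISTA = 1, TARGET_WIN7 = 2 };

/* Find the first match of pat in buf. mask[i]=='x' means the byte must match,
 * any other mask character is a wildcard. Returns the offset or -1. */
long find_pattern(const unsigned char *buf, size_t len,
                  const unsigned char *pat, const char *mask) {
    size_t plen = strlen(mask);
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j;
        for (j = 0; j < plen; j++)
            if (mask[j] == 'x' && buf[i + j] != pat[j]) break;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Hypothetical anchor: a prologue-like sequence with two wildcard bytes. */
static const unsigned char ANCHOR[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x00, 0x00, 0xE8 };
static const char ANCHOR_MASK[] = "xxxxx??x";
#define CHECK_OFFSET 32        /* the "-32 offset" from the post */
#define VISTA_TAG    0x06      /* hypothetical distinguishing byte values */
#define WIN7_TAG     0x07

/* Locate the anchor and classify by the byte CHECK_OFFSET before it.
 * Refuses to read before the start of the image if the anchor sits too early. */
enum target identify_target(const unsigned char *image, size_t len) {
    long at = find_pattern(image, len, ANCHOR, ANCHOR_MASK);
    if (at < CHECK_OFFSET) return TARGET_UNKNOWN;   /* not found, or check byte out of bounds */
    switch (image[at - CHECK_OFFSET]) {
        case VISTA_TAG: return TARGET_VISTA;
        case WIN7_TAG:  return TARGET_WIN7;
        default:        return TARGET_UNKNOWN;
    }
}

/* Build a constructed 64-byte "image": filler, the tag at index 8,
 * the anchor at index 40 (8 + CHECK_OFFSET), wildcard bytes varied. */
size_t build_sample(unsigned char *out, size_t cap, unsigned char tag) {
    if (cap < 64) return 0;
    memset(out, 0x90, 64);
    out[8] = tag;
    memcpy(out + 40, ANCHOR, sizeof ANCHOR);
    out[45] = 0x12; out[46] = 0x34;   /* positions covered by '?' in the mask */
    return 64;
}

enum target classify_sample(unsigned char tag) {
    unsigned char img[64];
    size_t n = build_sample(img, sizeof img, tag);
    return identify_target(img, n);
}

int main(void) {
    printf("tag 0x06 -> %d, tag 0x07 -> %d, tag 0x00 -> %d\n",
           classify_sample(VISTA_TAG), classify_sample(WIN7_TAG), classify_sample(0x00));
    return 0;
}
```

The bounds check before reading `image[at - CHECK_OFFSET]` is the part worth copying: in a driver, a signature that happens to match near the start of a region, or not at all, turns into a read from a wild address and a bugcheck, which is exactly how version-fragile kits give themselves away on a build they were not tuned for.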

  10. #10
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    @Gitsnik, HitThemLow
    So you use the method to flush pointers (I think) from memory so your rootkit will work, and that's in Windows 7?

