Driver_RootKit

Category: Driver programming
Development tool: Visual C++
File size: 112KB
Downloads: 69
Upload date: 2012-11-16 15:51:23
Uploader: ibmis0100
Description: A kernel-driver-level rootkit tool that can be used to hide processes and drivers.

File list:
Driver_RootKit\EXE (0, 2003-12-06)
Driver_RootKit\EXE\fu.exe (45056, 2003-12-06)
Driver_RootKit\EXE\i386 (0, 2003-12-06)
Driver_RootKit\EXE\i386\msdirectx.pdb (76800, 2003-12-06)
Driver_RootKit\EXE\ListPrivileges.txt (636, 2003-02-02)
Driver_RootKit\EXE\msdirectx.nms (98808, 2003-12-06)
Driver_RootKit\EXE\msdirectx.sys (4864, 2003-12-06)
Driver_RootKit\fu (0, 2003-12-06)
Driver_RootKit\fu\Debug (0, 2003-12-06)
Driver_RootKit\fu\fu.bbs (161, 2003-05-27)
Driver_RootKit\fu\fu.cpp (17906, 2003-12-06)
Driver_RootKit\fu\fu.dsp (4511, 2003-05-26)
Driver_RootKit\fu\fu.dsw (527, 2003-05-26)
Driver_RootKit\fu\fu.h (810, 2003-05-27)
Driver_RootKit\fu\fu.ncb (60416, 2003-12-06)
Driver_RootKit\fu\fu.opt (48640, 2003-07-28)
Driver_RootKit\fu\fu.plg (1259, 2003-05-27)
Driver_RootKit\fu\fu.sln (908, 2003-12-06)
Driver_RootKit\fu\fu.suo (8704, 2003-12-06)
Driver_RootKit\fu\fu.vcproj (3726, 2003-12-01)
Driver_RootKit\fu\Instdrv.cpp (8715, 2003-05-27)
Driver_RootKit\fu\Instdrv.h (176, 2002-07-24)
Driver_RootKit\fu\Release (0, 2003-12-06)
Driver_RootKit\Sys (0, 2003-12-06)
Driver_RootKit\Sys\ioctlcmd.h (1391, 2003-12-04)
Driver_RootKit\Sys\MAKEFILE (267, 1999-08-30)
Driver_RootKit\Sys\ProcessName.c (2027, 2003-12-01)
Driver_RootKit\Sys\ProcessName.h (579, 2003-11-30)
Driver_RootKit\Sys\Rootkit.c (26398, 2003-12-06)
Driver_RootKit\Sys\Rootkit.h (2366, 2003-12-04)
Driver_RootKit\Sys\SOURCES (96, 2003-01-30)

Program: fu.exe and msdirectx.sys
Written by: fuzen_op
Email: fuzen_op@yahoo.com or fuzen_op@rootkit.com

Description:

fu.exe and msdirectx.sys work as one. fu.exe passes its parameters down to the msdirectx.sys driver as IOCTLs, so once the driver is loaded you do not need any special privilege to run fu.exe. msdirectx.sys is the driver and does all the real work; fu.exe is only the front end. The driver is never unloaded until reboot. You can use whatever method you like to load the driver, such as the SystemLoadAndCallImage technique suggested by Greg Hoglund.

The driver is named msdirectx.sys, a play on Microsoft's DirectX chosen to help it blend in. (A future tool will hide it completely!)

The FU rootkit can now hide any named driver in a manner similar to the way it hides processes. All the code to do this is in the user-land program (fu.exe) and the corresponding driver (msdirectx.sys). This functionality is not exposed to the regular user in FU's usage text; you must read the fu.exe source yourself to determine the parameters to pass to hide drivers. The reason is that it uses a hard-coded address that has only been tested on two machines. Look for MyPsLoadedModuleList in the fu.exe code and change it as necessary.

If you want to send IOCTLs to a driver, you need a handle to it. FU makes no effort to hide or delete the symbolic link used to open a handle to the driver being hidden. You could add this easily if you wanted: the msdirectx.sys driver should just delete the symbolic link while it is hiding the driver.

The driver has many uses:

  - It can change the groups on any process. To give your process System, type:
        fu -pss #process_pid System
  - It can hide a process:
        fu -ph #process_pid
  - At times you may want to "adjust" the privileges on a particular process. You can do this by typing something like:
        fu -prs #process_pid SeDebugPrivilege
    You will need to type the specific privileges you want, but no worries, I have listed them in ListPrivileges.txt.
  - msdirectx.sys can also change the AUTH_ID (the token's logon session identifier) on any process. This can be used to impersonate another logon session so that Windows auditing etc. does not know which user really performed the actions you take with the process:
        fu -pas #process_pid
    The specified process now looks like System in the Event Viewer, etc. You can recompile it to use Anonymous_Logon, LocalService, or NetworkService instead of System. See Rootkit.h.

The driver does all this by Direct Kernel Object Manipulation (TM)!! No worries about "do I have permission to that process, token, etc." If you can load a driver once, you are golden! It also does not use "hooking" techniques. Hooking is easily detectable; FU is much better. It just writes directly to memory because it understands the structures inside and out.

Program Usage:

  fu
    [-pl]  #number                  list the first #number of processes
    [-ph]  #PID                     hide the process with #PID
    [-pas] #PID                     set the AUTH_ID to SYSTEM on process #PID. Use this to impersonate other people when you do things. Note: you can recompile it to use Anonymous_Logon, LocalService, or NetworkService instead of System. See Rootkit.h.
    [-prl]                          list the available privileges
    [-prs] #PID #privilege_name     set privileges on process #PID
    [-pss] #PID #account_name       add the #account_name SID to the token of process #PID

Caveat:

The binaries I have included will only run on Windows 2000/XP. You will definitely have to recompile for NT, because the 2000/XP kernel exports except_handler3 and NT does not, so the driver is not compatible across all three. See the note above if you wish to hide drivers.

WE ARE MODIFYING KERNEL STRUCTURES (OBJECTS) DIRECTLY IN MEMORY. AS SUCH, AT TIMES IT CAN CAUSE A BLUESCREEN. I HAVE SEEN IT HAPPEN, BUT I WOULD SAY IT IS ***% TO 99% STABLE. IT ALL DEPENDS ON WHAT YOU ARE DOING AT THE TIME. IF YOU FIND A PROBLEM OR A BUG, PLEASE EMAIL ME AT THE ABOVE ADDRESS. PROVIDE AS MUCH DETAIL AS POSSIBLE ABOUT THE SEQUENCE OF EVENTS. WE MAY ALSO ARRANGE FOR YOU TO SEND ME YOUR PHYSICAL MEMORY DUMP, BUT DON'T SEND THAT IMMEDIATELY AS MY EMAIL WILL NOT HOLD IT.

Thanks:
  Greg Hoglund - the father of Windows rootkits and a code guru.
  Joe - who made NDIS cry.
  Contagion - if it's on the wire, he knows what to do.
  m0ribundi - my mentor.
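The README describes the hiding mechanism only in outline: FU "writes directly to memory" to unlink a process (and, the same way, a driver) from the kernel's doubly linked list rather than hooking the enumeration API. The following is an added, user-mode model of that operation and of the cross-view check that catches it; it is not fuzen_op's code and does not touch a real kernel. FAKE_EPROCESS, g_ActiveProcessHead, g_CidTable and the pid/image values are all stand-ins constructed for the example: the real EPROCESS layout and the PsActiveProcessHead / PspCidTable symbols it imitates vary per Windows build, which is exactly why FU has to hard-code addresses. Pointing the orphaned entry's Flink/Blink at itself is a precaution assumed here, not necessarily what this FU build does. The same splice applied to a driver's entry in the loaded-module list is what hides msdirectx.sys.

```c
/* Added example, not fuzen_op's code: a user-mode model of the DKOM unlink that
 * "fu -ph <pid>" performs on EPROCESS.ActiveProcessLinks, and the cross-view check
 * that catches it. FAKE_EPROCESS, g_CidTable etc. are stand-ins for kernel objects. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

typedef struct FAKE_EPROCESS {
    uint32_t   pid;
    char       image[16];
    LIST_ENTRY ActiveProcessLinks;   /* links this object into the global process list */
} FAKE_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
#define MAX_PIDS 64

static LIST_ENTRY     g_ActiveProcessHead;      /* stand-in for PsActiveProcessHead */
static FAKE_EPROCESS *g_CidTable[MAX_PIDS];     /* stand-in for PspCidTable: pid -> object */
static FAKE_EPROCESS  g_objects[MAX_PIDS];      /* backing storage for the model */

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head; e->Blink = head->Blink;
    head->Blink->Flink = e; head->Blink = e;
}

/* A new process is registered in both views, as in the real kernel. */
static int create_process(uint32_t pid, const char *image) {
    if (pid >= MAX_PIDS || g_CidTable[pid]) return 0;
    FAKE_EPROCESS *p = &g_objects[pid];
    p->pid = pid;
    snprintf(p->image, sizeof p->image, "%s", image);
    list_insert_tail(&g_ActiveProcessHead, &p->ActiveProcessLinks);
    g_CidTable[pid] = p;
    return 1;
}

/* The DKOM step: patch the neighbours so a list walk skips this object. Nothing else
 * changes, so the process keeps running (the scheduler works from thread lists, not
 * this one). Pointing the orphan at itself is an assumed precaution so a later unlink
 * on process exit does not write through stale pointers. Returns 1 on success. */
static int dkom_hide_process(uint32_t pid) {
    FAKE_EPROCESS *p = pid < MAX_PIDS ? g_CidTable[pid] : NULL;
    if (!p) return 0;
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
    return 1;
}

/* View 1: a list walk, as NtQuerySystemInformation / Task Manager / ToolHelp do. */
static size_t enumerate_by_list(uint32_t *out, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = g_ActiveProcessHead.Flink; e != &g_ActiveProcessHead; e = e->Flink) {
        if (n < max) out[n] = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks)->pid;
        n++;
    }
    return n;
}

/* View 2: lookup by id, as a brute-force OpenProcess(pid) sweep does. */
static size_t enumerate_by_cid_table(uint32_t *out, size_t max) {
    size_t n = 0;
    for (uint32_t pid = 0; pid < MAX_PIDS; pid++)
        if (g_CidTable[pid]) { if (n < max) out[n] = pid; n++; }
    return n;
}

/* Cross-view detection: a pid found by lookup but missing from the walk was unlinked. */
static size_t find_hidden_processes(uint32_t *out, size_t max) {
    uint32_t listed[MAX_PIDS];
    size_t nl = enumerate_by_list(listed, MAX_PIDS), hidden = 0;
    for (uint32_t pid = 0; pid < MAX_PIDS; pid++) {
        if (!g_CidTable[pid]) continue;
        int seen = 0;
        for (size_t i = 0; i < nl && !seen; i++) seen = (listed[i] == pid);
        if (!seen) { if (hidden < max) out[hidden] = pid; hidden++; }
    }
    return hidden;
}

/* Constructed sample system; pids and image names are made up for the demo. */
static void setup_sample_system(void) {
    memset(g_CidTable, 0, sizeof g_CidTable);
    g_ActiveProcessHead.Flink = g_ActiveProcessHead.Blink = &g_ActiveProcessHead;
    create_process(4, "System");      create_process(20, "explorer.exe");
    create_process(33, "fu.exe");     create_process(41, "cmd.exe");
}

int main(void) {
    uint32_t pids[MAX_PIDS], hidden[MAX_PIDS];
    setup_sample_system();
    dkom_hide_process(33);
    printf("list walk: %zu processes, pid lookup: %zu\n",
           enumerate_by_list(pids, MAX_PIDS), enumerate_by_cid_table(pids, MAX_PIDS));
    size_t n = find_hidden_processes(hidden, MAX_PIDS);
    for (size_t i = 0; i < n; i++)
        printf("hidden: pid %u (%s)\n", hidden[i], g_CidTable[hidden[i]]->image);
    return 0;
}
```

The point of the two enumerators is the practitioner's takeaway: unlinking defeats every tool that walks the list, which is why FU's author calls it better than hooking, but it leaves the lookup path intact, so a scanner that sweeps pids through the lookup view and diffs against the list view reports the hidden object. On a real system the same idea is a brute-force OpenProcess sweep compared with a ToolHelp snapshot, or a memory-forensics pool scan for EPROCESS objects compared with the linked list.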
