Driver_RootKit
Category: Driver programming
Development tool: Visual C++
File size: 112KB
Downloads: 69
Upload date: 2012-11-16 15:51:23
Uploader: ibmis0100
Description: driver-level rootkit tool that can be used to hide processes and drivers.
File list:
Driver_RootKit\EXE (0, 2003-12-06)
Driver_RootKit\EXE\fu.exe (45056, 2003-12-06)
Driver_RootKit\EXE\i386 (0, 2003-12-06)
Driver_RootKit\EXE\i386\msdirectx.pdb (76800, 2003-12-06)
Driver_RootKit\EXE\ListPrivileges.txt (636, 2003-02-02)
Driver_RootKit\EXE\msdirectx.nms (98808, 2003-12-06)
Driver_RootKit\EXE\msdirectx.sys (4864, 2003-12-06)
Driver_RootKit\fu (0, 2003-12-06)
Driver_RootKit\fu\Debug (0, 2003-12-06)
Driver_RootKit\fu\fu.bbs (161, 2003-05-27)
Driver_RootKit\fu\fu.cpp (17906, 2003-12-06)
Driver_RootKit\fu\fu.dsp (4511, 2003-05-26)
Driver_RootKit\fu\fu.dsw (527, 2003-05-26)
Driver_RootKit\fu\fu.h (810, 2003-05-27)
Driver_RootKit\fu\fu.ncb (60416, 2003-12-06)
Driver_RootKit\fu\fu.opt (48640, 2003-07-28)
Driver_RootKit\fu\fu.plg (1259, 2003-05-27)
Driver_RootKit\fu\fu.sln (908, 2003-12-06)
Driver_RootKit\fu\fu.suo (8704, 2003-12-06)
Driver_RootKit\fu\fu.vcproj (3726, 2003-12-01)
Driver_RootKit\fu\Instdrv.cpp (8715, 2003-05-27)
Driver_RootKit\fu\Instdrv.h (176, 2002-07-24)
Driver_RootKit\fu\Release (0, 2003-12-06)
Driver_RootKit\Sys (0, 2003-12-06)
Driver_RootKit\Sys\ioctlcmd.h (1391, 2003-12-04)
Driver_RootKit\Sys\MAKEFILE (267, 1999-08-30)
Driver_RootKit\Sys\ProcessName.c (2027, 2003-12-01)
Driver_RootKit\Sys\ProcessName.h (579, 2003-11-30)
Driver_RootKit\Sys\Rootkit.c (26398, 2003-12-06)
Driver_RootKit\Sys\Rootkit.h (2366, 2003-12-04)
Driver_RootKit\Sys\SOURCES (96, 2003-01-30)
Program: fu.exe and msdirectx.sys
Written by: fuzen_op
Email: fuzen_op@yahoo.com or fuzen_op@rootkit.com
Description:
fu.exe and msdirectx.sys work as one. fu.exe passes down parameters as IOCTLs
to the msdirectx.sys driver. As such, once the driver is loaded, you do not need any
special privilege to run fu.exe. msdirectx.sys is the driver and does all the work
of fu.exe. The driver is never unloaded until reboot. You can use whatever methods
you like to load the driver such as SystemLoadAndCallImage suggested by Greg Hoglund.
The driver is named msdirectx.sys. It is a play on Microsoft's DirectX and is named
this to help hide it. (A future tool will hide it completely!)
The FU rootkit can now hide any named driver in a manner similar to the way it hides
processes. All the code to do this is in the user-land program (fu.exe) and the
corresponding driver (msdirectx.sys). This functionality is not exposed to the regular
user when showing the Usage of FU. You must read the fu.exe code yourself to determine
the parameters to pass to hide drivers. The reason for this is that it uses a hard-coded
address that has only been tested on two machines. Look for MyPsLoadedModuleList in the
fu.exe code. Change it as necessary. If you want to send IOCTLs to a driver, you need
a handle to it. FU makes no effort to hide or delete the symbolic link used to open a
handle to the driver to be hidden. You could add this code easily though if you wanted.
The msdirectx.sys driver should just delete the symbolic link while it is hiding the driver.
The driver has many uses. It can change the groups on any process. So,
you could give your process System by typing:
fu -pss #process_pid System
It can also hide a process. Type:
fu -ph #process_pid
At times you may want to "adjust" the privileges on a particular process. You can do
this by typing something like:
fu -prs #process_pid SeDebugPrivilege
You will need to type the specific privileges you want, but no worries, I have listed
them in ListPrivileges.txt.
Another feature is msdirectx.sys can change the AUTH_ID on any process. This can be used
to impersonate another logon session so that Windows Auditing etc. does not know what
user really performed the actions you choose to take with the process. Type:
fu -pas #process_pid
The process specified now looks like System in the Event Viewer, etc. You can recompile
it to use Anonymous_Logon, LocalService, or NetworkService instead of System. See
Rootkit.h.
The driver does all this by Direct Kernel Object Manipulation (TM)!! No worries about whether you have
permission to that process, token, etc. If you can load a driver once, you are golden!
Also, it does not use "hooking" techniques. Hooking is easily detectable. FU is much
better. It just writes directly to memory because it understands the structures inside
and out.
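The defender's counterpoint to the paragraph above: unlinking a process from the kernel's list leaves it reachable through other views, and comparing those views exposes the gap. The following is an added illustration, not code from FU or its author; the list, the PID table and the PIDs are constructed stand-ins for the real kernel structures.

```c
#include <stdio.h>
#include <string.h>
/* Toy model of the two kernel views DKOM process hiding drives apart: an
 * ActiveProcessLinks-style linked list (what a walker sees) and a PID-indexed
 * table (what a lookup sees). PIDs are constructed; structures are stand-ins. */
#define MAX_PID 16
typedef struct proc {
    unsigned pid;
    struct proc *flink, *blink;       /* circular list through head */
} proc_t;
static proc_t head = {0, &head, &head};
static proc_t *pid_table[MAX_PID];    /* stands in for the PID lookup table */
unsigned hidden_pids[MAX_PID];        /* filled by cross_view_detect */
static void proc_add(proc_t *p) {
    p->flink = &head; p->blink = head.blink;
    head.blink->flink = p; head.blink = p;
    pid_table[p->pid] = p;
}
/* Unlink-only hide: neighbours are re-pointed past p, but the PID table still
 * references it, because the process has to keep running. */
static void dkom_hide(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;          /* self-link so a repeat unlink is harmless */
}
/* Cross-view check: a PID the table resolves but the list walk never reaches
 * is reported as hidden. Returns how many such PIDs were found. */
int cross_view_detect(void) {
    int seen[MAX_PID] = {0}, n = 0;
    for (proc_t *c = head.flink; c != &head; c = c->flink) seen[c->pid] = 1;
    for (unsigned pid = 1; pid < MAX_PID; pid++)
        if (pid_table[pid] && !seen[pid]) hidden_pids[n++] = pid;
    return n;
}
/* Build three constructed processes, optionally hide PID 7, run the detector.
 * Both views are reset first so the function can be called repeatedly. */
int run_scenario(int do_hide) {
    static proc_t a = {4}, b = {7}, c = {9};
    head.flink = head.blink = &head;
    memset(pid_table, 0, sizeof pid_table);
    proc_add(&a); proc_add(&b); proc_add(&c);
    if (do_hide) dkom_hide(&b);
    return cross_view_detect();
}
int main(void) {
    int n = run_scenario(1);
    for (int i = 0; i < n; i++) printf("hidden pid %u\n", hidden_pids[i]);
    return 0;
}
```

The same idea is what cross-view rootkit detectors apply on a live system: enumerate processes through one path, resolve PIDs through another, and flag whatever appears in only one.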
Program Usage:
fu
    [-pl]  #number                 list the first #number of processes
    [-ph]  #PID                    hide the process with #PID
    [-pas] #PID                    set the AUTH_ID to SYSTEM on process #PID.
                                   Use this to impersonate other people when you
                                   do things.
                                   Note: You can recompile it to use Anonymous_Logon,
                                   LocalService, or NetworkService instead of
                                   System. See Rootkit.h.
    [-prl]                         list the available privileges
    [-prs] #PID #privilege_name    set privileges on process #PID
    [-pss] #PID #account_name      add #account_name SID to process #PID token
Caveat:
The binaries I have included will only run on Windows 2000/XP. See above. You
will definitely have to recompile for NT, because the kernel in 2000/XP exports
except_handler3 and NT does not, so the driver is not compatible across all three.
See the note above if you wish to hide drivers.
WE ARE MODIFYING KERNEL STRUCTURES (OBJECTS) DIRECTLY IN MEMORY. AS SUCH, AT TIMES
IT CAN CAUSE A BLUESCREEN. I HAVE SEEN IT HAPPEN, BUT I WOULD SAY IT IS ***% TO 99%
STABLE. IT ALL DEPENDS ON WHAT YOU ARE DOING AT THE TIME.
IF YOU FIND A PROBLEM OR A BUG, PLEASE EMAIL ME AT THE ABOVE ADDRESS. PROVIDE
AS MUCH DETAIL AS POSSIBLE ABOUT THE SEQUENCE OF EVENTS. WE MAY ALSO ARRANGE FOR YOU TO SEND
ME YOUR PHYSICAL DUMP OF MEMORY, BUT DON'T SEND THAT IMMEDIATELY AS MY EMAIL WILL NOT
HOLD IT.
Thanks:
Greg Hoglund - the father of Windows rootkits and a code guru.
Joe - who made NDIS cry.
Contagion - if it's on the wire, he knows what to do.
m0ribundi - my mentor.