I have to say: NEVER send the final executables to online antivirus services (such as Hispasec) or let them scan your PC with them, because they will add their signatures and the executables will no longer be undetectable.....
The AV engineers are damn clever xD
Careful: you may, in fact you probably will, have to do a lot of coding and editing for your rootkit to be completely undetectable. What is explained here is public, so the AVs already know what is explained here; it is only about giving IDEAS.
That is, on the first try, or even after making all the changes shown here, your AVs will detect the rootkit. But I hope these tutorials awaken your IMAGINATION as to how to modify them so they are not detectable.
Anyway, you can always use MORPHINE (http://rootkit.host.sk) or UPX to encrypt or compress the final executable.
Or use Badcode's tutorial, posted in the Trojans and Viruses forum, looking for the offsets "responsible" for the AVs' detection.
The Hack Defender code (and its executable), as well as the Morphine code (PE header encryptor) and its executable, at:
http://rootkit.host.sk
And another address of interest (when it is online): www.rootkit.com
All of this taken from the forum at www.governmensecurity.org
Regards
Quote:
Ok, I shortly described what needs to happen to modify your hxdef in jimmy's post of his modified version, but I think that everyone should do their own and keep it private because public versions like that will be grabbed in a matter of days (for testing purposes if people upload to KAV then KAV checks the content of all files which get stored on their servers so DONT USE ONLINE CHECKING).
It's not hard, and I'm no guru, but I will help out as much as I can.
Thanks go to:
* george (for helping with compiling and hiding from av)
* darkranger (for scanning the files)
* holy_father (author of the rootkit, without him nothing could be done)
OK, the things you need are:
* XP DDK (filemirrors.com -> xp_ddk.iso)
* Visual C++ _or_ Visual Studio .NET
* Delphi 7 (borland.com then search for crack on cracks.am)
* HxDef 1.00 Source Code (http://rootkit.host.sk)
* Winsock 2.2 API for Delphi (http://home.earthlink.net/~akonshin/files/winsock2.zip)
* ntifs.h (http://www.insidewindows.info/ntifs.h)
* PE Resource Explorer (http://www.wilsonc.demon.co.uk/d7resourceexplorer.htm)
Ok, so download the 1.00 release from rootkit.host.sk; inside there is a .zip file called src.zip. Extract that wherever you want.
The file hxdef100.dpr is the main source of the code; this is where the majority of the work takes place.
First of all, use the replace function (ctrl+r) to replace "hxdef" with any other 5-character string. It must be 5 characters, or you need to change offsets later on (which I don't know how to do).
Next, there are lines like these:
Code:
ServerMailslotNamePart='\\.\mailslot\hxdef-rk100s';
ClientMailslotNamePart='\\.\mailslot\hxdef-rkc';
DriverDeviceName='\\.\HxDefDriver';
Here your hxdef will already be changed thanks to the first step, but the "-rk*" needs to be changed to "-**", where "**" is any 2-character string.
Lastly, in this file, we change all "RK_" references to "**_", where "**" is any 2-character string.
Now, in order to compile, you extract the Winsock 2.2 API you downloaded to the _same_ directory that contains your hxdef source code, and also you need to copy all files from the "units" directory (found in src.zip from hxdef release) to your source code directory.
Then hit CTRL+F9 to compile.
All done? Not yet. This compiles our new .exe which is now hidden from all AV, but we need to hide the driver also (to read up on how rootkits actually work hit http://www.rootkit.com). What we do now is edit the driver sources.
Edit driver.c and driver.h in your driver dir from src.zip, and yet again change all references of "hxdef" to another 5 character string the same as in your hxdef100.dpr file.
Next, edit the sources file and change this line:
Code:
INCLUDES=c:\ddk\inc
to the inc dir of your DDK installation.
Finally, copy the ntifs.h file to your DDK\inc\wxp directory, then choose Start -> Programs -> Development Kits -> Windows DDK 2600 -> Build Environments -> Win XP Free Environment.
This opens a command window; navigate to the dir with your driver sources and type build. You should now have your driver.sys file in objfre\i386\ (relative to your driver source directory).
If you get errors in VS.NET with something to do with "jvc", copy your driver directory to your DDK root folder and proceed.
Next, open up PE Resource Explorer, select Import -> RC Data, open your .sys file, and then choose Save As -> driver.res in the folder of your hxdef100.dpr file. Now you have updated your driver =D. Hit CTRL+F9 in Delphi again to recompile your new hxdef with your new driver.
To hide rdrbs100.dpr, just change the reference of hxdef to another 5-character string. I haven't tested this myself, but it should work. Finally, to hide your backdoor client from AV (not necessary if you connect from a PC with no AV), just change all references of "hxdef" to another 5-character string. Hit CTRL+F9 for both, and you are done =D. Then follow the instructions in readmeen.txt provided by holy_father in the main hxdef100.zip release file to set up your ini (use the characters to hide the values, such as [/"<S>/"tar"<//t<up>"]//, so as to hide the .ini from AV).
Voila! You are all done. I MAY have missed something, if it doesn't work for you let me know. Hope you enjoy my first tut.
Quote:
There is another reference to hxdef there.... in .\Device\UDP\.\?.?\HxDef. Also, it could be detecting the names of the fields in the .ini; switches could be detectable too. I'll try to update this thread with what needs to be changed after I go through it all.
Quote:
http://yousmelllikeshit.com/files/hxdef-builder-3.rar
With this you can compile hxdef without Delphi, VC or the DDK..
Quote:
F:\hxdef-builder-3>comp\dcc32 -Udcus;units hxdef100.dpr
Quote:
When you view the sources of hxdef and change all references, it looks good, but check the hex of the compiled exe: there is still a reference to hxdef in one line; change that... Also change the switch names (helps if another user finds your hxdef ;P), and it doesn't hurt to change non-API strings so they can't find it in the future. gl
Quote:
URGENT!!!!
Remember to edit this:
@cDriverDeviceName : db '\',000h, '?',000h, '?',000h, '\',000h
db 'H',000h, 'x',000h, 'D',000h, 'e',000h
db 'f',000h, 'D',000h, 'r',000h, 'i',000h
db 'v',000h, 'e',000h, 'r',000h,000h,000h
You see the instance of HxDef??! (I think this is the problem with the backdoor, but I have no idea!)
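Added example, not from the thread and written from the detection side: a small Python scanner that looks for the Hacker Defender strings these posts say AV signatures key on, in both their ASCII form (the Delphi constants) and their UTF-16LE form (the driver device name in the db listing above is stored wide, one zero byte after each character). The indicator list and the sample blob are constructed here from strings quoted on this page and are not a real AV signature.

```python
# Added example (not the thread's code): scan a binary blob for Hacker Defender
# indicator strings in both narrow (ASCII) and wide (UTF-16LE) encodings.
from typing import Dict, List, Tuple

# Indicator strings taken from the posts above; illustrative, not a full signature.
HXDEF_STRINGS: List[str] = [
    r"\\.\mailslot\hxdef-rk100s",
    r"\\.\mailslot\hxdef-rkc",
    r"\\.\HxDefDriver",
    r"\Device\HxDefDriver",
    r"\??\HxDefDriver",
    r"c:\hxdlogex.txt",
]


def encodings_of(s: str) -> Dict[str, bytes]:
    """Byte patterns a string scanner must look for: narrow and wide forms."""
    return {"ascii": s.encode("ascii"), "utf-16le": s.encode("utf-16-le")}


def scan_blob(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, indicator, encoding) for every hit, matched case-insensitively."""
    hits: List[Tuple[int, str, str]] = []
    lowered = blob.lower()  # bytes.lower() folds ASCII letters only; wide zero bytes are untouched
    for indicator in HXDEF_STRINGS:
        for enc, pattern in encodings_of(indicator.lower()).items():
            start = 0
            while True:
                idx = lowered.find(pattern, start)
                if idx == -1:
                    break
                hits.append((idx, indicator, enc))
                start = idx + 1
    return sorted(hits)


def sample_blob() -> bytes:
    """Constructed stand-in for a compiled driver/exe: filler around two strings."""
    wide = "\\??\\HxDefDriver".encode("utf-16-le")   # stored wide, as in the db listing
    narrow = b"\\\\.\\mailslot\\hxdef-rkc"             # Delphi constant, stored narrow
    return b"MZ" + b"\x90" * 30 + wide + b"\x00\x00" + b"\xcc" * 8 + narrow + b"\x00"


if __name__ == "__main__":
    for off, indicator, enc in scan_blob(sample_blob()):
        print(f"0x{off:04x}  {enc:8s}  {indicator}")
```

Renaming the strings, which is the whole point of the thread, defeats this kind of match, so a scanner like this only catches unmodified builds; detecting a renamed build needs behavioural checks (hidden services, mailslots and devices that do not appear in normal listings) rather than strings.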
Quote:
That's why I recompiled the sys driver. It's now completely undetected. Only takes 5 minutes too.
Download the hxdef builder; it's somewhere on this board. Download the hxdef source and extract it into the hxdef builder directory.
Edit driver.c and driver.h. Replace hxdef with something of your choice.
example in driver.c:
PDEVICE_OBJECT HxDefDriverDeviceObject = NULL;
ULONG out_size;
replace it with
PDEVICE_OBJECT MYDriverDeviceObject = NULL;
ULONG out_size;
and
NTSTATUS HxDefDriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
with
NTSTATUS MYDriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
and so on.
save it and open driver.h
#define NT_DEVICE_NAME L"\\Device\\HxDefDriver"
with
#define NT_DEVICE_NAME L"\\Device\\MYDriver"
...
Got the idea? If not, turn on your brain.
Now open the hxdef100 source file and edit everything like before. Replace hxdef, hackerdefender and RK (stands for rootkit) with something you like. Don't use the auto-replace function for RK or you will break the code.
Recheck that everything is right and use the bats to create the executable.
Now test the rootkit on your system first (well, I did it because I know what I do).
If you know the service name of your rootkit, trying it on your own system is no problem.
After all hxdef etc. variables are gone, even KAV didn't find anything in my recompiled version (with some more changes too).
Quote:
Well, I changed that much that I don't actually know why it's now undetected.
I looked for anything like hacker defender, def, defender, rootkit, rk, hxdef, hxd...
So, for example, also:
HxdefLogFileName='c:\hxdlogex.txt'
The log file name has to be replaced.
HackerIdentificator='kernel32.dll'+#00;
Replace this too.
After that it should work fine.
Quote:
PAV still detects the hackerdefender ini.
To change that, look for the 9 things that are in the ini file in hxdef.dpr,
like hidden table, and change them to something else (don't forget to change them in the .ini too).