Sciencemadness Discussion Board
Not logged in [Login - Register]
Go To Bottom

Printable Version  
Author: Subject: another kind of mad science
Organikum
resurrected
*****




Posts: 2228
Registered: 12-10-2002
Location: Europe
Member Is Offline

Mood: fluffy!

[*] posted on 1-5-2003 at 03:30
another kind of mad science


Windows rootkits.
Anybody in the know on this topic?
And no, I am no skriptkiddie with ambitions, ;) I am interested in the technique which is used to hide processes and threads by intercepting api calls. (if I got that right so far...). It looks like a possibility to adapt Windows (W2k) more to my personal needs. (how far these "needs" are real needed or just weired imaginations of myself is another question)

Related:
I am looking for a real-time enviroment/OS addon for W2k or NT. I know this exists, has someone access to it and would share an evaluation copy perhaps?

oRg ;)
View user's profile View All Posts By User
a_bab
National Hazard
****




Posts: 449
Registered: 15-9-2002
Member Is Offline

Mood: Angry !!!!!111111...2?!

[*] posted on 1-5-2003 at 14:25


So you want to hide a little proggie in order to make it invisible from the task manager ? Well, you can make your program into a service process with the API function RegisterServiceProcess.

Try to be more specific with your needs; maybe I can help you. Also specify the language you are planning to use.
View user's profile View All Posts By User
Organikum
resurrected
*****




Posts: 2228
Registered: 12-10-2002
Location: Europe
Member Is Offline

Mood: fluffy!

[*] posted on 1-5-2003 at 19:36


No, that is exactly not what I am after - hiding a program to make it invisible is not of much use on ones own machine. And I am not interested in the usual trojan techniques like running the program as a thread of another, unsuspicious program and what there is more in this direction, not at least as I don´t want to write trojans. (I am to antisocial to be interested in other peoples machines or harddisk contents. The imagination to be of any interest for some "hacker" is a overestimation which is so far out as popular).
You might consider to have a look for "rootkit" - it is no trojan not even related to it. It is (so far I know by now) a set of routines which allowes to intercept OS communication on its own level or even before this in the HAL. This set of routines has to be hooked to another program (this can be a realtime enviroment or a trojan or something else) for gaining functionality.
Rootkits for UNIX and alike OS are quite common, but for Windows NT there are up to now only three or four known. The applied technique is highly interesting in my eyes - it is the first appproach known to me where a access is possible which allows true monitoring and steering of the "big hairball" Windows.

If anybody has asked himself how the nifty software the NSA and in future other agencies too (ab)use will look like and work, here is one possible and plausible answer

Languages? English and german I would prefer, but C, C++ and assembler might be better adapted. I am no programmer, but it is not necessary to be able to lay a egg for to cook a omelette. ;)
(reading C at least is necessary, understood)

a_bab, if you are realy interested and willing to lend a helping hand - welcome! The rootkit routines are available - first step woul be to understand how they work and how to hook them. For me the next step imagible would be to try a simple recording/comparing functionality where a program initiates certain OS functions to be used and the rootkit allowes the logging and compare of the REAL datastream and not the possibly intercepted output of the user interface.

A lot of what I think on is to find in realtime OS extensions for NT which are rootkits by itself - it is the only way to get this to work as I believe.

hiding programs from the task manager? Never! "Nuke_a_bab.exe" is on my desktop! (perhaps I should put it in "autostart"?) ;););)

org :cool:
View user's profile View All Posts By User
a_bab
National Hazard
****




Posts: 449
Registered: 15-9-2002
Member Is Offline

Mood: Angry !!!!!111111...2?!

[*] posted on 3-5-2003 at 23:00


It appears to me that you want to access remotely your computer, isn't it ? In this case, there are some other programs which are using this rootkit tehnique and these programs will allow you to actually have access to nearly all the resources of the other computer. There are malitious tools, like trojans, and in this case it's a great start to you to search for a good trojan source, so you can understand how it's actually working.
Another clue could be these "remote tools" like Carbon Copy, PCAnywhere, etc.

All of these tools are using a certain port to conect to the other computer. The best option is TCP-IP, but the modem could be also used.
View user's profile View All Posts By User
Organikum
resurrected
*****




Posts: 2228
Registered: 12-10-2002
Location: Europe
Member Is Offline

Mood: fluffy!

[*] posted on 4-5-2003 at 07:56


You got me completely wrong I fear. Probably I didn´t express me right. But how you come to think I want a remote access program isn´t understandable to me.
Not at all.
View user's profile View All Posts By User
Iv4
National Hazard
****




Posts: 312
Registered: 28-5-2003
Member Is Offline

Mood: No Mood

[*] posted on 6-6-2003 at 03:33


Most versions of Linux have somehing like that(OS extension).
View user's profile View All Posts By User This user has MSN Messenger
Organikum
resurrected
*****




Posts: 2228
Registered: 12-10-2002
Location: Europe
Member Is Offline

Mood: fluffy!

shocked.gif posted on 6-6-2003 at 11:24


LINUX comes with rootkit as OS extension included? If Linus Torvald hears this he will fall from his chair at transmeta I believe.
On the other side: What a service!
:D:D




Restrict alcohol and Tobacco.
Legalize everything else.
Mandatory LSD for politicians and Franklyn.
View user's profile View All Posts By User
Iv4
National Hazard
****




Posts: 312
Registered: 28-5-2003
Member Is Offline

Mood: No Mood

[*] posted on 8-6-2003 at 05:08


I'm still a little dazed(ex GF called again still no to the abortion) but if you'r doubting it I'm still prety sure that they exist.It was a prety simple command I belive(basically just copying the kernel).
View user's profile View All Posts By User This user has MSN Messenger
Organikum
resurrected
*****




Posts: 2228
Registered: 12-10-2002
Location: Europe
Member Is Offline

Mood: fluffy!

sad.gif posted on 8-6-2003 at 06:18
Iv4


Regarding your probs (oh shit....) - let it go, rootkits arn´t yours at the moment....

wish you best to get out of the malaise..

ORG




Restrict alcohol and Tobacco.
Legalize everything else.
Mandatory LSD for politicians and Franklyn.
View user's profile View All Posts By User
Iv4
National Hazard
****




Posts: 312
Registered: 28-5-2003
Member Is Offline

Mood: No Mood

[*] posted on 8-6-2003 at 06:42
Double vodka martini


Weird I can drink more since I decided to stop(second time in weeks).Thanks dude but I dont get the bit about rootkits.
View user's profile View All Posts By User This user has MSN Messenger
franklyn
International Hazard
*****




Posts: 2989
Registered: 30-5-2006
Location: Da Big Apple
Member Is Offline

Mood: No Mood

[*] posted on 19-10-2006 at 04:31


R O O T _ R A T S

FOR THOSE OF YOU WHO REALLY HATE WINDOWS.

Utilities:

System file replacer:

- DUD

Dud is a program that does absolutely nothing. Run it and it will

immediately unload. It can be used as a replacement for annoying

system files, such as C:\Windows\System32. Simply replace the

folder with dud.exe, and you'll never see the offending application

again !

GET IT HERE -> http://www3.telus.net/_/dud

( J U S T . K I D D I N G ! ! )

* WARNING: DO NOT REPLACE C:\Windows\System32 WITH DUD, OR ELSE THEN

YOU REALLY WON'T SEE THOSE OFFENDING WINDOW FILES AGAIN ! !


Actually it does have some very limited use. There are system files

which are very difficult to disable or uninstall. The file extension

of the offending file would first be renamed to '.old ' when logged

in as Administrator in ' Safe Mode '. Then DUD can be renamed as

that file in the system folder, rendering the particular application

inopperative. Windows file protection should be fooled into accepting

this substitute as authentic. The original system file, now appended

' old ' may now be deleted, backed up or archived.

Those knowledgeable will recognize that this behaves much as a

rootkit. Rootkits are particularly insidious forms of malicious

programs that hide by substituting for part of the operating system

and are practically undetectable except by monitoring for it's

characteristic signiture as it pretends to be a service or driver.

There is a body of opinion that holds that removing a rootkit is

forbiddingly impractical. Even if the nature and composition of a

rootkit is known, the time and effort of a system administrator with

the necessary skills or experience would be better spent re-installing

the operating system from scratch.

Sony BMG Corporation briefly used this scheme as copy protection

for music CD's that it marketed.

To discover if you have Sony's DRM ( Digital Rights Management )

XCP ( Extended Copy Protection ) software in your PC, from the Start

menu click 'Run', then type the following into the text box:

cmd /k sc query $sys$aries

If the response is 'STATE: 4 RUNNING', you have the software. If instead

you see, 'The specified service does not exist as an installed service,'

then you're clean.

IF YOU THINK THIS IS INVASIVE WAIT TILL INTEL, AMD, AND THE REST

BEGIN MAKING PROCESSORS WITH DRM HARDWARE BUILT IN TO THE CHIP !

You can also check your browser vulnerability here _

http://bcheck.scanit.be/bcheck


READ MORE ON ROOTKITS HERE _

http://www.pcworld.com/news/article/0,aid,119720,00.asp

http://www.pcworld.com/news/article/0,aid,119814,00.asp

http://www.sysinternals.com/utilities/rootkitrevealer.html

http://www.invisiblethings.org/papers.html

http://www.invisiblethings.org/tools.html

http://kareldjag.over-blog.com/article-895476.html

http://safecomputing.umn.edu/guides/scan_unhackme.html


THIS HAS BEEN A PUBLIC SERVICE ANNOUNCEMENT

.
View user's profile View All Posts By User
Thermal
Harmless
*




Posts: 41
Registered: 31-1-2004
Member Is Offline

Mood: No Mood

[*] posted on 19-10-2006 at 05:32


Orgy - I think you might be looking for something that acts as a layer between a windows program and the windows OS? Similar to how emulators like Wine can run windows software on top of other OS' and soforth?
View user's profile View All Posts By User

  Go To Top