Organikum
resurrected
Posts: 2329
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: busy and in love
|
|
another kind of mad science
Windows rootkits.
Anybody in the know on this topic?
And no, I am no skriptkiddie with ambitions,  I am interested in the technique
which is used to hide processes and threads by intercepting api calls. (if I got that right so far...). It looks like a possibility to adapt Windows
(W2k) more to my personal needs. (how far these "needs" are real needed or just weired imaginations of myself is another question)
Related:
I am looking for a real-time enviroment/OS addon for W2k or NT. I know this exists, has someone access to it and would share an evaluation copy
perhaps?
oRg
|
|
|
a_bab
Hazard to Others
Posts: 458
Registered: 15-9-2002
Member Is Offline
Mood: Angry !!!!!111111...2?!
|
|
So you want to hide a little proggie in order to make it invisible from the task manager ? Well, you can make your program into a service process with
the API function RegisterServiceProcess.
Try to be more specific with your needs; maybe I can help you. Also specify the language you are planning to use.
|
|
|
Organikum
resurrected
Posts: 2329
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: busy and in love
|
|
No, that is exactly not what I am after - hiding a program to make it invisible is not of much use on ones own machine. And I am not interested in
the usual trojan techniques like running the program as a thread of another, unsuspicious program and what there is more in this direction, not at
least as I don´t want to write trojans. (I am to antisocial to be interested in other peoples machines or harddisk contents. The imagination to be of
any interest for some "hacker" is a overestimation which is so far out as popular).
You might consider to have a look for "rootkit" - it is no trojan not even related to it. It is (so far I know by now) a set of routines
which allowes to intercept OS communication on its own level or even before this in the HAL. This set of routines has to be hooked to another program
(this can be a realtime enviroment or a trojan or something else) for gaining functionality.
Rootkits for UNIX and alike OS are quite common, but for Windows NT there are up to now only three or four known. The applied technique is highly
interesting in my eyes - it is the first appproach known to me where a access is possible which allows true monitoring and steering of the "big
hairball" Windows.
If anybody has asked himself how the nifty software the NSA and in future other agencies too (ab)use will look like and work, here is one possible and
plausible answer
Languages? English and german I would prefer, but C, C++ and assembler might be better adapted. I am no programmer, but it is not necessary to be able
to lay a egg for to cook a omelette.
(reading C at least is necessary, understood)
a_bab, if you are realy interested and willing to lend a helping hand - welcome! The rootkit routines are available - first step woul be to understand
how they work and how to hook them. For me the next step imagible would be to try a simple recording/comparing functionality where a program initiates
certain OS functions to be used and the rootkit allowes the logging and compare of the REAL datastream and not the possibly intercepted output of the
user interface.
A lot of what I think on is to find in realtime OS extensions for NT which are rootkits by itself - it is the only way to get this to work as I
believe.
hiding programs from the task manager? Never! "Nuke_a_bab.exe" is on my desktop! (perhaps I should put it in "autostart"?)
org 
|
|
|
a_bab
Hazard to Others
Posts: 458
Registered: 15-9-2002
Member Is Offline
Mood: Angry !!!!!111111...2?!
|
|
It appears to me that you want to access remotely your computer, isn't it ? In this case, there are some other programs which are using this
rootkit tehnique and these programs will allow you to actually have access to nearly all the resources of the other computer. There are malitious
tools, like trojans, and in this case it's a great start to you to search for a good trojan source, so you can understand how it's actually
working.
Another clue could be these "remote tools" like Carbon Copy, PCAnywhere, etc.
All of these tools are using a certain port to conect to the other computer. The best option is TCP-IP, but the modem could be also used.
|
|
|
Organikum
resurrected
Posts: 2329
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: busy and in love
|
|
You got me completely wrong I fear. Probably I didn´t express me right. But how you come to think I want a remote access program isn´t
understandable to me.
Not at all.
|
|
|
Iv4
Hazard to Others
Posts: 312
Registered: 28-5-2003
Member Is Offline
Mood: No Mood
|
|
Most versions of Linux have somehing like that(OS extension).
|
|
|
Organikum
resurrected
Posts: 2329
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: busy and in love
|
|
LINUX comes with rootkit as OS extension included? If Linus Torvald hears this he will fall from his chair at transmeta I believe.
On the other side: What a service!
|
|
|
Iv4
Hazard to Others
Posts: 312
Registered: 28-5-2003
Member Is Offline
Mood: No Mood
|
|
I'm still a little dazed(ex GF called again still no to the abortion) but if you'r doubting it I'm still prety sure that they exist.It
was a prety simple command I belive(basically just copying the kernel).
|
|
|
Organikum
resurrected
Posts: 2329
Registered: 12-10-2002
Location: Europe
Member Is Offline
Mood: busy and in love
|
|
Iv4
Regarding your probs (oh shit....) - let it go, rootkits arn´t yours at the moment....
wish you best to get out of the malaise..
ORG
|
|
|
Iv4
Hazard to Others
Posts: 312
Registered: 28-5-2003
Member Is Offline
Mood: No Mood
|
|
Double vodka martini
Weird I can drink more since I decided to stop(second time in weeks).Thanks dude but I dont get the bit about rootkits.
|
|
|
franklyn
International Hazard
Posts: 3026
Registered: 30-5-2006
Location: Da Big Apple
Member Is Offline
Mood: No Mood
|
|
R O O T _ R A T S
FOR THOSE OF YOU WHO REALLY HATE WINDOWS.
Utilities:
System file replacer:
- DUD
Dud is a program that does absolutely nothing. Run it and it will
immediately unload. It can be used as a replacement for annoying
system files, such as C:\Windows\System32. Simply replace the
folder with dud.exe, and you'll never see the offending application
again !
GET IT HERE -> http://www3.telus.net/_/dud
( J U S T . K I D D I N G ! ! )
* WARNING: DO NOT REPLACE C:\Windows\System32 WITH DUD, OR ELSE THEN
YOU REALLY WON'T SEE THOSE OFFENDING WINDOW FILES AGAIN ! !
Actually it does have some very limited use. There are system files
which are very difficult to disable or uninstall. The file extension
of the offending file would first be renamed to '.old ' when logged
in as Administrator in ' Safe Mode '. Then DUD can be renamed as
that file in the system folder, rendering the particular application
inopperative. Windows file protection should be fooled into accepting
this substitute as authentic. The original system file, now appended
' old ' may now be deleted, backed up or archived.
Those knowledgeable will recognize that this behaves much as a
rootkit. Rootkits are particularly insidious forms of malicious
programs that hide by substituting for part of the operating system
and are practically undetectable except by monitoring for it's
characteristic signiture as it pretends to be a service or driver.
There is a body of opinion that holds that removing a rootkit is
forbiddingly impractical. Even if the nature and composition of a
rootkit is known, the time and effort of a system administrator with
the necessary skills or experience would be better spent re-installing
the operating system from scratch.
Sony BMG Corporation briefly used this scheme as copy protection
for music CD's that it marketed.
To discover if you have Sony's DRM ( Digital Rights Management )
XCP ( Extended Copy Protection ) software in your PC, from the Start
menu click 'Run', then type the following into the text box:
cmd /k sc query $sys$aries
If the response is 'STATE: 4 RUNNING', you have the software. If instead
you see, 'The specified service does not exist as an installed service,'
then you're clean.
IF YOU THINK THIS IS INVASIVE WAIT TILL INTEL, AMD, AND THE REST
BEGIN MAKING PROCESSORS WITH DRM HARDWARE BUILT IN TO THE CHIP !
You can also check your browser vulnerability here _
http://bcheck.scanit.be/bcheck
READ MORE ON ROOTKITS HERE _
http://www.pcworld.com/news/article/0,aid,119720,00.asp
http://www.pcworld.com/news/article/0,aid,119814,00.asp
http://www.sysinternals.com/utilities/rootkitrevealer.html
http://www.invisiblethings.org/papers.html
http://www.invisiblethings.org/tools.html
http://kareldjag.over-blog.com/article-895476.html
http://safecomputing.umn.edu/guides/scan_unhackme.html
THIS HAS BEEN A PUBLIC SERVICE ANNOUNCEMENT
.
|
|
|
Thermal
Harmless
Posts: 41
Registered: 31-1-2004
Member Is Offline
Mood: No Mood
|
|
Orgy - I think you might be looking for something that acts as a layer between a windows program and the windows OS? Similar to how emulators like
Wine can run windows software on top of other OS' and soforth?
|
|
|
![[*]](images/xpblue/default_icon.gif){kind=icon}
