This was an idea that I used in the Rootkit idea below.
Just a extract explained.
[ .rar ] Project files
[ C - Source ] PEInfect

Unmodified program shown in PE Explorer.
Unmodified programs entry point shown in ollydbg.

Modified program shown in PE Explorer:

Modified programs entry point shown in ollydbg:

This was the result of me messing around last November.
Shows just how easy a rootkit with simple worm characteristics could be to write, but I got bored with it and it hasnt progressed for the past two months, but I may as well post it.
What needs to be finished, as far as I can see is:
-prevent remodifying the target-files PE-Header.
-the mailbox system. Makes sure only one copy of the file is run at a time to ensure agaisnt driver crashes.
-all the strings need to be encrypted and then decrypted when used and erased.
-all allocated memory needs to be deallocated.
Rootkit:
[ .rar ]Project Files (Driver/Application)
[ C - Source ]Driver
[ C++ - Source ]Main program
ntifs.h

Someone asked me the other-day about writing a simple scripting language, so I got around to playing around a bit, and ended up writing a simple interpreter. In appearance I guess it looks something like a cross between assembly (source, destination) and BASIC:

It supports a simple form of loops, variable storage and retrieval, basic (limited functionality at this point) conditional statements, variable output.
Download:
-source code here.
-Project Files here (contains script file)
-sample script file

A ‘Crude’ method of preventing access to a program is by hooking NtOpenProcess and denying any request for a handle. Simple. The screenshot below shows what happens when I tried to terminate notepad, which at the time was ‘protected’ by this hook. A detour hook would be preferable to an SSDT pointer change as it is less detectable, but I’ll cover that some other time.

[ C - Source ] Driver.c
[ C++ - Source ] DriverControll.cpp
Download the compiled executable.
ntifs.h

Operation:  Once the executable has been run and you’ve entered your target process name (with the .exe!) and you are presented with an arrow (–>), you have three commands. HOOK, UNHOOK, EXIT. They’re fairly explanatory. Unhook before you exit. Make sure you’ve spelt the process name correctly.

Ok, as with many previous things this is XP only. The call number would need to be changed for other OS’s or SP’s. Look here for different call numbers.

So I decided to give DirectX a shot and try and create a Tile Engine (wikipedia link for those who dont know..)

Without much reading or forethought I went ahead and started coding. Not really happy with the results, has a quite a few things which I would do different. A pixel based camera rather than a tile based one, so I’m posting this here and leaving it as is. I’ll salvage bits from this code and recode it and see what I come up with.

Anyway, heres a picture of it:

The values in the map file are stored in little endian format, and the structure of the map file explained here in picture format.

Source Code (.cpp)
Source Code (.h)
PNG #1
PNG #2

I see a few people looking for information on winsock and WINAPI hooks in general.
Well, heres an easily modifiable inline hook.
It works quite simply by replacing the 5 byte preamble at the start of the target function (NOTE: in pre win-xp sp2 systems this will be 3 bytes, and not five, so that would need to be changed) with a jump to our function, doing whatever we need to do then jump back to the original code. However, because we’re replacing that preamble, for things to work we have to add those commands in our hook function.

Hook diagram

C/C++ – Source Code

MSDN – send

So its been just over five months since my last post, which is pretty pathetic but I’m at a sheer loss of idea’s for content.

If you wanna see something specific, write a comment with your thoughts and requests and I’ll see what I can do.

I recently decided to rework a piece of code I wrote earlier this year, and decided to expand upon it.

My intent is to eventually have something resembling a fully fledged rootkit-detector, but I think thats still a while off. I did however add a few new functions to my previous version: amongst them the ability to detect both detour hooks and ssdt-table pointer hooks, that and the ability to detect hidden processes – the latter being something I still need to do a bit of work on, but I’ll include that in my next version.

I also had some fun and reworked the GUI and came up with a cool way of doing so. I thought it came out looking pretty stylish (as you can see in the screenshot below ).

You can download it here:
EXE Download (.zip)
Some screenshots:
In action…
The reworked GUI again

And the original programs post

Note: wont work on pre XP-sp2 systems. Nor do I think it will work on Vista.

Right so this particular post assumes that you’ve got some knowledge as to what DKOM (Direct Kernel Object Manipulation) is and the specifics of the _KPROCESS structure.

Well anyway, you can view the code here.

Enjoy

So I was bored the other day and wanted to code something that would get me back into coding as I’ve had a bit of a break.

This is the result:

I wrote a quick unhook function but its erratic at best and keeps BSOD’ing me… So I’ll update this once I’ve got that working flawlessly.

If it DOES pick something up, make a note of what it is because it may be perfectly legit. For instance various AV’s hook NtOpenProcess to protect its main process. However, if it pics something like NtQueryDirectoryFile chances are you’ve got a rootkit. However, if it doenst pick anything up… thats a good thing.

In the pic I hooked several items, for demonstration purposes.

Driver: 90% inline assembly, 10% C.
GUI: 100% C++.

If you want, you can download it here.

Note: I’m 99.99% sure it wont work on Vista – so its confined to all versions of Windows XP.

I’m sure just about everyone who has used MSN Messenger (WLM) knows about the nudge function, and its time delay between nudges that it enforces. If you were to remove that it would bypass that and allow you to send an infinite amount of nudges. You could potentially disconnect your victim – or just really piss them off.

Anyway, Its quite an easy job to patch it.

I have supplied three possible solutions here:
The source code for an application that will patch your msn permenantly:
Source – C++
The compiled executable for the above source code:
Download – .ZIP
An image explaining how to patch it yourself with a hex editor:
Download – .ZIP

For the compiled executable, just run the application, when it asks if you want to patch msn type either y or n. If you do choose to patch it, it will automatically locate the directory of your msn installation, make a backup of your current messenger and save it as “msnmsgr.exe.backup” and then modifies the current version. Next time you open up MSN it should all work fine, and you should no longer have a nudge-limit. If however, it does screw up just delete the current messenger version and rename by removing the “.backup” suffix.