[ www.rootkit.com ] cvs repository

NEW BUILD 0.43 supports Keyboard Sniffer Posted Feb 03, 2001 by Hoglund [24]

In addition to the new features posted yesterday, we have dropped in a keyboard sniffer. The sniffer operates as a device-filter in the kernel, so it becomes a skeleton for other types of filters as well.
Here is a screenshot of the rootkit-shell with keysniffer:


The keyboard sniffer is implemented as a driver hook. We have a single dispatch function which examines all device objects and compares them against objects we want to sniff. In this example, we are concerned only with the keyboard class driver. There has been stub code in rootkit for a long time for keyboard sniffing - but it was ripped from the sysinternals ctrl2cap example and certainly didn't fit with rootkit design. The old cruft was wiped out of the source tree and replaced with the simpler, rootkit-style version that we have here.

Any device hook can be implemented using the same technique used on the keyboard. Because we wanted the rootkit to be able to unload and load dynamically, I had to put a tricky pending-IRPs counter in the UnLoad() routine - you see, you can't unload if there are pending callbacks to the rootkit - that would most certainly cause a BSOD. I added a wait object into the Unload() routine so we can safely unhook filters from other devices. At this point, we can explore hooking other device objects such as the network, USB ports, audio/video, whatever. The cool part is that this is a filter hook - which means we can *alter* the data in transit as well as sniff it.

The 0.43 source can be downloaded from here. It goes without saying that you need the NT DDK to compile this. I am not releasing a precompiled version yet.

Win2K Rootkit - NEW BUILD 0.42 Posted Feb 02, 2001 by Hoglund [23]
Well, I know it has been a while since we have posted any new source, but over the past 6 months I have received some source-code contributions from various team-members. Also, I will be presenting at BlackHat this year on the rootkit project, so I have an excuse to code rootkit for a while. Over the past two days I have integrated some file and directory hiding logic from one of the team-members and begun developing a kernel-mode shell.

The current build of the rootkit has an embedded TCP/IP stack of sorts, which enables you to telnet or netcat to the machine that is infected. The rootkit itself supports spoofing of any IP address you choose and can be very flexible in what kind of traffic it will respond to. In a nutshell, I have been telnetting into the rootkit from another machine in the lab. The rootkit supplies a kernel-mode shell and accepts a couple of commands:

  • dump a process list
  • toggle file/directory hiding
  • toggle process hiding
  • issue a kernel-mode debug interrupt

Here is a screenshot of the rootkit-shell:


Just as before, the stealth techniques are not applied to processes that start with the letters '_root_'. The only exception is EXE-Redirection, which still redirects '_root_' EXE's to calc.exe.

The rootkit still needs better support for specifying which files/regkeys/directories/processes to hide, and also who and what to EXE-redirect. Now that rootkit has a shell, I am hoping it will be easier for people to work with the code and contribute more ;-) !!!!

open issue: The kernel-mode shell uses a small hack of TCP/IP which could be improved. It works with netcat and telnet on most of my machines, but I have a couple of Windoze boxes that don't like to cooperate with the rootkit 'stack' - so rootkit still needs some improvement in this area. If you have trouble, use a different machine. Try linux/netcat - I am able to use win2k telnet client w/ no problems on a few machines.

Using the concept of a kernel-mode shell, you can add functions to this rootkit that enable you to do many of the things that SoftIce can do, including kernel-memory patching, hardware peeks/pokes, etc. Of course, we have hooked most of the major kernel APIs so stealth is not a problem. If you come up with anything creative, please send in your sources!!!

The 0.42 source can be downloaded from here. It goes without saying that you need the NT DDK to compile this. I am not releasing a precompiled version yet.

No Driver Required - SystemLoadAndCallImage Posted August 29, 2000 by Hoglund [22]
For a while there has been a thread on NTBUGTRAQ about kernel-mode protection from this rootkit. This is good - the whole point of this project is to get people thinking about the problem. For example, there is now an ANTI-Rootkit (called Integrity Protection Driver IPD - released open source by Pedestal Software - worth a look). I can tell you that the anti-rootkit doesn't work, and there are a couple of reasons for this. If you want to check out the thread, take a look at Rootkit Gets a Moment of Clarity.

At the Blackhat Briefings this year, more than a couple smart people talked about how many ways you can load code into the NT kernel - the obvious reaction to the whole "anti-rootkit" idea. Most of the rootkit developers were in on this - so we decided to change the windows rootkit in response. Check out No Driver Required - SystemLoadAndCallImage.

Another Logo! Posted August 24, 2000 by Rick [21]
Hey, just checked out the new rootkit page and saw you wanted a logo for it.. so I threw this up in Photoshop...

Rootkit Update Posted August 23, 2000 by hoglund [20]
Well, DefCon was a blast if you didn't make it. As always, Caezar's Challenge r0x0red - with a challenge to write a buffer overflow payload in binary form that would execute on multiple hardware platforms. The room was packed and the walls were covered in op-code charts! People were packed in tight - my favorite op-code chart was the VAX chart in the toilet stall. There were two winners this year - with at least one of them designing a multi-platform payload for x86 and MIPS. Details are on the challenge website: http://www.caezarschallenge.org/.

Also of note - for some reason the registrant for this domain name appears as Tripwire -

I would like to point out first that this website has nothing to do with Tripwire. No-one from Tripwire is a member of the rootkit development team!

The reason that the domain name appears to have been registered by Tripwire is because ** I ** was working at Tripwire when I founded this site. I no longer work for Tripwire - or have anything to do with them.

Rootkit.com is a public project managed by a couple of really good hackers for the sole purpose of showing the world that it completely does not understand that when the OS is not secure, nothing is. Tripwire is not interested in this. Tripwire is interested in the filesystem, and we are interested in the kernel. To make the claim that Tripwire is at all interested in publishing a kernel modification rootkit when their product is a user-mode filesystem protection scheme is a gross misstep in logic.

Whew!

More News!

The rootkit list is a bit active lately - and at least one developer has some new code. We are exploring the possibility of removing the windows driver model completely from the rootkit. What this means is that the rootkit can be injected into the kernel without using a driver - it will not show up in the driver list - and programs which protect the 'loading' of drivers will not stop the rootkit.

We are also exploring some basic configuration file stuff so that it is easy to manage the rootkit - the 'ini' file will allow you to specify which files to hide, which registry keys to hide, and which executables to trojan. We are also adding support for process and driver hiding. Yes, you can hide anything. Do not be fooled by people who say you cannot hide a process under NT - you can hide a Mack truck in a Hyundai dealership when you have kernel access.

-Greg

DEFCON IS HERE!!!! Posted July 19, 2000 by hoglund [19]
See you all at DEFCON!!!!

Hope to see you at Caezar's Challenge.

DEF CON 2000 will be July 28th-30th @ the Alexis Park

NEW WIN2K ROOTKIT LOGOS! Posted July 19, 2000 by hoglund [18]
All these people have sent logos for the Windows 2000 rootkit! Take a look and let me know your favorites.

NEW BUILD Posted December 15 13:16 PST, 1999 by hoglund [17]
We are pleased to announce build 0.31 of the Windows NT rootkit. This build has debug messages built in, so download DbgView from sysinternals.com to check that out. This build is exciting because it includes an easy-to-use deploy.exe to install and start the rootkit for you. It has also been tested under Windows 2000 as well as 4.0.

This build is testing a new technique called EXE Redirection which can hide any trojan from the user. If you open, hash, CRC, or scan the file under an X-ray, you see the original file. But, if you execute the file, you get the trojan. This is a very powerful stealth technique. Also, this build sports the ability to hide registry keys and values. And, source is included so you don't need CVS to check it out! Weeee.

New Paper Posted Dec 8, 1999 by Caezar [16]
Posted white paper on Lysine Deficiencies.

Abstract

This is a quick description of Lysine deficiencies, why they're important in "white hat" projects, and what components must be in place to correctly implement one.

NEW HOSTING Posted Nov 8, 1999 by hoglund [10]
The site has been moved! Big thanks to DEFCON for hosting our rootkit project.

We now have serious bandwidth.

update Posted Wednesday, October 25, 1999 - 20:30 by hoglund [4]
Vacuum has checked in Versioner. Versioner will allow you to snapshot a filesystem and detect changes, as well as inventory which file versions you have installed. Versioner will report:
  • filename
  • creation time
  • last access time
  • last write time
  • MD5 Checksum
  • PE Resource strings (company name, version, etc).

Versioner will also output to CSV format for Excel, which is cool. So far, if a kernel binary is patched with a rootkit, Versioner will detect the intrusion. However, once the NT rootkit is complete, it should be able to hide its own image such that file-integrity assessment tools will no longer detect the violation.
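The snapshot-and-compare workflow described above, as an added example that is not Versioner's code: it records the same fields Versioner reports (minus PE resource strings, which need a PE parser), diffs two snapshots by checksum, and the constructed sample tree shows a patched image and a new file being flagged. File names and contents in demo() are made up.

```python
# Added illustration of the Versioner workflow described above; not Versioner's code.
import hashlib
import os
import tempfile

def file_record(path, algo="md5"):
    """The fields Versioner reports for one file (MD5 as on the page;
    use algo="sha256" today, MD5 collisions are practical)."""
    st = os.stat(path)
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"filename": path, "creation_time": st.st_ctime,
            "last_access_time": st.st_atime, "last_write_time": st.st_mtime,
            "checksum": h.hexdigest()}

def snapshot(root, algo="md5"):
    """Map every regular file under root (relative, '/' separated) to its record."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = file_record(full, algo)
    return snap

def diff_snapshots(old, new):
    """Compare by checksum only: timestamps are trivially reset by whoever
    patched the file, so they are recorded but never trusted for the verdict."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys()
                      if old[p]["checksum"] != new[p]["checksum"])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed sample tree: baseline, then one image is patched and a new
    driver file appears. Run the real scan from clean boot media, not online."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        put("system32/ntoskrnl.bin", b"ORIGINAL KERNEL IMAGE")
        put("system32/hal.bin", b"HAL IMAGE")
        baseline = snapshot(root)
        put("system32/ntoskrnl.bin", b"ORIGINAL KERNEL IMAGE + patched bytes")
        put("drivers/unexpected.sys", b"new driver")
        return diff_snapshots(baseline, snapshot(root))
```

Because a kernel rootkit that filters file I/O can hide its own image from a scan run on the infected system, the baseline and the later snapshot should both be taken with the disk mounted from trusted boot media.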

REVERSING WIN32

Check out the WinFree Console source code. The source is an attempt to reverse engineer the NT kernel in order to run console win32 apps. The author reversed many structures - too bad it's so old. Worth a look.

update Posted Wednesday, October 10, 1999 - 23:23 by hoglund [3]
Vacuum has been busy w/ WinfingerPrint. You are a mad coder! The rootkit project has a new build engineer - Jon Gary will be running builds out of the CVS server and posting binary releases. Ryan (talis) just wrote the Blowfish encryption for the rootkit (he also wrote the Blowfish plug-in for BO2K). Also, special thanks to _jussi for alpha-testing the rootkit on so many platforms!

update Posted Tuesday, August 17, 1999 - 14:06 by hoglund [2]
Today I changed the look & feel of the site. I am pleased to announce the participation of several new developers. Shout outs to vacuum, barns, and the old crew (are you having fun in Germany?).

This site hosts the development of NTRoot & RogueX. NTRoot is a rootkit for the Windows NT operating system. NTRoot is a package of tools which allow covert administration of Windows NT networks. The package includes modified binaries and patches to hide system processes, install and remove mobile code, and bypass security mechanisms. NTRoot is released under the terms of the GNU Public license.

New Build Posted August 11, 1999 by hoglund [1]
DOWNLOAD RogueX Alpha Release 0.3 (binary, NT Only) 518Kb.
Fixes a couple of bugs and the frag-router is really working this time (duh, IP fragments must be at least 8 bytes.. erm ;-)

Be aware that the method I use to build ARP tables may result in your local IP stack being disabled. This is because Windows NT is brain-dead about the source of a packet, and thinks you are having an IP address conflict w/ another machine. Remember this is alpha code. The conflict should not affect the ability of RogueX to scan.
