Full Disclosure mailing list archives
Re: how to hide files, services and process in windows 2k/xp/2k3 box
From: khaalel <khaalel () gmail com>
Date: Sun, 10 Jul 2005 15:53:27 +0200
Hi,

for the tips... sorry but I don't know which suggestions to give you, but I advise you to study AFX rootkit, when I wrote my first rootkit this code helped me a lot because it can hide
"""
a) Processes
b) Handles
c) Modules
d) Files & Folders
e) Registry Keys & Values
f) Services
g) TCP/UDP Sockets
h) Systray Icons
"""

There is an article that is well written (about win32 rootkit): it's "Analysis of a win32 userland rootkit" by Kdm, it's really a good paper.

Nzeka Gilbert aka khaalel

PS: If you want, I own the code of hxdef but this rootkit is known by everybody so for invisibility, hxdef is not the right tool!!! but the code is great for learning how to code a win32 rootkit.

On 7/10/05, fatb <fatb () security zz ha cn> wrote:
hi all guys
I'm trying to write a rootkit to hide files, services and process
in windows 2k/xp/2k3 box, and it would not be detected by icesword, rkdetector
and so on.
Anybody could be kind enough to give me some tips or suggestions, thx a lot!
BTW: I heard that golden hxdef could be avoid from icesword, rkdetector
and any other anti-rootkit software, anybody knew something about the golden hxdef?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
