tibbar
Hi, I'm trying to make a well-known NT rootkit undetected by AV.

I've sorted out all the executables; all that remains is to make some of the resources clean. It's a .sys file (driver), so I can't use packers since it's not executable. Aside from hexing it and hoping that my changes do not stop it from functioning properly, are there any tools that might help me?
coder
http://www.rootkit.com/newsread_print.php?newsid=36

QUOTE
How to become unseen on Windows NT
@ :: worthy ::     Dec 01 2003, 23:56 (UTC+0) 


hxdef writes: How to become unseen on Windows NT
Invisibility on NT boxes

In this version of this text are described methods of hiding files, processes, keys and values in the registry, system services and drivers, allocated memory and handles.


this should help...
tibbar
A very interesting paper, explaining the inner workings of HxDef.

Unfortunately, it doesn't help with the issue of how to make hxdef undetected by AV.

I'll be more specific. In hxdef, there are several files you need to make undetected: the .exe's, which is simple with a good packer, and also driver.res.

In driver.res there is a resource called driver.sys. To make hxdef completely undetected, you need to extract this from the resource, modify it to make it undetected, and then put the undetected version back in the resources.

Now, I'm asking if anyone knows a method of making a .sys undetectable to AV other than random hexing.
starsky32
Hello :-)

"To make hxdef completely undetected, you need to extract this from the resource, modify to make undetected, and then put the undetected version back in the resources"

That's not exact. Of course, it's a possibility, but what's the point in "extracting" the driver from the resources, as holy father makes the sources available?
Take a look in the archive taken from his site, ALL the sources are in the zip file. You have the Delphi main prog, very well COMMENTED, and you have the original driver.res. What I want to say is that you just have to recode certain parts, then compile and it's ok :-)
So, take a look at the source, and start to code your OWN personal hxdef :-)

(that's what I did, I recoded the hxdef100 main prog and driver, and I have a working totally undetectable rootkit -- but don't ask me to upload, it was only for testing purposes -- and it's not too hard to make your own version)

So, the answer to your question:
"I'm asking if anyone knows a method of making a .sys undetectable to AV other than random hexing."

Code your own driver and that's it :-)

Starsky32
tibbar
I was kind of guessing that would be the way forward.

It does seem the best rootkit out there for NT. I've done lots of self testing and it seems very stable.

One thing: when you recompile the driver, do you need to make significant changes to the structure of the source to beat AV on the compiled version, or is a minor change sufficient?
starsky32
Hi again :-)

Well, some minor modifications were enough for me, and no antivirus was able to catch the "new" hxdef driver (and I made a quick test, it seems it's still the case as I'm writing this post - but it's not surprising, this version never came out of my box, so of course it's not detected yet and probably won't be detected in the future).
So don't worry, it's not very difficult.
The only "difficult" thing is to obtain the M$ DDK; I searched a long time before finding a site with a download available.
So maybe this should help you: it's in the Windows 2000 SP1 DDK (for WinME and Win2k), or you can download it here: http://www.vckbase.com/tools/drv/win2kddk.exe

Good luck :-)

Starsky32

P.S.: For sure, hxdef100 is the best rootkit ever made for NT OS. I tested a lot, and none is as good/stable/handy as hxdef is. HF did really good work, and even gave us the sources! Wonderful. But don't forget to take a look at his work, as he's working on a new concept rootkit for NT, and for sure it will rock :-)))

DCLXVI
Thank you for the link to win2kddk, Starsky32, I've been looking in all the wrong places for it :D
And I agree with you that hxdef100 is the best, works perfectly :D
tibbar
Ahh, thanks for the DDK link. I had to ask a friend at M$ to ftp it to me, but that was not gonna happen for a few days!

In case anyone's interested, I'm going to heavily mod hxdef into a fully-fledged RAT, with a proper client. Once it's done, maybe I will post it in the downloads section...
strohunter
Hi everybody ^^

First, I must say thanks for the Chinese link, because I was looking for soooo long for the NT4 DDK (which is almost impossible to find ^^)

Well, I have recompiled the driver.sys, but:

- the file size is now 500kb instead of 4kb
- I don't know how to create a new .res file from the driver.

But now even KAV doesn't detect the driver.
TeXT
You need undetected *.sys files?.. -))))))
I can do it.. file size will be ... 4kb + 2kb...
strohunter
I don't need an undetected .sys file ;) I already have it; I just wonder why after recompiling it's 500kb now O_o

In order to make the hxdef rootkit undetected, ya have to remake the driver.res from my new driver.sys, but I don't know how ^^

Erk, damned Delphi program ^^

Btw, most tricks to fake AV don't work with KAV.
TeXT
Because your method is not.. right.. =))))..........
strohunter
Ok, PM me your not-recompiled but modified driver.sys file, I want to see with my own eyes that KAV misses it :)

Btw, do you know how to make a new driver.res from the .sys file?
Progressor
Thank you a lot for the DDK link :)
withdraw
Thanks man, I've been looking for the DDK forever.