Ok, I briefly described what needs to happen to modify your hxdef in jimmy's post of his modified version, but I think that everyone should do their own and keep it private because public versions like that will be grabbed in a matter of days (for testing purposes: if people upload to KAV then KAV checks the content of all files which get stored on their servers, so DON'T USE ONLINE CHECKING).
It's not hard, and I'm no guru, but I will help out as much as I can.
Thanks goes to:
george (for helping with compiling and hiding from av)
darkranger (for scanning the files)
holy_father (author of the rootkit, without him nothing could be done)
OK, the things you need are:
XP DDK (filemirrors.com -> xp_ddk.iso)
Visual C++ _or_ Visual Studio .NET
Delphi 7 (borland.com then search for crack on cracks.am)
HxDef 1.00 Source Code (http://rootkit.host.sk)
Winsock 2.2 API for Delphi (http://home.earthlink.net/~akonshin/files/winsock2.zip)
ntifs.h (http://www.insidewindows.info/ntifs.h)
PE Resource Explorer (http://www.wilsonc.demon.co.uk/d7resourceexplorer.htm)
Ok, so download the 1.00 release from rootkit.host.sk, then inside there is a .zip file called src.zip, extract that wherever you want.
The file hxdef100.dpr is the main source of the code, this is where the majority of the work takes place.
First of all, use the replace function (ctrl+r) to replace "hxdef" with any other 5 character string. It must be 5 characters or you need to change offsets later on (which I don't know how to do).
Here your hxdef will already be changed thanks to the first step, but the "-rk*" needs to be changed to a "-**" where "**" is any 2 character string.
Lastly in this file, all we change is all "RK_" references to any "**_" reference where "**" is any 2 character string.
Now, in order to compile, you extract the Winsock 2.2 API you downloaded to the _same_ directory that contains your hxdef source code, and also you need to copy all files from the "units" directory (found in src.zip from hxdef release) to your source code directory.
Then hit CTRL+F9 to compile.
All done? Not yet. This compiles our new .exe which is now hidden from all AV, but we need to hide the driver also (to read up on how rootkits actually work hit http://www.rootkit.com). What we do now is edit the driver sources.
Edit driver.c and driver.h in your driver dir from src.zip, and yet again change all references of "hxdef" to another 5 character string the same as in your hxdef100.dpr file.
Next, edit the sources file and change this line
CODE
INCLUDES=c:\ddk\inc
To your inc dir of your DDK installation.
Finally, copy the ntifs.h file to your DDK\inc\wxp directory, choose Start -> Programs -> Development Kits -> Windows DDK 2600 -> Build Environments -> Win XP Free Environment.
This opens up a command window, navigate to the dir with your driver sources, and type build. You should now have your driver.sys file in objfre\i386\ (relative to your driver source directory).
IF you get errors in VS.NET with something to do with "jvc" copy your driver directory to your DDK root folder, and proceed.
Next, open up PE Resource Explorer, select Import -> RC Data, open your .sys file, and then choose Save As -> driver.res in the folder of your hxdef100.dpr file. Now you have updated your driver =D Hit CTRL+F9 in Delphi again to recompile your new hxdef with your new driver.
To hide rdrbs100.dpr just change the reference of hxdef to another 5 character string. I haven't tested this myself, but it should work. Finally, to hide your backdoor client from AV (not necessary if you connect from a PC with no AV) just change all references of "hxdef" to another 5 character string. Hit CTRL+F9 for both, and you are done =D. Then follow the instructions in readmeen.txt provided by holy_father in the main hxdef100.zip release file to set up your ini (use the characters to hide the values, such as [/"<S>/"tar"<//t<up>"]//, so as to hide the .ini from AV).
Voila! You are all done. I MAY have missed something, if it doesn't work for you let me know. Hope you enjoy my first tut.
FiNaLBeTa
Jan 30 2004, 05:18 PM
Thank you for this tutorial on making it undetected. I didn't know enough programming yet to know how to do it myself. Though I don't know if just changing the haxxdef references is enough, I mean, the antivir looks at other code too. The driver is the weak point. I'll test this later.
If it works, I owe you one
RFlash
Jan 30 2004, 05:22 PM
Well, I really don't know if I'll have the time to test the entire environment requested, but the reading was really interesting, many thanks for your effort phaeton!
RFlash
phaeton
Jan 30 2004, 05:56 PM
FinalBeta, it works 100% like a dream here (note the thanks to darkranger for the scanning ). I have it tested on:
Norton, Panda, Trend Micro, Kaspersky
All without Morphine or UPX
Enjoy
nolimit
Jan 30 2004, 07:29 PM
Interesting read, I think I'll wanna add a backdoor listening port and some other stuff of my own to change it more, but I was wondering how to change the .sys, very helpful.
phaeton
Jan 30 2004, 09:00 PM
I'm satisfied with it binding to any open port; that way the box has a webserver, I connect to port 80, it's all smooth sailin
tibbar
Jan 30 2004, 10:18 PM
I did this recently, in a similar way, but I'm having problems connecting to it!
No matter what port I try to connect to, it simply tells me hxdef is not installed...
I'm thinking it may be because I'm behind a router, although I tried on DMZ mode and it still didn't work.
daguilar01
Jan 30 2004, 11:26 PM
really gj explaining it phaeton, gonna do this soon as jimmy's gets detected, or I have some free time, lol
phaeton
Jan 30 2004, 11:34 PM
tibbar, is the hxdef hiding files? If so are you sure that you didn't change the length of any of the strings? My backdoor was broken when I used "abc" instead of "hxdef"... I don't know what else it could be, make sure port 80 is open on the haxed box too
Jipsu
Jan 30 2004, 11:37 PM
Just what I have been looking for!
Thanks very much, great work you have done there!
jimmy
Jan 31 2004, 02:12 AM
if mine got detected you can do more changes and fix the checksum afterwards, should prolly also fix the problem when you change hxdef to a 3 character string
phaeton
Jan 31 2004, 03:32 AM
Heh, I'm no guru and the last time I fixed the checksum was back in hxdef 0.7.* If you can help me out with that, it would be much appreciated.
jimmy
Jan 31 2004, 12:15 PM
you needed to fix the checksum in 0.73? strange, wasn't necessary there, cause in 0.83 the problem was the sys driver when you didn't fix the checksum
UnDeRTaKeR
Jan 31 2004, 01:51 PM
10x a lot man! great post !
tibbar
Jan 31 2004, 01:54 PM
out of curiosity, does the cracks.am site install any trojans when you agree to run the crack.zip file!
my HD whirled around like mad when I did click yes (against my normal wisdom). A full scan of KAV found nothing, but then that doesn't mean much does it!
I am always suspicious when a site tries to install something, especially a site like crack.am.
FiNaLBeTa
Jan 31 2004, 04:20 PM
I tested part one, changing the exe. I built it, and now:
// edit, all exe's are still found by Norton after the changes, the driver is not. But it's doubtful this will last more than a week.
does not seem to work. scanned by Norton.
Double-=V=-
Jan 31 2004, 05:13 PM
QUOTE (tibbar @ Jan 31 2004, 01:54 PM)
out of curiosity, does the cracks.am site install any trojans when you agree to run the crack.zip file!
my HD whirled around like mad when I did click yes (against my normal wisdom). A full scan of KAV found nothing, but then that doesn't mean much does it!
I am always suspicious when a site tries to install something, especially a site like crack.am.
Get a spyware scanner, like Ad-Aware, it's free and fast. Then remove the spy crap and never press yes again
Jackson
Jan 31 2004, 07:00 PM
ohh nice i will test them and many thx for that tutorial
phaeton
Jan 31 2004, 09:44 PM
QUOTE (tibbar @ Jan 31 2004, 01:54 PM)
out of curiosity, does the cracks.am site install any trojans when you agree to run the crack.zip file!
my HD whirled around like mad when I did click yes (against my normal wisdom). A full scan of KAV found nothing, but then that doesn't mean much does it!
I am always suspicious when a site tries to install something, especially a site like crack.am.
Heh, don't ever click yes. It probably installed a dialer or something (not too bad). Get Lavasoft's Ad-Aware, it should find some spyware and remove it.
FinalBeta ->
Are you sure you modified EVERYTHING? You also need to change the hxd in front of the logfile name... I may have missed that. I just tested mine with NAV again last night, again no problems. The -rk has to be changed and the RK_ has to be changed, you may have missed one or the other. If it doesn't work still, email me your source and I'll take a look.
phaeton
Jan 31 2004, 09:53 PM
Wait FinalBeta!
hxdef100.exe. It may seem simple, but that will trigger AV if you have the same exe name lol. Try again, lemme know how it works out.
FiNaLBeTa
Jan 31 2004, 10:13 PM
I did everything in the tutorial, now I renamed the exe to cewl.exe and Norton still finds it right away.
phaeton
Feb 1 2004, 04:35 AM
I don't know why, can you email me your source? Mine is not detected.
FiNaLBeTa
Feb 1 2004, 09:25 AM
QUOTE (phaeton @ Feb 1 2004, 04:35 AM)
I don't know why, can you email me your source? Mine is not detected.
sure, pm me your e-mail.
jimmy
Feb 1 2004, 11:28 AM
finalbeta download mine in downloads section and see what it does
Trojan^kid
Feb 1 2004, 12:55 PM
nice tut thanx man keep up the good work
epoke
Feb 1 2004, 03:44 PM
same here, Kaspersky detected the exe but the sys is undetectable. I did everything, renamed etc and used the hxdef-builder-3 ... (both methods, upx/morphine and not). does someone know which sign or string Kaspersky searches for??? thx for the tuto
phaeton
Feb 1 2004, 05:46 PM
Do you guys check your hxdef online with KAV? That is not a good idea since they check the files, and they might start looking for strings other than the ones changed
FiNaLBeTa
Feb 1 2004, 05:47 PM
I don't use online antivirs.
I'll send you my code later, but it's like in the tutorial
tibbar
Feb 1 2004, 07:09 PM
just a quick point to note. if you use the delphi 7 evaluation version, once it expires, the compiled .exe's will also expire! (as i just found out)
temp
Feb 1 2004, 07:16 PM
very nice tut.. thank you
tibbar
Feb 2 2004, 12:30 AM
hi ppl. I've successfully compiled the driver and hxdef prog. The only problem is when I try to connect, it accepts the pwd, then when it tries to bring up cmd.exe, all I get is a blank screen with a flashing cursor.
I know other ppl have had this problem b4, so if anyone has got an idea of what causes this, I'd be grateful for any tips.
btw, it works fine with the original hxdef prog.
oh and I tried the posted file in the downloads section, while it scans clean, I found it didn't work on some remote pc's - you could see it did run ok, as the .sys file appeared, but it was not possible to connect. As a comparison, I ran the plain hxdef prog, packed using Morphine, and this ran fine, and I got a remote shell.
temp
Feb 2 2004, 03:45 AM
any1 got a working crack for delphi 7 trial? all those from crackz.am are not working :/
phaeton
Feb 2 2004, 01:42 PM
Tibbar: You changed the length of your strings somewhere. I had this exact same problem, make sure the strings are correct or else you need to fix the checksum of the compiled exe (I can't help you there). I don't know about the version in the downloads section, but if it runs it would seem to me it runs fine. Possibly ask jimmy about this, but I have tested my versions on 7 different computers and all run without a hiccup.
Temp: Get the one that says "Trial to Enterprise" or something like that, it works perfect over here.
Krogoth
Feb 2 2004, 04:46 PM
that's a good find, phaeton. always good to see a tool that is undetected by AV. i'll do a test if i'm free over the weekend. thank you, phaeton.
Train25
Feb 2 2004, 10:34 PM
QUOTE (temp @ Feb 1 2004, 11:45 PM)
any1 got a working crack for delphi 7 trial? all those from crackz.am are not working :/
Hmmm... do I foresee a warning here... this is not a crack board, ask these questions elsewhere
globe7
Feb 2 2004, 11:29 PM
tnx alot dude! good post
tibbar
Feb 3 2004, 12:47 AM
well I would like to thank everyone for the help on this one. I got it working perfectly now.
regarding the issue of the trial version: if you compile in the trial version, the .exe produced WILL SELF TERMINATE after the trial period expires - if you don't believe me, open it up with PE module explorer, and check out the string table!
even if you do use the crack, this will still occur.
moral of this story, buy the full version, don't pirate it.
netbar9
Feb 3 2004, 09:55 AM
Nice work...
But where can I download a working version? download section? I am new here... where is it?
tonyilluminati
Feb 3 2004, 10:24 AM
nice i'm gonna try this out soon, dling ddk + installing c++ now
Nikscap
Feb 3 2004, 06:24 PM
Really Good Post ! Thx Man !
But I don't really have the time to download all these tools
Many people who have read this post have understood the method and won't forget it for future modifications of the source code! (Great Work)
Has someone compiled a personal version and can post it in the download section, or a link? Please.
Thanks in advance.
phaeton
Feb 3 2004, 07:25 PM
jimmy has posted one in the Downloads Section.
tibbar
Feb 3 2004, 08:44 PM
has anyone managed to compile hxdef in Delphi 8 (I have a legit copy of Delphi 8, but not of Delphi 7!!)
I get a number of errors - I think Delphi 8 is very different, so it's probably not easily possible. but if anyone thinks otherwise, pls let me know.
netbar9
Feb 3 2004, 10:18 PM
OK instead of waiting for someone to post here the link for the download section I did all steps from the initial post.
After compiling (no errors) I checked it with NAV. hxdef100.exe and rdrbs100.exe get detected by NAV, doesn't matter about filenames.... the new Driver.sys and bdcli100.exe don't get detected.
The only point I am unsure about is that step. My TestVersion: ServerMailslotNamePart='\\.\mailslot\blade-uk100s'; ClientMailslotNamePart='\\.\mailslot\blade-ukc';
Blade, that step looks perfect. I don't know how come your EXEs are getting detected, my hxdef100.exe (renamed of course) is not detected with definitions from 01-29-04 for NAV 2004 Pro. Did you rename all RK_? Change all hxdef strings? Did you change the name of the log file?
netbar9
Feb 3 2004, 11:36 PM
Yes I did. I changed the variable Backdoor and the mailslot to anything else... from then on it was fine and doesn't get detected anymore.
Now I have to find out how that thing works, I never used it yet =)
HArd2Burn
Feb 4 2004, 03:00 PM
hi nice tut... But I can't find the XP DDK (filemirrors.com -> xp_ddk.iso)... Can you check that link??? I think it doesn't work...
MFG
phaeton
Feb 4 2004, 07:48 PM
I think something is messed up with FM. Sorry, you will have to locate the DDK on your own *hint* its not hard to find... read around, all the tools needed for compiling hxdef are on a page somewhere that you can access from this thread...
HArd2Burn
Feb 4 2004, 08:06 PM
THX nice tutorial...
tibbar
Feb 4 2004, 10:54 PM
well this was all a waste of time really. this "modified" version is now detected by KAV.
back to the drawing board of figuring out what new changes to make to hide it again.
this time no public discussion...
[edit] hahaha this is funny. the undetectable version is the one made by the trial version of Delphi 7, which makes .exe's that expire after 30 days or so.
the real Delphi 7 compiles it into a proper .exe without a time countdown... but it is then detected. i.e. the suggested changes are not enough to beat KAV.
phaeton
Feb 5 2004, 01:34 AM
What is the countdown on the Trial Delphi 7? How many days?