Uniter
URGENT!!!!

Remember to edit this
@cDriverDeviceName : db '\',000h, '?',000h, '?',000h, '\',000h
db 'H',000h, 'x',000h, 'D',000h, 'e',000h
db 'f',000h, 'D',000h, 'r',000h, 'i',000h
db 'v',000h, 'e',000h, 'r',000h,000h,000h

You see the instance of HxDef??! (I think this is the problem with the backdoor, but I have no idea!)
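The device-name constant quoted above is stored as UTF-16LE (every character byte is followed by a zero byte), which is why an ASCII-only string dump does not show it while an AV signature on the wide string matches it. As an added example from the analyst's side, not code from this thread or from the Hacker Defender project, the following Python carves printable UTF-16LE strings out of a binary blob and filters them down to NT device and symbolic-link names; the sample bytes and the `SAMPLE_BLOB`, `utf16le_strings` and `device_names` names are constructed for this illustration.

```python
import re
from typing import List

# Constructed sample: the two UTF-16LE device-name constants from the post,
# surrounded by junk bytes and an ASCII string that must NOT be reported.
SAMPLE_BLOB = (
    b"\x90\x90\x00\x01"
    + "\\??\\HxDefDriver".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\x13\x37"
    + "\\Device\\HxDefDriver".encode("utf-16-le") + b"\x00\x00"
    + b"plain ascii text"
)

# NT object-manager prefixes that mark a device name or a symbolic link to one.
DEVICE_PREFIXES = ("\\??\\", "\\Device\\")


def utf16le_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return every run of at least min_len printable ASCII characters that is
    encoded as UTF-16LE (each character byte followed by a 0x00 byte)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group(0).decode("utf-16-le") for m in pattern.finditer(blob)]


def device_names(blob: bytes) -> List[str]:
    """Filter the wide strings down to those that look like NT device names."""
    return [s for s in utf16le_strings(blob) if s.startswith(DEVICE_PREFIXES)]


if __name__ == "__main__":
    # Typical use on a real file: device_names(open(path, "rb").read())
    for name in device_names(SAMPLE_BLOB):
        print(name)
```

On a whole file, `strings -e l` from GNU binutils extracts the same little-endian 16-bit strings; the point of the filter is that a device name under `\??\` or `\Device\` in an unsigned, unexpected binary is worth a closer look regardless of what the name itself says.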
Killaloop
Yeah, you are right.
This one wasn't easy to see.
Thx for that information. Now AV keeps silent and everything is working again.
rush
KAV maybe, but NAV still alarms me when starting the exe and detects the .sys driver.
Killaloop
That's why I recompiled the sys driver. It's now completely undetected. Only takes 5 minutes too.
Download the hxdef builder, it's somewhere on this board. Download the hxdef source and extract it into the hxdef builder directory.
Edit driver.c and driver.h. Replace hxdef with something of your choice.
Example in driver.c:

PDEVICE_OBJECT HxDefDriverDeviceObject = NULL;
ULONG out_size;
replace it with
PDEVICE_OBJECT MYDriverDeviceObject = NULL;
ULONG out_size;

and

NTSTATUS HxDefDriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
with
NTSTATUS MYDriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)

and so on.
Save it and open driver.h

#define NT_DEVICE_NAME L"\\Device\\HxDefDriver"
with
#define NT_DEVICE_NAME L"\\Device\\MYDriver"
...
Got the idea? If not, turn on your brain.

Now open the hxdef100 source file and edit everything like before. Replace hxdef, hackerdefender and RK (stands for rootkit) with something you like. Don't use the auto-replace function for RK, you will break the code.

Recheck if everything is right and use the bats to create the executable.
Now test the rootkit on your system first (well, I did it cause I know what I do).
If you know the service name of your rootkit, trying it on your own system is no problem.

After all hxdef etc. variables are gone, even KAV didn't find anything in my recompiled version (with some more changes too).
rush
Yeeah, did that all with the original tutorial.
I think it detects just my modified version
Gonna make a new one then! Tnx for the info!
-speak ya on irc
Killaloop
Well, I changed so much that I don't actually know why it's now undetected.
I looked for anything like hacker defender, def, defender, rootkit, rk, hxdef, hxd...
so for example also:
HxdefLogFileName='c:\hxdlogex.txt'
the logfile name has to be replaced

HackerIdentificator='kernel32.dll'+#00;
replace

After that it should work fine.
frgn
Thanks for the tutorial, works just great!

I only changed what was mentioned in this topic and neither KAV nor Norton nor McAfee Server Edition recognized the hxdef100.exe

and it even works
aapje
PAV still detects the hackerdefender ini.

To change that, look for the 9 things that are in the ini file in hxdef.dpr,

like hidden table, and change them to something else (don't forget to change them in the .ini too).
smallcat28
I want to know how to modify it to be hidden from klister?
klister can show this backdoor's hidden process.
toska
I've tried all but still get detected by KAV, but it is undetected by McAfee and Norton.
Killaloop
QUOTE (smallcat28 @ Apr 7 2004, 12:55 AM)
I want to know how to modify it to be hidden from klister?
klister can show this backdoor's hidden process.

Simply add klister's kernel module (kmodule.sys) into the hidden table and it won't work anymore.
rush
Mcafee Enterprise 7.1.0
Scan Engine 4.3.20
VirusDefinitions 4350
Created on 8 April

Using this scanner, hxdef compiles good, the driver doesn't. It gives a hxdef warning. Compiling with driver.res from the source is good, compiling with my own driver.res gives a virus warning again. Anyone any idea? I changed 'hxdef' in the drivers.h and drivers.c to 'dream'.
B1G
I can't find xp_ddk.iso.

I have the DDK for Windows XP Release Candidate 1, can I use it?
Killaloop
QUOTE (rush @ Apr 9 2004, 09:04 AM)
Mcafee Enterprise 7.1.0
Scan Engine 4.3.20
VirusDefinitions 4350
Created on 8 April

Using this scanner, hxdef compiles good, the driver doesn't. It gives a hxdef warning. Compiling with driver.res from the source is good, compiling with my own driver.res gives a virus warning again. Anyone any idea? I changed 'hxdef' in the drivers.h and drivers.c to 'dream'.

I got my complete recompiled hxdef.exe and driver working undetected by the latest McAfee.
Recheck your driver resources,
and I used the hxdef builder to compile it.
rush
Hmm ok, gonna try again.
I place the driver.h and driver.c in the hxdef-builder-3\driver\ dir?
Because I did that but no driver is generated.
Btw, you're never on IRC? Your nick is there but no response hehe
Killaloop
QUOTE (rush @ Apr 9 2004, 10:10 AM)
Hmm ok, gonna try again.
I place the driver.h and driver.c in the hxdef-builder-3\driver\ dir?
Because I did that but no driver is generated.
Btw, you're never on IRC? Your nick is there but no response hehe

I'm at work currently and not using IRC here.
Yes, the files have to be in the driver dir.
In the driver dir there is a bat file, if I remember right. This one will only create the driver. If you use one of the 2 bats in the builder's root, you won't see a created driver since it's compiled into the executable.

I will be on IRC in about 3 hours if you are interested
rush
That was it all the time, Delphi made it detectable...
With the hxdef builder it compiles good. McAfee doesn't detect it now!
And sure, we're gonna chat sometime on IRC, I know now that you're just working, not ignoring me hehe
Tnx for all the help Killaloop!
Axl
Hmm... I will say that this tutorial is obsolete for KAV, it'll still pick it up after the modifications specified in this tutorial.
PiP
Edit: Hmm, I was wrong, it wasn't updated with the latest virus defs.... it gets detected.
andre
I don't know if this is the place to ask it, but when you made the sys-file, what should you do next??
->Can you run the sys file without an exe (using net start or sth. like that)??
->How come the versions without source don't contain a sys-file?? Is it embedded in an exe file?
aapje
The driver.sys gets unpacked when you run hxdef.exe; you can see that when you edit your config so it doesn't hide any files.
andre
Ah, thanks a lot.
Zyne
hmm weird... I've never seen this tutorial before on this board...


Thanks a lot for the nice explanation... I'm gonna try this on my home network first, and then I might try it on some remote servers, just for fun...
It's nice to see how you can easily bypass an AV...


Z
AmoN
Very nice post
Thanks man, it's interesting
Gargoyle
Nice TUT, many thx. It works fine!

Another question *g*
Is the backdoor started automatically if hxdef100.exe is started, or
is it necessary to start the backdoor separately?

What do I have to do so that the backdoor is activated?
phaeton
backdoor is built into the hxdef, it starts right away.
Toxi
So after using bdcli100.exe host port pass. It checks backdoor and activates it but how do I use this backdoor... I don't really get it. Can somebody tell me a bit about this 'backdoor'?
braini
great tut gonna test that later.
many thnx
ArEs
yeah wonderful, thx, it looks great, haven't tested yet but really sounds good!!!!!


hmmm I can't find the XP DDK on filemirror... as it seems the DDK (driver development kit) is only available from MSDN now? and you have to register a .NET Passport for that... any other sources?
n0vun
Hmmmmmmm, this topic is kinda old, can anyone say if this "trick" works against [up to date] AVP, even?
aapje
Just this won't work anymore, you have to find out some things yourself and modify it, and don't use online checking to test it.
toska
Someone should really update this tut, since it is "obsolete" right now
ind0r
thx :-)
VannDeR
OK, hxdef is undetected by AVs, but when I connect to the backdoor on any valid port the prompt isn't shown, the screen looks black, what happens? Anyone solved this problem?
Killaloop
QUOTE (VannDeR @ May 10 2004, 10:15 PM)
OK, hxdef is undetected by AVs, but when I connect to the backdoor on any valid port the prompt isn't shown, the screen looks black, what happens? Anyone solved this problem?

You have changed the hxdef value to something else,
but within the listener code there is 'h' ... 'x' ... 'd' ... 'e' ... 'f'.
You need to change this as well so it fits with the rest.
Someone in this thread talked about it.
VannDeR
Yes, I changed @cDriverDeviceName in hxdef100.dpr, but in bdcli100.dpr that string isn't found. In which line of bdcli100.dpr is the string to change? I didn't find it.
Killaloop
QUOTE (VannDeR @ May 11 2004, 01:08 AM)
Yes, I changed @cDriverDeviceName in hxdef100.dpr, but in bdcli100.dpr that string isn't found. In which line of bdcli100.dpr is the string to change? I didn't find it.

Not within your driver.
It's in the hxdef100 code somewhere.
You changed hxdef to, let's say, rooted.
Now you would have to change this one string within the listener to "r" "o" "o" "t" "e" "d".

At least it worked for me, I changed a bunch of other stuff too.
tonikgin
When following the first post's instructions, you are just editing it to where a new definition update can find it. Posting it onto a public forum like this is just giving the antivirus software programmers exactly what to look for.

I don't know if anyone has already mentioned this, because I only read the first post, which was what the author had to say about the thread's topic.

But seriously, this thread is dumb, why it is such a hot topic is beyond comprehension to me... the more people that use it, the faster AV companies know about it.

Keep open-source open-source, but keep personal tricks to yourself.

Especially in this instance.
mr.anderson
Thanks a lot :-) I need to try that sometime.
It's a great kit and was getting detected lately.
Burton
Hi

thx for this n1ce tut, it works good ^^ I tested it on my own system. How can I stop hxdef100.exe? I didn't find any possibility.


Regards

burton
dont-staY
QUOTE (Burton @ May 13 2004, 07:05 PM)
How can I stop hxdef100.exe? I didn't find any possibility.

Regards

burton

hxdef100.exe -:uninstall or
net stop "hxd service 100"
tibbar
lol, please will the admin kill this thread... it's getting ridiculous.

Oh, and I'm sure KAV are finding this really useful...

I'm not going to tell you how to keep it undetected... oh maybe I will... hmm no
Baracuda
QUOTE (tibbar @ May 14 2004, 12:03 AM)
lol, please will the admin kill this thread... it's getting ridiculous.

I second this
tibbar
die thread die!
tweakz20
Thank you phaeton, nice tutorial, and it was nice of you to share this info.

The point of my post:
Why would you want it closed? No one's making you stay here to keep responding... it's making a large discussion.. isn't that the whole point? If this gets closed, it'll die and no one will ever bother with it again!
iWeasel410
I'd second what tweakz20 said, it's a forum, that's what forums are for. We just have a nice ongoing discussion about this, and hopefully it'll create some insight in development/modding of source code for other users. You don't have to post or read this thread if you don't want to.
touk
There's a const named ComSpec in the source which is badly detected by a lot of AV.

ComSpec='COMSPEC';

This is used to call the default command interpreter, which is stored in a system variable named COMSPEC. To add another variable with a different name in the system but with the same value (%SystemRoot%\system32\cmd.exe) and to report it in the source (don't forget the db for the push) will defeat enough AV.

And you should definitely forget about the trial Delphi version...
UnDeRTaKeR
Can you be more specific? I didn't understand it all...
147111
Interesting read, I think I'll wanna add a backdoor listening port and some other stuff of my own to change it more, but I was wondering how to change the .sys, very helpful.
o0oKARo0o
My AV still detects it, it's getting very annoying.
I use McAfee.