
Hacker Defender
This is the Hacker Defender rootkit for Windows. It is more of a 'blackhat' tool than a training example, and is the most popular and widespread rootkit today.
description | homepage
message board

This is the Russian rootkit, HE4HOOK. This code is very complete.
description | download
message board

This is the set of basic Windows rootkits used for training purposes in the class 'Offensive Aspects of Rootkit Technology'. Good for starters.
message board

Vanquish is a DLL injection based Romanian rootkit that hides files, folders, registry entries and logs passwords.
description | changelog | download
message board

NT Rootkit
The original and first public NT ROOTKIT - has not been updated for many years but is good for ideas.
description | download
message board

The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!) All this without any hooking.
description | changelog | download
message board

Winlogonhijack injects a dll into winlogon.exe and hooks msgina.WlxLoggedOutSAS, logging every login in plaintext.
description | changelog | download
message board

klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures, in order to get reliable information about the system state (like list of all processes, including those "hidden" by rootkits, even by 'fu').
description | download
message board

Patchfinder implements the Execution Path Analysis technique for Windows 2000 systems. EPA is intended to detect various kernel and DLL rootkits in the system.
description | changelog | download
message board

An Ethernet bridge / VPN program for Windows.
description | download
message board

A driver that will identify writable memory chips / FlashRAM / EEPROM on the motherboard.
message board

A driver that stores data in 'bad blocks' or unallocated clusters on an IDE drive/NTFS partition.
message board

A driver that can store executable code in a FLASH or EEPROM and submit this code to be executed from the video processor in order to patch kernel memory.
message board

VICE - Catch hookers! VICE is a tool to find hookers!
description | download
message board

Klog demonstrates how to use a kernel filter driver to implement a simple key logger.
description | download
message board

A portable Win32 userland rootkit.
NtIllusion is a userland rootkit for Windows 2000/XP systems. It uses DLL injection and API entry point rewriting to perform its stealth. This is more a proof of concept than a true hax0r tool.
description | homepage | changelog
message board

AFX Rootkit 2005
This OPEN SOURCE Delphi rootkit uses code injection and hooks Windows native API to hide processes, modules, handles, files, ports, registry keys, etc.
description | homepage | download
message board

A Cross architecture Solaris rootkit the development of which is aimed to both increase understanding of the Solaris OS and to show that it's not just the external threats that a Solaris Admin should worry about.
description | homepage
message board

Shadow Walker
Shadow Walker as seen at Black Hat and Phrack 63.
message board

BootRootkit (eEye)
eEye BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-b
description | homepage | download
message board

CHAZ - Nima Bagheri
"Chaz" is a tool that allows network administrators and management to quickly and easily perform a network security audit. Chaz by "Nima Bagheri"
description | homepage | changelog | download
message board

Clandestine File System Driver
Cfsd is a driver project for misrepresenting and protecting various aspects of the underlying file systems.
description | homepage | changelog | download
message board

FUTo is the successor of FU.
description | download
message board

Windows Memory Forensic Toolkit
Windows Memory Forensic Toolkit (WMFT) is a collection of utilities intended for forensic use. WMFT can be used to perform forensic analysis of physical memory images acquired from Windows 2003/XP machines.
description | homepage | download
message board

RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool.
description | download
message board


Bypassing your testbox's login password
Aug 10 2006, 10:21 (UTC+0)
bugcheck writes: After living out of a duffle bag for 2 months now I've finally got all my stuff back and have settled into a new apartment and finally have dev PCs again, W00h00! So this isn't the first time I have had to do this to recover an install with a forgotten password, but I figured I'd share it in case you are able to take advantage of it (thx to a friend for pointing out what function did the trick). As stupid as I am, I always pick those unique but easy to remember passwords that of course I'll never forget, use it once and shelve the image for months at a time and then, of course, forget it. In my case today it's my dev box!!! Luckily I had been using it as a test machine when I first got it, so I happened to already have a boot.ini entry to kernel debug on 1394 and of course had my laptop handy. I know there are better ways to recover a forgotten password but of course it's not as cool as this! =P It doesn't reset it but at least you can log in again...

Happy debugging,

kd> !process 0 0 winlogon.exe
PROCESS 817bb978 SessionId: 0 Cid: 0260 Peb: 7ffdc000 ParentCid: 0168
DirBase: 05e40060 ObjectTable: e148a858 HandleCount: 455.
Image: winlogon.exe

kd> .process /p /r 817bb978
Implicit process is now 817bb978
.cache forcedecodeuser done
Loading User Symbols
kd> u msv1_0!MsvpPasswordValidate l3
77c79927 ?? ???
^ Memory access error in 'u msv1_0!MsvpPasswordValidate l3'

kd> .pagein msv1_0!MsvpPasswordValidate
You need to continue execution (press 'g' ) for the pagein to be brought in. When the debugger breaks in again, the page will be present.

kd> g
Break instruction exception - code 80000003 (first chance)
80526da8 cc int 3

kd> u msv1_0!MsvpPasswordValidate l3
77c79927 8bff mov edi,edi
77c79929 55 push ebp
77c7992a 8bec mov ebp,esp

kd> eq msv1_0!MsvpPasswordValidate cccc000cc201b0

kd> u msv1_0!MsvpPasswordValidate l3
77c79927 b001 mov al,0x1
77c79929 c20c00 ret 0xc
77c7992c cc int 3


kd> g
