4.5 million copies of EULA-compliant spyware
Oct 05 2005, 23:07 (UTC+0) | hoglund writes:
I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - it's written like shellcode in that it's position independent. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):
The warden dumps all the DLLs using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.
The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.
I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.
Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain a lot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.
Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range where most executable programs on Windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.
This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.
-Greg
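As an added example (not Blizzard's code and not part of the original post), the window-title check described above simulated on constructed titles: each title is hashed and compared against a ban list of digests, and the same titles are classified for the kinds of personal data the post mentions, which makes the privacy point concrete: the client must hold every title in plaintext before any hash is computed, and a match is decided by the name alone. The sample titles, the ban list and the choice of SHA-1 are assumptions.

```python
import hashlib
import re

# Constructed window titles resembling a desktop during a game session (not real captures).
SAMPLE_TITLES = [
    "World of Warcraft",
    "WoW!Inmate",                                # a do-nothing window with a banned name
    "Inbox - alice@example.com - Mozilla Thunderbird",
    "finances-2005.xls - Microsoft Excel",
    "PGP Keys - Key Manager",
    "https://rootkit.com/ - Mozilla Firefox",
    "Invoice 4111 1111 1111 1111 - Notepad",     # Luhn-valid test card number
]

# Constructed ban list; only the digests would ship to the client, the names stay with the vendor.
BANNED_TITLES = ["WoW!Inmate", "wowglider"]

def title_hash(title):
    """Hash a title the way a client-side ban list must: over the exact plaintext string."""
    return hashlib.sha1(title.encode("utf-8")).hexdigest()

BAN_HASHES = {title_hash(t) for t in BANNED_TITLES}

def luhn_ok(digits):
    """Luhn checksum, used to tell a real-looking card number from any run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
URL_RE = re.compile(r"https?://\S+")
FILE_RE = re.compile(r"\b[\w-]+\.(xls|doc|qbw|pdf|txt)\b", re.I)
CARD_RE = re.compile(r"(?:\d[ -]?){13,19}")

def classify_exposure(title):
    """Label personal data visible in one title; an empty list means nothing recognised."""
    kinds = []
    if EMAIL_RE.search(title): kinds.append("email")
    if URL_RE.search(title): kinds.append("url")
    if FILE_RE.search(title): kinds.append("document")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(title)):
        kinds.append("card-number")
    return kinds

def scan_titles(titles, ban_hashes=BAN_HASHES):
    """Return (flagged, exposed): ban-list hits, and titles carrying personal data.
    Every title is hashed, so all of them were read in plaintext first."""
    flagged = [t for t in titles if title_hash(t) in ban_hashes]
    exposed = {t: classify_exposure(t) for t in titles if classify_exposure(t)}
    return flagged, exposed
```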