projects:

Hacker Defender
This is the Hacker Defender rootkit for Windows. This is more of a 'blackhat' tool than a training example. It is the most popular and widespread rootkit today.

HE4Hook
This is the Russian rootkit, HE4HOOK. This code is very complete.

BASIC CLASS
This is the set of basic windows rootkits used for training purposes in the class 'Offensive Aspects of Rootkit Technology'. Good for starters.

Vanquish
Vanquish is a DLL injection based Romanian rootkit that hides files, folders, registry entries and logs passwords.

NT Rootkit
The original and first public NT ROOTKIT. It has not been updated for many years, but it is good for ideas.

FU
The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!). All this without any hooking.

WinlogonHijack
WinlogonHijack injects a DLL into winlogon.exe and hooks msgina.WlxLoggedOutSAS, logging every login in plaintext.

klister
klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures in order to get reliable information about the system state (like the list of all processes, including those "hidden" by rootkits, even by 'fu').

Patchfinder2
Patchfinder implements the Execution Path Analysis (EPA) technique for Windows 2000 systems. EPA is intended to detect various kernel and DLL rootkits in the system.

MyNetwork
An Ethernet bridge / VPN program for Windows.

MTDWin
A driver that will identify writable memory chips / FlashRAM / EEPROM on the motherboard.

NTFSHider
A driver that stores data in 'bad blocks' or unallocated clusters on an IDE drive/NTFS partition.

VideoCardKit
A driver that can store executable code in a FLASH or EEPROM and submit this code to be executed from the video processor in order to patch kernel memory.

VICE
VICE - Catch hookers! VICE is a tool to find hookers!

Klog
Klog demonstrates how to use a kernel filter driver to implement a simple key logger.

NtIllusion
A portable Win32 userland rootkit.
NtIllusion is a userland rootkit for Windows 2000/XP systems. It uses DLL injection and API entry point rewriting to perform its stealth. This is more a proof of concept than a true hax0r tool.

AFX Rootkit 2005
This OPEN SOURCE Delphi rootkit uses code injection and hooks Windows native API to hide processes, modules, handles, files, ports, registry keys, etc.

SInAR
A cross-architecture Solaris rootkit, developed both to increase understanding of the Solaris OS and to show that it's not just external threats that a Solaris admin should worry about.

Shadow Walker
Shadow Walker as seen at Black Hat and Phrack 63.

BootRootkit (eEye)
eEye BootRoot is a project presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads. The eEye BootRootKit is a boot sector-b

CHAZ - Nima Bagheri
"Chaz" is a tool that allows network administrators and management to quickly and easily perform a network security audit. Chaz by "Nima Bagheri".

Clandestine File System Driver
Cfsd is a driver project for misrepresenting and protecting various aspects of the underlying file systems.

FUTo
FUTo is the successor of FU.

Windows Memory Forensic Toolkit
Windows Memory Forensic Toolkit (WMFT) is a collection of utilities intended for forensic use. WMFT can be used to perform forensic analysis of physical memory images acquired from Windows 2003/XP machines.

4.5 million copies of EULA-compliant spyware
Oct 05 2005, 23:07 (UTC+0)
hoglund writes:
I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - it's written like shellcode in that it's position independent. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLLs using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain a lot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.

Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range where most executable programs on Windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my Excel or PGP programs, for whatever reason.

-Greg
