.: Hacker defender 0.3.3 :.
Released 19 years, 1 month ago. Sep 2002. By Holy_Father
- From: Czechoslovakia
- Coded by: Holy_Father
- Version: Hacker defender 0.3.3
- Released date: Sep 2002, 19 years, 1 month ago.
- Coded in: Delphi & Assembly
- Family: Hacker defender
- Category: Remote Access
Hacker defender v0.3.3
======================

Hacker defender is a rootkit for Windows NT 4.0, Windows 2000 and Windows XP. The main code was written in Delphi 6; the functions for the new thread are written in assembler.

The program uses an adapted LDE32:
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
special edition for REVERT tool
version 1.05

The program uses the Superfast/Supertiny Compression/Encryption library:
Superfast/Supertiny Compression/Encryption library. (c) 1998 by Jacky Qwerty/29A.

Usage
-----
>hxdef033.exe [inifile]

The default hxdef033.ini is used if run without specifying the inifile.

Idea
----
The main idea of this program was to use some API functions, e.g. WriteProcessMemory and CreateRemoteThread, to create a new thread in all running processes. The new thread rewrites some functions in system modules (mostly kernel32.dll) and injects fake code which checks API results and changes the result in specific cases. The program must be absolutely hidden from all others. Now the user is able to hide files, processes, system services and registry keys. The program installs hidden backdoors and registers itself as a hidden system service.

Licence
-------
Till version 1.0.0 it is freeware. It can be spread but not changed, and all copies must include all files (including the original readme files). The only exception is when the target person (and computer owner) would not know about the copy. This project will be open source in version 1.0.0.
Version
-------
TODO
- running root process on system level
- add wildcards in names of hidden files, processes and services
- make it possible to edit lists while running

0.3.3
+ stability really improved
x fixed all bugs for Windows XP
x found and fixed bug in hiding in registry
x found and fixed bug in backdoor with more clients

0.3.0
+ connectivity, stability and functionality of backdoor improved
+ backdoor shell always runs on system level
+ backdoor shell is hidden
+ registry keys hiding
x found and fixed bug in root processes
- bug in XP after reboot

0.2.6
x fixed bug in backdoor

0.2.5
+ fully interactive console
+ backdoor identification key is now only 256 bits long
+ improved backdoor installation
- bug in backdoor

0.2.1
+ always run as service

0.2.0
+ system service installation
+ hiding in database of installed services
+ hidden backdoor
+ no more working with windows

0.1.1
+ hidden in tasklist
+ usage - possibility to specify name of inifile
x found and then fixed bug in communication
x fixed bug in using advapi
- found bug with debuggers

0.1.0
+ infection of system services
+ smaller, tidier, faster code, more stable program
x fixed bug in communication

0.0.8
+ hiding files
+ infection of new processes
- can't infect system services
- bug in communication

Hooked API
----------
List of API functions which are changed:

Kernel32.FindFirstFileExW
Kernel32.FindNextFileW
Kernel32.CreateProcessW
Kernel32.CreateProcessInternalW
Ntdll.NtQuerySystemInformation (class 5)
WS2_32.recv
WS2_32.WSARecv
WSOCK32.recv
Kernel32.ReadFile
Advapi32.EnumServicesStatusW
Advapi32.EnumServicesStatusA
Advapi32.RegEnumKeyW
Advapi32.RegEnumKeyA
Advapi32.RegEnumKeyExW
Advapi32.RegEnumKeyExA

Inifile
-------
Again, there are more settings in this version. The inifile must contain four parts: [Hidden Table], [Root Processes], [Hidden Services] and [Hidden RegKeys].

Hidden Table is a list of files and directories which should be hidden. There is no chance to find those files and directories.
Programs in this list will be hidden in the tasklist.

Root Processes is a list of programs which will be immune against infection. You can see hidden files, directories and programs only from these root programs. So, root processes are for rootkit admins.

Hidden Services is a list of service names which will be hidden in the database of installed services. The service name for the main rootkit program is HackerDefender033.

Hidden RegKeys is a list of registry keys which will be hidden. The rootkit has two keys in the registry: HackerDefender033 and LEGACY_HACKERDEFENDER033.

Backdoor
--------
The rootkit hooks some API functions connected with receiving packets from the net. If the incoming data equals the 256 bits long key, a copy of a shell named "~ --/EMAIL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--" is created in a temp directory, an instance of it is started, and the next incoming data are redirected to this shell. Because the rootkit hooks all processes in the system, all TCP ports on all servers will be backdoors. This backdoor will work only on servers where the incoming buffer is larger than or equal to 256 bits, but this is the case on almost all standard servers like Apache, IIS and Oracle.

So, the backdoor is created and it is hidden, because its packets go through common servers on the system. You are therefore not able to find it with a classic portscanner, and this backdoor can easily go through a firewall. The exception to this are classic proxies which are protocol oriented, e.g. for FTP or HTTP. During tests on IIS services it was found that the HTTP server does not log any of these connections; the FTP and SMTP servers log only the disconnection at the end.

You have to use a special client if you want to connect to the backdoor. The program bdcli033.exe is used for this.

usage: bdcli033.exe host port

The client for version 0.3.3 is not compatible with servers of versions older than 0.3.0.

Tests
-----
The following table shows the success rate of the rootkit during tests.
Main
MS Windows XP [Verze 5.1.2600]   - 100%
MS Windows 2000 5.00.2195 SP2    - 100%
MS Windows NT 4.0 SP6            - 100%

Backdoor Infection
MS Windows XP [Verze 5.1.2600]
  IIS 5.1 WWW  - 100%
  IIS 5.1 FTP  - 100%
  IIS 5.1 SMTP - 100%
MS Windows 2000 5.00.2195 SP2
  IIS 5.0 WWW  - 100%
  IIS 5.0 FTP  - 100%
  IIS 5.0 SMTP - 100%
MS Windows NT 4.0 SP6
  IIS 3.0 WWW  - 100%

Connectivity
MS Windows XP [Verze 5.1.2600]
  IIS 5.1 WWW  - 100%
  IIS 5.1 FTP  - 100%
  IIS 5.1 SMTP - 100%
MS Windows 2000 5.00.2195 SP2
  IIS 5.0 WWW  - 100%
  IIS 5.0 FTP  - 100%
  IIS 5.0 SMTP - 100%
MS Windows NT 4.0 SP6
  IIS 3.0 WWW  - 100%

Known Bugs
----------
One bug is known at the moment.

1) Processes which are being debugged at the moment can't be infected, because their debugger has exclusive rights over them. The infection will be lost if the process is being debugged during infection, so it will not be changed and will see everything. I think this is not a serious bug, because there is only a small chance to apply this. I need help with solving this problem. It is not serious, but I have no idea how to fix it.

Files
-----
The original archive contains these files:

hxdef033.exe   46 592 b - program Hacker defender v0.3.3
hxdef033.ini      997 b - inifile
bdcli033.exe   29 696 b - backdoor client
readmecz.txt    7 548 b - czech version of help file
readmeen.txt    7 285 b - this help file

Holy_Father
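The Inifile section above documents the four parts of the configuration ([Hidden Table], [Root Processes], [Hidden Services], [Hidden RegKeys]) and the fixed service and registry names the rootkit uses for itself, which is enough to build a triage parser. The following Python is an added example written for this page; it is not part of the original readme or of the Hacker defender project. It parses a recovered inifile into a watchlist that a responder can compare against names enumerated from an offline disk image, service database or registry hive, where the rootkit's user-mode hooks are not in effect. The sample inifile is constructed for the example (it is not the shipped hxdef033.ini), the handling of ';' and '#' comment lines is an assumption because the readme documents only the section headers, and the function and class names are mine.

```python
"""Triage helper for an hxdef-style inifile (added example, not project code).

Assumptions: one entry per line, blank lines are ignored, and lines that
start with ';' or '#' are treated as comments (the readme documents only
the four section headers, so the comment syntax is assumed here).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Section names documented in the readme for version 0.3.3.
SECTIONS = ("Hidden Table", "Root Processes", "Hidden Services", "Hidden RegKeys")

# Fixed names the readme states the rootkit uses for itself.
DEFAULT_SERVICE = "HackerDefender033"
DEFAULT_REGKEYS = ("HackerDefender033", "LEGACY_HACKERDEFENDER033")

_FIELD_FOR_SECTION = {
    "hidden table": "hidden_table",
    "root processes": "root_processes",
    "hidden services": "hidden_services",
    "hidden regkeys": "hidden_regkeys",
}


@dataclass
class HxdefConfig:
    hidden_table: list[str] = field(default_factory=list)
    root_processes: list[str] = field(default_factory=list)
    hidden_services: list[str] = field(default_factory=list)
    hidden_regkeys: list[str] = field(default_factory=list)
    seen_sections: list[str] = field(default_factory=list)
    unknown_sections: list[str] = field(default_factory=list)


def parse_hxdef_ini(text: str) -> HxdefConfig:
    """Parse inifile text. Section headers are matched case-insensitively;
    entries keep their original spelling. Entries before any header are ignored."""
    cfg = HxdefConfig()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            current = _FIELD_FOR_SECTION.get(name.lower())
            if current is None:
                cfg.unknown_sections.append(name)
            else:
                cfg.seen_sections.append(name)
            continue
        if current is not None:
            getattr(cfg, current).append(line)
    return cfg


def missing_sections(cfg: HxdefConfig) -> list[str]:
    """The readme says all four parts must be present; report any that are not."""
    seen = {s.lower() for s in cfg.seen_sections}
    return [s for s in SECTIONS if s.lower() not in seen]


def build_watchlist(cfg: HxdefConfig) -> dict[str, set[str]]:
    """Lower-cased names to look for, per category. Hidden Table entries are
    also hidden in the tasklist, so they double as process names. The fixed
    service and registry names from the readme are always included."""
    files = {e.lower() for e in cfg.hidden_table}
    services = {e.lower() for e in cfg.hidden_services} | {DEFAULT_SERVICE.lower()}
    regkeys = {e.lower() for e in cfg.hidden_regkeys} | {k.lower() for k in DEFAULT_REGKEYS}
    return {"files": files, "processes": set(files), "services": services, "regkeys": regkeys}


def find_matches(watchlist: dict[str, set[str]], observed: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Compare names enumerated from an unhooked source (offline image, clean
    boot) against the watchlist; returns (category, observed name) pairs."""
    hits = []
    for category in ("files", "processes", "services", "regkeys"):
        for name in observed.get(category, []):
            if name.lower() in watchlist[category]:
                hits.append((category, name))
    return hits


# Constructed sample inifile (not the shipped hxdef033.ini); the file names
# are the ones the readme's Files section lists for the archive.
SAMPLE_INI = """\
; hidden files and directories
[Hidden Table]
hxdef033.exe
hxdef033.ini
bdcli033.exe
[Root Processes]
hxdef033.exe
[Hidden Services]
HackerDefender033
[Hidden RegKeys]
HackerDefender033
LEGACY_HACKERDEFENDER033
"""

if __name__ == "__main__":
    cfg = parse_hxdef_ini(SAMPLE_INI)
    print("missing sections:", missing_sections(cfg))
    wl = build_watchlist(cfg)
    # Constructed listing, as if taken from an offline image of the system.
    observed = {"files": ["boot.ini", "hxdef033.ini"], "services": ["Spooler", "hackerdefender033"]}
    for category, name in find_matches(wl, observed):
        print(f"watchlist hit: {category}: {name}")
```

Matching is case-insensitive because Windows file, service and registry key names are. The observed lists must come from a source that bypasses the functions in the Hooked API section, such as an offline image or a listing taken from a clean boot environment; a listing taken on the live system through the hooked FindNextFileW, EnumServicesStatusW or RegEnumKeyExW never contains the hidden entries, so there would be nothing to match.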
URLs and e-mail addresses were automatically redacted (filtered) for the reader's safety. However, the filter is not perfect and cannot find all harmful elements. If you find something dangerous, including a file link, website, e-mail address or profanity, contact me immediately at email@example.com; thank you in advance.