Thanks everyone for your reply
I'm still developing the framework, and I'm sharing the idea to see what you think about the main idea ... and how we could develop it to make everyone happy.
First I want to say, it's not related to rootkits for malware ... I mean the kernel-mode applications that give you total control of the OS ... could be for firewalls or antiviruses or parental control ... or could be for penetration testing like IP spoofing or KernelBot or a sniffer or anything like that. Like OllyBone ... it's in my opinion a rootkit ... it uses kernel mode to do things that it can't do in user mode.
The second is, I saw many kernel-mode developers waste their time writing standard code like Filesystem Filters or NDIS or TDI or anything ... and face dozens of bluescreens and all of these things, and don't have time for the main goal of their rootkit. Or they take the FsFilter code that was created by Microsoft or the NDIS Passthru from the WDK, modify it and begin using it. This raises another problem ... what if they decide to use the two together (FsFilter and Passthru), or they need to monitor keystrokes with a Filesystem Filter ... how will they modify Microsoft's FsFilter? So they face a huge problem.
So, a development framework could solve the problem. It will automate all this shit standard code for you, so no waste of time. If you need to use a new technique or use a standard technique for something ... you can focus on your needs ... spend all your time on the main goal of your rootkit and not waste time any more.
Also, the framework will solve the problem of using a Filesystem Filter with a keystroke monitor ... both receive IRPs in the major functions, but you have a dispatcher for these IRPs. The dispatcher detects which thing this IRP is related to ... if this IRP is related to the FsFilter, it will call the appropriate function for handling the IRP, and so on. So it's very easy to use a Key Monitor with a Sniffer with a Filesystem Filter with more than one control device driver without any interference :)
The third thing: after rootkit.com went down ... I decided to build a new community for rootkits ... help the beginners with articles and an easy-to-use framework, and also help the pentesters with customizable rootkits, like Metasploit for exploits.
I need to create an application that contains all the open source rootkits inside and recollect them again (after rootkit.com it became hard to find the open source rootkits on the internet), and create a community for rootkit developers to learn from each other and raise their creativity. I really hope to see new techniques like the art of bootkits or anything ... and I really hope to collect all of these creative developers and all of these open source rootkits in one community and one application. Don't waste your time again on standard code; everything becomes easy ... just create and develop.
Does it support x64? Not yet ... you can make it support it ... the application is not for me ... it's for all developers ... if anyone needs to help his friends in the rootkit field .. just join and add to it.
Is it a demo? Still under development ... still in the middle ... I need your advice to develop it as you need :)
That's example code for a rootkit implemented in it (just an example):
//just shit namespaces :(
using namespace RDF;
using namespace RDF::FileManager;
using namespace RDF::RegistryManager;

SSDTDevice* Amr;             // a Device class used for SSDT hooking
FileFilterDevice* Amr2;      // a Device class used for filesystem filters
PDRIVER_OBJECT DriverObject; // your driver

typedef NTSTATUS ZwSetValueKeyPtr(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex OPTIONAL,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize
);
ZwSetValueKeyPtr* oldZwSetValueKey;

// a declaration for the Create major function of the filesystem filter
int _cdecl MJCreate(FileFilterDevice* FFDevice, __in PDEVICE_OBJECT DeviceObject, __in PIRP Irp);
//------------------------------------------------------------------
NTSTATUS newZwSetValueKey(IN HANDLE KeyHandle, IN PUNICODE_STRING ValueName, IN ULONG TitleIndex OPTIONAL, IN ULONG Type, IN PVOID Data, IN ULONG DataSize)
{
    DbgPrint("Yes %wZ\n", ValueName);
    return (*oldZwSetValueKey)(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
}
//------------------------------------------------------------------
NTSTATUS Driver::DriverMain(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    DbgPrint("HideProc DriverEntry Called\n");
    DriverObject = pDriverObject;
    // Create the class in memory and add it to the driver's chain of devices.
    Amr2 = (FileFilterDevice*)CreateClass(sizeof(FileFilterDevice));
    Amr2->Initialize(this);
    AddDevice(Amr2);
    Amr = (SSDTDevice*)CreateClass(sizeof(SSDTDevice));
    Amr->Initialize(this);
    AddDevice(Amr);
    // Create the control devices ... optional (you could have more than one control device for your driver)
    Amr->CreateDevice(L"\\Device\\rootkit03", L"\\DosDevices\\rootkit03");
    Amr2->CreateDevice(L"\\Device\\rootkit02", L"\\DosDevices\\rootkit02");
    int old = Amr->GetRealAddress(L"ZwSetValueKey"); // get the address of this function from the SSDT
    DbgPrint("Real Address : 0x%x\n", old);
    SetValue(oldZwSetValueKey, old); // save the old address
    Amr->AttachTo(L"ZwSetValueKey", (DWORD)newZwSetValueKey); // change the address of this function in the SSDT (HOOKED)
    Amr->UserComm.Write(1, STATUS_SUCCESS, "I'm the Kernel Mode", sizeof("I'm the Kernel Mode")); // very easy to write to user mode :)
    Amr2->BeginHooking(true); // hook all the volumes in the filesystems and the newly attached devices
                              // (you have the ability to attach to one of them or two ... you have the ability to customize)
    // Set the Create major function for the filesystem filter to our function.
    SetValue(Amr2->FilteredMajorFunction[IRP_MJ_CREATE].PreModification, MJCreate);
    // This code uses the FileManager to read a file from the disk (like user-mode applications :) )
    // Don't worry about IRQL ... it creates a system thread to handle the read and write ... and your thread will wait until your read or write finishes.
    FileToRead* readfile = (FileToRead*)CreateClass(sizeof(FileToRead));
    NTSTATUS ntStatus = readfile->open(L"\\DosDevices\\c:\\KeyLog2dfdfdf.txt");
    if (ntStatus != STATUS_SUCCESS) DbgPrint("02.cpp : Failed To ReadFile\n");
    else DbgPrint("02.cpp : ReadFile Opened Successfully\n");
    char* data;
    DWORD size;
    readfile->read(data, size);
    DbgPrint("FileData at : %x ... and FileSize is : %x\n", data, size);
    DbgPrint("Text: %s\n", data);
    readfile->close();
    // And that's for writing a file :)
    FileToWrite* s = (FileToWrite*)CreateClass(sizeof(FileToWrite));
    s->open(L"\\DosDevices\\c:\\NewData.txt", false);
    s->write("I'm Happy ... From KernelMode\n", strlen("I'm Happy ... From KernelMode\n"));
    s->close();
    // Reading a registry entry ... very easy.
    char* buf = RegRead(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", L"ProgramFilesDir", size);
    //if (buf != 0) DbgPrint("Registry Read : %x\n", buf);
    s = (FileToWrite*)CreateClass(sizeof(FileToWrite));
    s->open(L"\\DosDevices\\c:\\Reg.txt", false);
    s->write(buf, size);
    s->close();
    // Write to the registry
    RegWrite(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", L"AmrThabet", (char*)L"AmrThabet", REG_SZ, strlen("AmrThabet") * 2);
    return STATUS_SUCCESS;
}
VOID Driver::DriverUnload()
{
    Amr->Detach();
}
int _cdecl MJCreate(FileFilterDevice* FFDevice, __in PDEVICE_OBJECT DeviceObject, __in PIRP Irp)
{
    PFILE_OBJECT pFileObject = IoGetCurrentIrpStackLocation(Irp)->FileObject;
    DbgPrint("File Created !!!\n");
    DbgPrint("%wZ\n", &pFileObject->FileName);
    return FILTER_SKIP;
}
I'm waiting for your replies :)
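The dispatcher idea from the post (one driver-wide routine that hands each IRP only to the device it targets, so a filesystem filter and a control device in the same driver do not interfere), as an added user-mode model in C that is not the RDF framework's code; Device, Irp, Dispatch, SetupChain and the sample paths are constructed stand-ins, and only the IRP_MJ_* codes are real Windows values.

```c
#include <stdio.h>
/* Constructed user-mode model of the post's IRP dispatcher (not RDF code).
   The IRP_MJ_* values are the real Windows codes; the rest are stand-ins. */
#define IRP_MJ_CREATE         0x00
#define IRP_MJ_DEVICE_CONTROL 0x0e
#define IRP_MJ_MAX            0x1c   /* IRP_MJ_MAXIMUM_FUNCTION + 1 */
#define FILTER_SKIP    0             /* handler only observed; IRP continues */
#define FILTER_HANDLED 1             /* handler completed the IRP itself */
#define MAX_DEVICES    8
typedef struct { int major; const char *target; } Irp;   /* stand-in for PIRP */
typedef struct Device Device;
typedef int (*MajorHandler)(Device *self, const Irp *irp);
struct Device {
    const char *tag;                /* "FsFilter", "ControlDev", ... */
    MajorHandler pre[IRP_MJ_MAX];   /* per-major-function pre-handler, NULL = pass-through */
    int seen;                       /* IRPs routed to this device */
};
static Device *chain[MAX_DEVICES];  /* the driver's device chain */
static int chain_len;
int AddDevice(Device *d) {          /* the post's AddDevice() */
    if (chain_len >= MAX_DEVICES) return -1;
    chain[chain_len++] = d;
    return 0;
}
/* The one driver-wide dispatch routine: route the IRP to the device it targets and
   call only that device's handler for its major function; other devices never see it. */
int Dispatch(Device *target, const Irp *irp) {
    for (int i = 0; i < chain_len; i++) {
        if (chain[i] != target) continue;
        target->seen++;
        if (irp->major < 0 || irp->major >= IRP_MJ_MAX) return FILTER_SKIP;
        MajorHandler h = target->pre[irp->major];
        return h ? h(target, irp) : FILTER_SKIP;   /* nothing registered: pass through */
    }
    return -1;   /* not one of our devices: leave the IRP alone */
}
static int FsCreate(Device *self, const Irp *irp)
{ printf("[%s] IRP_MJ_CREATE %s\n", self->tag, irp->target); return FILTER_SKIP; }
static int CtlIoctl(Device *self, const Irp *irp)
{ printf("[%s] IRP_MJ_DEVICE_CONTROL %s\n", self->tag, irp->target); return FILTER_HANDLED; }
Device fs_filter = { "FsFilter", {0}, 0 }, control_dev = { "ControlDev", {0}, 0 };
/* constructed sample IRPs: a file open on a volume and an IOCTL to the control device */
const Irp sample_create = { IRP_MJ_CREATE, "\\Device\\HarddiskVolume1\\sample.txt" };
const Irp sample_ioctl  = { IRP_MJ_DEVICE_CONTROL, "\\Device\\rootkit03" };
void SetupChain(void) {             /* what the post's DriverMain does: register two devices */
    chain_len = 0;
    fs_filter.seen = control_dev.seen = 0;
    fs_filter.pre[IRP_MJ_CREATE] = FsCreate;
    control_dev.pre[IRP_MJ_DEVICE_CONTROL] = CtlIoctl;
    AddDevice(&fs_filter);
    AddDevice(&control_dev);
}
```

Call SetupChain() once and then Dispatch(&fs_filter, &sample_create) and Dispatch(&control_dev, &sample_ioctl); each device's seen counter shows that only the targeted device was invoked.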