Looking for userland rootkits Win7 !!x64!!

Posted: Sat Dec 01, 2012 3:20 pm
by Microwave89
Hi there, all!

I'm a 23-year-old student and I recently got interested in rootkits again, when the incredibly famous TDL series began to appear.
After trying to get a sample of them I was led to sysinternals.com and shortly after to kernelmode.in.
However, those are real-world RKs and they are of course quite dangerous for a newbie like me, as they can easily do and mess up everything their makers even think about, so I decided not to just download a TDL4+ sample, but to make an attempt to get a userland rootkit first.
So I'm looking for some (tame) userland rootkits which are basically capable of running on an x64 machine, as I own one.
That means they MUST be able to inject their DLL into a legit x64 process (I will provide admin rights, that is not a big deal) OR run as an x64 process.
It's btw not important that they don't have any payload; however, I'm going to make an attempt to take that out by code redirects or so.
And if you HAD a kernel rootkit which runs on x64 too and is REALLY REALLY HARMLESS, you would be invited to let me know as well.

But why all that? I will try to take you back to the WinXP x86 times.
Some of you might surely remember the early days (2005..2007), when a demo rootkit called "vanquish" appeared.
It was based on the DLL injection technique and it really was extremely powerful even though it only ran in user mode! And it was so tame, because the only intention it had was to hide itself and all of its traces throughout the whole system.
I can remember so clearly: I started the vanquish loader, it unpacked its DLL and injected it into all processes it had access to, and like magic the loader exe disappeared.
Then a hacker book told me to rename some normal files to something like uvwgug94vanquish7tgn7, and when I tried that, they also pretended not to be on the system anymore. You could mess around with tools like Process Explorer and taskmgr but none of them seemed to be able to show either the rootkit process (as it was only vanquish.dll) or any hidden files or even registry entries (regedit). It was something outstandingly spectacular in my opinion.
Then I launched IceSword, it forced its .sys into the kernel and revealed that vanquish.dll in fact existed on my hard disk and also that it had been injected into lots of legit processes.

Nowadays, both OS and platforms have changed and until now I wasn't able to see vanquish.dll working again, since it obviously doesn't affect explorer.exe if vanquish.dll is injected into an explorer.exe *32 which has been started only for that reason -__-. Thus, no hidden files.. :( :(
If you have read this far, you might have understood why vanquish was so awesome in my view.
And possibly...for some reason someone might even have the source code of vanquish.dll, then I will try to understand what makes it that powerful...


You know, I'm quite new to this community and I hope that my request isn't too much against the forum rules, although maybe I should have asked in the malware request forum.
And of course, you might not be interested in lame ring3 RK stuff.... ;)

But give me a chance, I want to experience the amazing vanquish feeling again.


Best regards

Microwave89

Re: Looking for userland rootkits Win7 !!x64!!

Posted: Sun Dec 02, 2012 4:28 am
by EP_X0FF
> userland rootkits Win7 !!x64!!
1. ITW they don't exist or are not widely known. Why? Because they are nonsense.
> Someone of sure might remember back in early times (2005..2007), when a demo rootkit called "vanquish" appeared.
2. Vanquish? It was a piece-of-crap DLL injection lolkit with a set of useless, lame Win32 API hooks. It was lame even for 2005.

All its "wonderful" file hiding features were based on lame E9 splicing hooks in kernel32.dll: FindFirstFileExW, FindNextFileW. And others:
Code:
[400]winlogon.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->01AE34CC [vanquish.dll]
[400]winlogon.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->014131C3 [vanquish.dll]
[400]winlogon.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->014130C0 [vanquish.dll]
[400]winlogon.exe-->kernel32.dll-->FreeLibrary, Type: Inline - RelativeJump 0x7C80AC6E-->01413DA8 [vanquish.dll]
[400]winlogon.exe-->kernel32.dll-->FindFirstFileExW, Type: Inline - RelativeJump 0x7C80EB0D-->01413E60 [vanquish.dll]
[400]winlogon.exe-->kernel32.dll-->FindNextFileW, Type: Inline - RelativeJump 0x7C80EFCA-->01413F3C [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegCloseKey, Type: Inline - RelativeJump 0x77DC6C17-->01414C22 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegEnumKeyExW, Type: Inline - RelativeJump 0x77DC7BC9-->01414D72 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegEnumValueW, Type: Inline - RelativeJump 0x77DC7EDD-->01414E54 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegEnumKeyW, Type: Inline - RelativeJump 0x77DCD5D4-->01414C90 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegEnumKeyExA, Type: Inline - RelativeJump 0x77DD5196-->01414DE3 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegEnumKeyA, Type: Inline - RelativeJump 0x77DD5398-->01414D01 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->CreateProcessAsUserW, Type: Inline - RelativeJump 0x77DDA889-->014133C9 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->EnumServicesStatusA, Type: Inline - RelativeJump 0x77DE6B17-->014150B0 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegEnumValueA, Type: Inline - RelativeJump 0x77DE9B8F-->01414EC5 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->CreateProcessAsUserA, Type: Inline - RelativeJump 0x77E00C80-->014132C6 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegQueryMultipleValuesA, Type: Inline - RelativeJump 0x77E25667-->01414FEF [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->RegQueryMultipleValuesW, Type: Inline - RelativeJump 0x77E259C9-->01414F36 [vanquish.dll]
[400]winlogon.exe-->advapi32.dll-->EnumServicesStatusW, Type: Inline - RelativeJump 0x77E27D09-->014155D7 [vanquish.dll]
and the initial vanquish.dll mapping from a special service it installs.
> Then I launched IceSword, it forced its .sys into the kernel and revealed that vanquish.dll in fact existed at my hard disk and also that it has been injected into lots of legit processes.
3. Lol. Using a Chinese BSOD generator with lame ARK features against a primitive user-mode kernel32.dll hooker. Cool story, bro.

4. With the API list posted above and this you can create the same lolkit compatible with x64. No, we do not give tips on how to create such malware or any other malware.

Thread closed.
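The "Inline - RelativeJump" lines in the listing above are what an anti-rootkit scanner prints when the first byte of an exported API is E9 (jmp rel32) and the jump leaves the module that owns the function. The following is an added example, not code from the thread or from any of the tools mentioned in it, showing the check behind such a line: read the first five bytes of the export, decode the signed rel32 (relative to the address of the next instruction, hook address + 5), and attribute the target to a loaded module. The FindFirstFileExW addresses are taken from the post's listing; the module ranges, the pid/process, the other export addresses and all prologue bytes are constructed for the demo.

```python
"""Added example: recognising E9 (jmp rel32) splice hooks on API entry points
and attributing the jump target to a module, in the format of the ARK listing.

All process, module and address data below is constructed sample data; only the
FindFirstFileExW source/target pair is copied from the post's listing."""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def module_for(addr: int, modules: List[Module]) -> Optional[Module]:
    """Map an address to the loaded module whose range covers it (or None)."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def decode_jmp_rel32(addr: int, code: bytes, bits: int = 32) -> Optional[int]:
    """If the bytes at `addr` start with E9 rel32, return the absolute target.
    rel32 is a signed displacement from the end of the 5-byte instruction."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel) & ((1 << bits) - 1)


def check_export(pid: int, process: str, module: str, func: str,
                 addr: int, code: bytes, modules: List[Module]) -> Optional[str]:
    """Return one ARK-style report line if the export is redirected, else None."""
    target = decode_jmp_rel32(addr, code)
    if target is None:
        return None                 # entry point does not start with a jmp rel32
    owner = module_for(addr, modules)
    if owner is not None and owner.contains(target):
        return None                 # jump stays inside its own module: treat as a thunk
    dest = module_for(target, modules)
    label = dest.name if dest else "unknown"
    return (f"[{pid}]{process}-->{module}-->{func}, Type: Inline - RelativeJump "
            f"0x{addr:08X}-->{target:08X} [{label}]")


# --- constructed snapshot of one process's modules and export prologues -----
MODULES = [
    Module("kernel32.dll", 0x7C800000, 0x000F6000),   # assumed XP-era range
    Module("vanquish.dll", 0x01410000, 0x00010000),   # assumed injected-DLL range
]

# (module, export, address, first 5 bytes read from the process)
SAMPLE_EXPORTS = [
    # E9 4E 53 C0 84: rel32 = -0x7B3FACB2, so target = 0x7C80EB12 - 0x7B3FACB2 = 0x01413E60
    ("kernel32.dll", "FindFirstFileExW", 0x7C80EB0D, bytes.fromhex("E94E53C084")),
    # untouched hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp (assumed address)
    ("kernel32.dll", "GetTickCount", 0x7C80932E, bytes.fromhex("8BFF558BEC")),
    # E9 that lands 16 bytes further inside kernel32 itself: not reported
    ("kernel32.dll", "(constructed thunk)", 0x7C801000, bytes.fromhex("E90B000000")),
]


def scan(pid: int = 400, process: str = "winlogon.exe") -> List[str]:
    """Run the check over the sample snapshot and return the report lines."""
    reports = []
    for module, func, addr, code in SAMPLE_EXPORTS:
        line = check_export(pid, process, module, func, addr, code, MODULES)
        if line:
            reports.append(line)
    return reports


if __name__ == "__main__":
    for line in scan():
        print(line)
```

The intra-module filter is deliberately lenient: a hook that jumps to a trampoline in a code cave of the same DLL would slip past it, which is why a stricter scanner compares the in-memory prologue with the bytes of the on-disk image instead of only pattern-matching E9.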