lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon Jul 11 16:19:26 2005
From: cosmin at cti.depaul.edu (Stejerean, Cosmin)
Subject: how to hide files,	services and process

There are a lot of papers and examples on how to hide processes, registry keys, etc in Windows NT based systems. The problem comes when you are trying to hide these things from programs such as icesword which are specifically designed to detect hidden things by using low level calls instead of using the windows API. If anyone knows any good papers or examples on how to keep things hidden from these ?rootkit? detectors (which is what hxdef golden claims to do) I would be interested as well. I am doing some research comparing rootkits, rootkit detectors and anti-rootkit detections techniques.

 

 

> Hi,

 

> for the tips... sorry but i don't know which suggestions to give you,

> but i advise you to study AFX rootkit, when I wrote my first rootkit

> this code helped me a lot because it can hide

 

> """

> a) Processes

> b) Handles

> c) Modules

> d) Files & Folders

> e) Registry Keys & Values

> f) Services

> g) TCP/UDP Sockets

> h) Systray Icons

> """

 

> There is an article that is well writen (about win32 rootkit):  it's

> "Analysis of a win32 userland rootkit  " by Kdm, it's really  a good

> paper.

 

> Nzeka Gilbert aka khaalel

 

 

> PS: If you want, i own the code of hxdef but this rootkit is known by

> everybody so for invisibility, hwdef is not the right tool !!! but the

> code is great for learning how to code a win32 rootkit.


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.323 / Virus Database: 267.8.12/46 - Release Date: 7/11/2005
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050711/262ba654/attachment.html

Powered by blists - more mailing lists