A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2578  by kareldjag/michk
 Wed Sep 01, 2010 11:46 am
Hi,

First a few demos:

-HideProc (CMDLine)
http://www.rohitab.com/discuss/index.ph ... opic=23880

With a Gui
http://www.iterati.org/Developers/HideProc/Default.aspx

-HideExec
http://code.kliu.org/misc/hideexec/

-Spodek

http://spodek.sourceforge.net/

http://sourceforge.net/projects/spodek/

A kind of brother of CodeProject full of interesting codes:

http://s.pudn.com/search_hot_en.asp?k=rootkit

http://s.pudn.com/search_hot_en.asp?k=HOOK

Some interesting code like Zion rootkit for instance:

http://blogs.technet.com/b/secure/archi ... nload.aspx

And to laugh at AV detection stats, it's better to use NoVirusThanks with the option "do not distribute the sample":
http://scanner2.novirusthanks.org/

To be continued of course :)

Rgds
 #2597  by Meriadoc
 Wed Sep 01, 2010 6:00 pm
Pudn requires you to register & upload 5 unique source codes/papers.
Last edited by Meriadoc on Thu Sep 02, 2010 6:29 am, edited 1 time in total.
 #2600  by CloneRanger
 Wed Sep 01, 2010 7:54 pm
@ kareldjag

You sure know some places etc ;)

s.pudn.com etc. - your IP XX.XXX.XXX.XXX is blocked, send email to ........... :o
 #2602  by xqrzd
 Wed Sep 01, 2010 10:19 pm
Thanks for these :)
HideProc and Spodek are just trivial SSDT hooks. Haven't tried Zion yet but it looks interesting. :)
Edit: s.pudn.com blocks my IP address as well :(
 #2603  by EP_X0FF
 Wed Sep 01, 2010 11:11 pm
Not sure, but Zion seems to be very old stuff.

edit: yes, 2008, SSDT hooks. Trash.
 #2710  by kareldjag/michk
 Thu Sep 09, 2010 12:57 am
Hi

I doubt that you can get a great collection of rootkits without effort (learn a few words of Chinese and Russian, register here and there, etc.).
Yes, Zion is not intended to be a super-stealth demo rootkit, but a fully functional attacker tool (like its grandfather HKDoor: http://www.yythac.com/softdown/hkdoor12public.rar ): from an insecurity perspective, I'm more interested in rootkits that have in-the-wild career opportunities than in rootkits that are limited to test lab environments.
An interesting demo is, for instance, Damouse (on the same site, APIMonitor is an interesting tool):

http://www.rohitab.com/discuss/index.ph ... 8440&st=20

Rgds