Hi Community,
After long time experimenting and messing around with a lot of problems and bugs I would like to present my second small rootkit.
The rootkit solely consists of a kernel driver loaded at system start time.
After it has been loaded it copies itself into executable nonpaged memory, removes its path from unloaded module list and throws an error leading to unloading it.
Before unloading again, two threads are started, one of them will later set a read IRP hook on kbdclass.sys and initialize the read dispatch routines.
It also tries to detect a shutdown, so it can install itself in both registry and filesystem again. This installation is performed using a different random name for service key and file.
The service name is written into the safeboot keys too, so the driver will be loaded in safe mode too.
The service file itself is hidden by NTFS driver by misusing the C:\$Extend\$RmMetadata\ path for storing the file.
This prevents the driver from too easily being detected when not loaded / analyzed when offline.
The second thread, a worker thread, simply opens a log file in order to save the intercepted keystrokes into. The log file is hidden by ntfs.sys too.
Whether logging should be on or off can simply be controlled by using a file named "LOGGING_ON" in your C:\ root.
Issues:
- With certain keyboards you will have problems using IRP hooks, say the keyboard won't be working correctly anymore.
- I had to made a lots of compromises between not being detectable and not being removable as I'm not using sophisticated techniques such as direct registry file editing and so on.
- Some unnecessary debug output...
Hence, I cannot guarantee for the rootkit to be fully undetectable, but at least I tried so.
Best regards
Microwave89
P.S. Some code taken from KLOG rootkit by Clandestiny
P.P.S. I know that hooking is lolkit technique, but for this job I've found it more suitable than creating a fake driver and device object and building a real filter driver
After long time experimenting and messing around with a lot of problems and bugs I would like to present my second small rootkit.
The rootkit solely consists of a kernel driver loaded at system start time.
After it has been loaded it copies itself into executable nonpaged memory, removes its path from unloaded module list and throws an error leading to unloading it.
Before unloading again, two threads are started, one of them will later set a read IRP hook on kbdclass.sys and initialize the read dispatch routines.
It also tries to detect a shutdown, so it can install itself in both registry and filesystem again. This installation is performed using a different random name for service key and file.
The service name is written into the safeboot keys too, so the driver will be loaded in safe mode too.
The service file itself is hidden by NTFS driver by misusing the C:\$Extend\$RmMetadata\ path for storing the file.
This prevents the driver from too easily being detected when not loaded / analyzed when offline.
The second thread, a worker thread, simply opens a log file in order to save the intercepted keystrokes into. The log file is hidden by ntfs.sys too.
Whether logging should be on or off can simply be controlled by using a file named "LOGGING_ON" in your C:\ root.
Issues:
- With certain keyboards you will have problems using IRP hooks, say the keyboard won't be working correctly anymore.
- I had to made a lots of compromises between not being detectable and not being removable as I'm not using sophisticated techniques such as direct registry file editing and so on.
- Some unnecessary debug output...
Hence, I cannot guarantee for the rootkit to be fully undetectable, but at least I tried so.
Best regards
Microwave89
P.S. Some code taken from KLOG rootkit by Clandestiny
P.P.S. I know that hooking is lolkit technique, but for this job I've found it more suitable than creating a fake driver and device object and building a real filter driver
Attachments
Password: phoenixKit_64
(9.59 KiB) Downloaded 196 times
(9.59 KiB) Downloaded 196 times
