Monday, July 16, 2012

Linux Rootkits Collection

http://packetstormsecurity.org/UNIX/penetration/rootkits/

Tuesday, July 10, 2012

Windows rootkits Collection

rootkits collection:

http://ping-of-death.blogspot.com/2009/07/edmunds-rootkit-collection-downloads-w.html

I was thinking of posting them individually, but I didn’t want it to be seen as “spamming”, so here are all the rootkits I have. These are all RS downloads.
Almost all files are zipped.
Some are tar.gz and others .rar.
Happy Hacking.
Legend:
Rootkit name
Description
download link
————————————–
Vanquish Rootkit
Vanquish is a DLL injection based Romanian rootkit that hides files, folders, registry entries and logs passwords.
http://rapidshare.com/files/214735218/vanquish-0.2.1.zip
NT Rootkit
The original and first public NT ROOTKIT – has not been updated for many years but is good for ideas.
http://rapidshare.com/files/214735636/rk_044.zip
FU Rootkit
The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!). (Look, Mom, no hands!) It does all this by Direct Kernel Object Manipulation (TM); no hooking! This project has been evolving over time. It was originally conceived as a proof-of-concept. FU is a play on words from the UNIX program “su” used to elevate privilege.
http://rapidshare.com/files/214736334/FU_Rootkit.zip
WinLogonHijack Rootkit
Winlogonhijack injects a dll into winlogon.exe and hooks msgina.WlxLoggedOutSAS, logging every login in plaintext.
http://rapidshare.com/files/214736739/winlogonhijack-v0.3-src.rar
MyNetwork Rootkit
This ethernet bridge allows many subnets to connect to one another, supports a central server, and watches ARP and ethernet traffic to maintain a MAC-router table. (windows vc7++) requires winpcap
http://rapidshare.com/files/214737889/MyNetwork.zip
Vice Rootkit
VICE is a tool to find hooks.
Features include:
1. Looks for people hooking IAT’s.
2. Looks for people hooking functions in-line aka detouring.
3. Looks for hooks in the System Call Table. Thanks to Tan perhaps it will fix the table in the future.
4. Looks for detour hooks in the System Call Table functions themselves.
5. Looks for people hooking IRP_MJ table in drivers. This is configurable by driver.ini.
http://rapidshare.com/files/214738213/vice.zip
Klog Rootkit
Klog demonstrates how to use a kernel filter driver to implement a simple key logger.
http://rapidshare.com/files/214738979/Klog_1.0.zip
AFX Rootkit '05
This OPEN SOURCE Delphi rootkit uses code injection and hooks Windows native API to hide processes, modules, handles, files, ports, registry keys, etc.
http://rapidshare.com/files/214739475/AFXRootkit2005.zip
SinAR Rootkit
A Cross architecture Solaris rootkit.
http://rapidshare.com/files/214740016/SInAR-0.1.tar.gz
Shadow Walker Rootkit
Shadow Walker as seen at Black Hat and Phrack 63.
http://rapidshare.com/files/214740632/Shadow_Walker_1.0.rar
CFSD Rootkit
FUTo Rootkit
FUTo is the successor of FU. Its accompanying research paper can be found at www.uninformed.org. FUTo currently hides from Blacklight and IceSword as of the initial release.
http://rapidshare.com/files/214741940/FUTo_enhanced.zip
WMFT Rootkit
Windows Memory Forensic Toolkit (WMFT) is a collection of utilities intended for forensic use. WMFT can be used to perform forensic analysis of physical memory images acquired from Windows 2003/XP machines.
http://rapidshare.com/files/214742116/wmftv02.zip
RAIDE Rootkit remover
RAIDE stands for Rootkit Analysis Identification Elimination. RAIDE is a rootkit detection/removal tool.
http://rapidshare.com/files/214742492/RAIDE_BETA_1.zip
BootKitBasic RootKit
BOOT KIT is a project related to custom boot sector code subverting the Windows NT Security Model. The sample presented currently keeps on escalating cmd.exe to system privileges every 30 secs.
It has several features:
1) It's very small. The basic framework is just about 100 lines of assembly code. It supports 2000, XP, 2003.
2) It patches the kernel at runtime (no files are patched on disk).
3) BOOT KIT is PXE-compatible.
4) It can even lead to the first ever PXE virus.
5) It also enables you to load other root kits if you have physical access (normally root kits can only be loaded by the administrator).
http://rapidshare.com/files/214742926/bootkitbasic.zip
Defrag Rootkit
Windows NT/2K/XP defragmenter for FAT12/16/32/NTFS partitions.
http://rapidshare.com/files/214743554/defragger30b_src.zip


Keyboard Hook
Ps/2 Keyboard Hook with only 1-bit in the Keyboard Controller.

http://rapidshare.com/files/214744072/Ps2_Keyboard_Polling.zip

And...
For fun...

CheatEngine
Cheat Engine is a tool designed to give you the upper hand in games, but also contains other useful tools to help debugging games and even normal applications.

http://rapidshare.com/files/214744668/CheatEngine54src.rar

Just got done uploading all of these today, so there shouldn't be any broken links.
But if there is, let me know.

**THESE DO NOT CONTAIN VIRUSES**
THEY CONTAIN INACTIVE ROOTKITS
Until you activate them, that is...
Wouldn't run these on your PC.

All files should contain tutorials.
I'm not held responsible for what you do with these rootkits.
author : indounderground n phphack

Thursday, July 5, 2012

set SVN repository II

Log in to your server:
mkdir svnrepos
cd svnrepos
mkdir ProjectName
svnadmin create ProjectName

Log in to your local working machine:
svn co svn+ssh://username@servername/home/username/svnrepos/ProjectName ProjectName

cd into ProjectName and do whatever you want.


Monday, June 25, 2012

Find 8 bits CPU ID from IO APIC redirection table entry


Find the CPU ID from the IO APIC redirection table.
Use the Read and Write Everything tool. Specify the index register as FEC00000 and the data register as FEC00010.
First, find the IO APIC base address (FEC00000 in our case); the data register is then at base + 0x10.
The first IRQ's entry is at indexes 0x10 and 0x11, the second at 0x12 and 0x13, the third at 0x14 and 0x15 (the low and high 32-bit halves of each 64-bit entry).
The CPU ID is bits 56 to 63 of the 64-bit redirection table entry, i.e. the top byte of the high half.
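As an added example (not from the post): decoding a redirection table entry read through the index/data register pair described above, with the MMIO window replaced by a constructed register array and hypothetical sample entries. Bits 56 to 63 are a CPU (APIC) ID only when bit 11 (destination mode) is physical; in logical mode the same field is a logical destination mask, which the decoder reports as well.

```c
#include <stdint.h>

/* Entry n of the redirection table is split over two 32-bit registers:
 * index 0x10 + 2n holds the low dword, 0x11 + 2n the high dword. */
#define IOAPIC_REDTBL_BASE 0x10u

/* Constructed stand-in for the register file behind 0xFEC00000; real code
 * would write the index to IOREGSEL (base+0x00) and read IOWIN (base+0x10)
 * through volatile MMIO pointers instead of touching an array. */
static uint32_t fake_regs[0x40];

static uint32_t ioapic_read(unsigned idx) {
    return idx < sizeof fake_regs / sizeof fake_regs[0] ? fake_regs[idx] : 0;
}

typedef struct {
    uint8_t vector;        /* bits 0-7 */
    uint8_t delivery_mode; /* bits 8-10 */
    int     logical_dest;  /* bit 11: 1 = field is a logical mask, not an APIC ID */
    int     masked;        /* bit 16 */
    uint8_t dest;          /* bits 56-63: the CPU (APIC) ID in physical mode */
} ioapic_rte;

ioapic_rte decode_rte(uint32_t lo, uint32_t hi) {
    ioapic_rte r;
    r.vector        = (uint8_t)(lo & 0xFF);
    r.delivery_mode = (uint8_t)((lo >> 8) & 0x7);
    r.logical_dest  = (int)((lo >> 11) & 1);
    r.masked        = (int)((lo >> 16) & 1);
    r.dest          = (uint8_t)(hi >> 24); /* top byte of the high dword */
    return r;
}

ioapic_rte read_rte(unsigned irq) {
    uint32_t lo = ioapic_read(IOAPIC_REDTBL_BASE + 2 * irq);
    uint32_t hi = ioapic_read(IOAPIC_REDTBL_BASE + 2 * irq + 1);
    return decode_rte(lo, hi);
}

/* Hypothetical sample entries, constructed rather than read from hardware. */
void load_sample_table(void) {
    fake_regs[0x10] = 0x00010000; fake_regs[0x11] = 0x00000000; /* IRQ0: masked */
    fake_regs[0x12] = 0x00000031; fake_regs[0x13] = 0x03000000; /* IRQ1: vector 0x31, APIC ID 3 */
    fake_regs[0x14] = 0x0000A931; fake_regs[0x15] = 0x05000000; /* IRQ2: logical, level, dest 5 */
}
```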

Packet Generator Tool

PackETH: ethernet packet generator
It can generate any raw packet.

Download from:
http://packeth.sourceforge.net/
http://sourceforge.net/projects/packeth/
The default download is the Windows version; for the Linux version, click the "Browse all" link.

Install:
cd into the packeth directory
./configure
make
sudo make install

Usage:
Run it as root.
Define the packet header, payload and interface, then click Send.

Friday, June 8, 2012

How to Limit the Amount of Memory Available to OS

Linux:

Pass mem=2000m as a kernel boot argument; Linux then uses only the first 2000MB of memory. If the total RAM is 2G, this reserves 48MB.
http://fengweizhang.blogspot.com/2012/06/boot-arguments-on-linux.html


Windows:

Add the line
MaxPhyPage=0x7D000
to the [386enh] section of C:\WINDOWS\system.ini.
0x7D000 * 4KB = 2000MB
http://support.microsoft.com/kb/181862

Boot Arguments on Linux

http://tldp.org/HOWTO/BootPrompt-HOWTO-3.html


The `mem=' Argument

This argument has several purposes: The original purpose was to specify the amount of installed memory (or a value less than that if you wanted to limit the amount of memory available to linux).
The next (and hardly used) purpose is to specify mem=nopentium which tells the Linux kernel to not use the 4MB page table performance feature. If you want to use it for both purposes, use a separate mem= for each one.
The original BIOS call defined in the PC specification that returns the amount of installed memory was only designed to be able to report up to 64MB. (Yes, another lack of foresight, just like the 1024 cylinder disks... sigh.) Linux uses this BIOS call at boot to determine how much memory is installed. A newer specification (e820) allows the BIOS to get this right on most machines nowadays. If you have more than 64MB of RAM installed on an older machine, you can use this boot argument to tell Linux how much memory you have. Here is a quote from Linus on the usage of the mem= parameter.
``The kernel will accept any `mem=xx' parameter you give it, and if it turns out that you lied to it, it will crash horribly sooner or later. The parameter indicates the highest addressable RAM address, so `mem=0x1000000' means you have 16MB of memory, for example. For a 96MB machine this would be `mem=0x6000000'. If you tell Linux that it has more memory than it actually does have, bad things will happen: maybe not at once, but surely eventually.''
Note that the argument does not have to be in hex, and the suffixes `k' and `M' (case insensitive) can be used to specify kilobytes and Megabytes, respectively. (A `k' will cause a 10 bit shift on your value, and a `M' will cause a 20 bit shift.) A typical example for a 128MB machine would be "mem=128m".
In some cases, the memory reported via e820 can also be wrong, and so the mem=exactmap was added. You use this in conjunction with specifying an exact memory map, such as:


        mem=exactmap mem=640K@0 mem=1023M@1M

for a 1GB machine with the usual 384k of ISA memory mapped I/O space excluded from use.
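As an added example (my own code, not the kernel's parser), a parser for the mem= forms the HOWTO describes: plain or 0x-prefixed numbers, the case-insensitive k and M suffixes as 10- and 20-bit shifts, the nopentium and exactmap keywords, the size@start form used after exactmap, and one mem= token per purpose on the command line. The 256-byte command-line buffer is an assumption of this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One parsed mem= value. size@start is the form used with mem=exactmap;
 * nopentium and exactmap are the keyword forms the HOWTO mentions. */
typedef struct {
    uint64_t size, start;
    int has_start, nopentium, exactmap;
} mem_arg;

/* Number with optional k/K (<<10) or m/M (<<20) suffix; "0x" prefix gives
 * hex, as in Linus's mem=0x1000000 example. Returns 0 if nothing parsed. */
static int parse_size(const char *s, uint64_t *out, const char **end) {
    char *e;
    if (!isxdigit((unsigned char)*s)) return 0;   /* reject "-5", "", "@1M" */
    unsigned long long v = strtoull(s, &e, 0);
    if (*e == 'k' || *e == 'K') { v <<= 10; e++; }
    else if (*e == 'm' || *e == 'M') { v <<= 20; e++; }
    *out = v; *end = e;
    return 1;
}

/* Parse the text after "mem=". Returns 1 on success, 0 if malformed. */
int parse_mem_arg(const char *value, mem_arg *out) {
    const char *p;
    memset(out, 0, sizeof *out);
    if (strcmp(value, "nopentium") == 0) return out->nopentium = 1;
    if (strcmp(value, "exactmap") == 0) return out->exactmap = 1;
    if (!parse_size(value, &out->size, &p)) return 0;
    if (*p == '@') {                       /* size@start, only meaningful after exactmap */
        if (!parse_size(p + 1, &out->start, &p)) return 0;
        out->has_start = 1;
    }
    return *p == '\0';                     /* trailing junk such as "12x" is an error */
}

/* Pull every mem= token out of a kernel command line, in order, since the
 * HOWTO says each purpose needs its own mem= argument. Returns the count. */
int parse_cmdline_mem(const char *cmdline, mem_arg *out, int max) {
    char buf[256];                         /* assumed upper bound for this example */
    int n = 0;
    if (strlen(cmdline) >= sizeof buf) return -1;
    strcpy(buf, cmdline);
    for (char *tok = strtok(buf, " "); tok && n < max; tok = strtok(NULL, " "))
        if (strncmp(tok, "mem=", 4) == 0 && parse_mem_arg(tok + 4, &out[n])) n++;
    return n;
}
```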