by Holy_Father
Written in Delphi and Assembly
Released in august 2002
Made in Czechoslovakia
Hacker defender v0.2.1 - english readme
=======================================
Main
----
Hacker defender v0.2.1 by Holy_Father
Hacker defender is rootkit for Windows NT 4.0, Windows 2000 and Windows XP.
Main code was written in Delphi 6. Functions for new thread are written
in assembler.
program uses adapted LDE32
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
special edition for REVERT tool
version 1.05
Usage
-----
>hxdef021.exe [inifile]
default hxdef021.ini is used if run without specifying the inifile
Idea
----
Main idea of this program was to use API functions WriteProcessMemory
and CreateRemoteThread to create a new thread in all running processes.
New thread will rewrite some functions in system modules (mostly kernel32.dll)
and inject fake code which will check API results and change this result
in specific cases.
Program must be absolutely hidden for all others. Program installs
hidden backdoors and register as hidden system service.
Version
-------
TODO - extend backdoor (create admin part)
- net functions for backdoor
- run root process on system level
0.2.1 + always run as service
0.2.0 + system service installation
+ hiding in database of installed services
+ hidden backdoor
+ no more working with windows
0.1.1 + hidden in tasklist
+ usage - possibility to specify name of inifile
x found and then fixed bug in communication
x fixed bug in using advapi
- found bug with debuggers
0.1.0 + infection of system services
+ smaller, tidier, faster code, more stable program
x fixed bug in communication
0.0.8 + hiding files
+ infection of new processes
- can't infect system services
- bug in communication
Hooked API
----------
List of API functions which are changed:
Kernel32.FindFirstFileExW
Kernel32.FindNextFileW
Kernel32.CreateProcessW
Ntdll.NtQuerySystemInformation (class 5)
WS2_32.recv
WS2_32.WSARecv
WSOCK32.recv
Kernel32.ReadFile
Advapi32.EnumServicesStatusW
Advapi32.EnumServicesStatusA
Inifile
-------
There are more settings in this version. Inifile must contain three
parts: [Hidden Table], [Root Processes] and [Hidden Services].
Hidden Table is a list of files and directories which should be hidden.
There is no chance to find those files and directories. Programs in this list
will be hidden in tasklist.
Root Processes is a list of programs which will be immune against
infection. You can see hidden files, directories and programs only with these
root programs. So, root processes are for rootkit admins.
Hidden Services is a list of service names which will be hidden
in the database of installed services. Service name for the main rootkit
program is HackerDefender021.
Backdoor
--------
Rootkit hooks some API functions connected with receiving packets
from the net. If incoming data equals to 512 bits long key the shell instance
is created and next incoming data are redirected to this shell.
Because rootkit hooks all process in system all TCP ports on servers
will be backdoors. This backdoor will work only on servers where incoming
buffer is larger or equal to 512 bits. But this feature is on almost all
standard servers like Apache, IIS, Oracle. So, backdoor is created and it is
hidden because its packets go through common servers on the system. So, you are
not able to find it with classic portscanner and this backdoor can easily go
through firewall. Exception in this are classic proxies which are protocol
oriented for e.g. FTP or HTTP.
During tests on IIS services was found that HTTP server does not log
any of this connection, FTP and SMTP servers log only disconnection at the end.
You have to use special client if want to connect to the backdoor.
Program bdcli021.exe is used for this.
usage: bdcli021.exe host port
Known Bugs
----------
Only one bug is known. Processes, which are debugged in the moment,
can't be infect, because their debugger has exclusive rights for them.
The infection will lose if the process is debugged during infection. So,
it will not be changed and see everything. I think this is not a serious bug,
because there is only small chance to apply this. I need help with solving this
problem. It is not serious, but i have no idea how to fix it.
Files
-----
original archive contains these files:
hxdef021.exe 37 888 b - program Hacker defender v0.2.1
hxdef021.ini 809 b - inifile
bdcli021.exe 25 088 b - backdoor client
readmecz.txt 4960 b - czech version of help file
readmeen.txt 4751 b - this help file
Holy_Father
MegaSecurity