There are a lot of papers and examples on how to hide processes, registry keys, etc. in Windows NT based systems. The problem comes when you are trying to hide these things from programs such as IceSword, which are specifically designed to detect hidden things by using low-level calls instead of the Windows API. If anyone knows any good papers or examples on how to keep things hidden from these 'rootkit' detectors (which is what hxdef golden claims to do) I would be interested as well. I am doing some research comparing rootkits, rootkit detectors and anti-rootkit detection techniques.

> Hi,
> for the tips... sorry but I don't know which suggestions to give you,
> but I advise you to study AFX rootkit, when I wrote my first rootkit
> this code helped me a lot because it can hide
> """
> a) Processes
> b) Handles
> c) Modules
> d) Files & Folders
> e) Registry Keys & Values
> f) Services
> g) TCP/UDP Sockets
> h) Systray Icons
> """
> There is an article that is well written (about win32 rootkit): it's
> "Analysis of a win32 userland rootkit" by Kdm, it's really a good paper.
>
> Nzeka Gilbert aka khaalel
>
> PS: If you want, I own the code of hxdef but this rootkit is known by
> everybody so for invisibility, hxdef is not the right tool !!! but the
> code is great for learning how to code a win32 rootkit.

--
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
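As an added illustration of the cross-view idea the post attributes to detectors like IceSword (example code written for this page, not code from the original post, from IceSword, or from any rootkit named in the thread): the Win32 Toolhelp view of the process list is compared against a lower-level view obtained by brute-forcing every PID with OpenProcess. A PID the probe can reach but the API snapshot does not report is a hiding candidate. The two Windows enumerators are real kernel32 calls via ctypes and only run on Windows; the comparison is portable and is demonstrated on constructed sample PID sets elsewhere. All function and constant names below are this example's own.

```python
"""Cross-view process detection: Toolhelp snapshot vs. OpenProcess brute force."""
import ctypes
import sys

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
ERROR_ACCESS_DENIED = 5          # process exists, we just may not open it
ERROR_INVALID_PARAMETER = 87     # no process with that PID
TH32CS_SNAPPROCESS = 0x00000002
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
MAX_PATH = 260


class PROCESSENTRY32(ctypes.Structure):
    # ANSI PROCESSENTRY32 layout from tlhelp32.h (304 bytes on x64, 296 on x86).
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("cntUsage", ctypes.c_uint32),
        ("th32ProcessID", ctypes.c_uint32),
        ("th32DefaultHeapID", ctypes.c_void_p),
        ("th32ModuleID", ctypes.c_uint32),
        ("cntThreads", ctypes.c_uint32),
        ("th32ParentProcessID", ctypes.c_uint32),
        ("pcPriClassBase", ctypes.c_int32),
        ("dwFlags", ctypes.c_uint32),
        ("szExeFile", ctypes.c_char * MAX_PATH),
    ]


def api_view():
    """High-level view: PIDs listed by CreateToolhelp32Snapshot (Windows only).

    This is what a Task Manager style tool sees; a userland rootkit that hooks
    Process32Next/NtQuerySystemInformation simply filters entries out of it.
    """
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
    k32.Process32First.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.Process32Next.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap is None or snap == INVALID_HANDLE_VALUE:
        raise OSError(ctypes.get_last_error(), "CreateToolhelp32Snapshot failed")
    pids = set()
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(entry)
    ok = k32.Process32First(snap, ctypes.byref(entry))
    while ok:
        pids.add(entry.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return pids


def low_level_view(max_pid=65536):
    """Low-level view: probe every PID with OpenProcess (Windows only).

    PIDs are multiples of 4. A PID exists if OpenProcess succeeds or fails with
    ERROR_ACCESS_DENIED; ERROR_INVALID_PARAMETER means there is no such process.
    PID 0 (System Idle) can never be opened, so it is added unconditionally.
    """
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    pids = {0}
    for pid in range(4, max_pid, 4):
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if handle:
            k32.CloseHandle(handle)
            pids.add(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            pids.add(pid)
    return pids


def find_hidden(api_pids, low_level_pids):
    """Cross-view diff: PIDs the low-level probe reaches but the API omits."""
    return sorted(set(low_level_pids) - set(api_pids))


# Constructed sample views (not captured from a real machine) so the diff can
# be exercised on any platform: PID 1628 is reachable but not reported.
SAMPLE_API_VIEW = {0, 4, 372, 520, 1104, 2048}
SAMPLE_LOW_LEVEL_VIEW = {0, 4, 372, 520, 1104, 1628, 2048}


def main():
    if sys.platform == "win32":
        hidden = find_hidden(api_view(), low_level_view())
    else:
        hidden = find_hidden(SAMPLE_API_VIEW, SAMPLE_LOW_LEVEL_VIEW)
    for pid in hidden:
        print("PID %d reachable via OpenProcess but absent from Toolhelp snapshot" % pid)
    return hidden


if __name__ == "__main__":
    main()
```

Two caveats a practitioner should keep in mind. First, a process that starts or exits between the two scans shows up in only one view, so candidates should be re-probed before being called hidden. Second, a userland rootkit of the hxdef/AFX kind hooks OpenProcess in the detector's own process as readily as it hooks Process32Next, which blinds both views at once; that is precisely why the detectors the post mentions go below the Win32 API rather than comparing two Win32 views as this example does.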
