17 February 2006

Hi, I made a backdoor these days, just for learning the skills, so some of the code may be familiar to you :> My English is poor, just read the source.
This backdoor runs in ring0 after it gets started, and bypasses the personal firewall.
First of all, I think hiding a process is a bad idea; many methods can find it out. Then I saw that IO work items are just what I need. So without creating a process or thread, we have something running in the kernel.

When a command is received, the IO work item gets run; inside the IO work item's work function I call IoQueueWorkItem again. It works, but I didn't have time to find out what is going on inside IoQueueWorkItem.

Instead of a cmd shell, there are a few commands, like cd, dir, copy, del …. These commands also work in ring0, by using native APIs exported by ntoskrnl.exe. You can add any commands you want; we are in ring0, we can do everything, right?

Second, nowadays XP SP2 and personal firewalls are widely used, so bypassing the firewall became a big deal. I use an NDIS hook to get the packets: make two queues, one for received packets and one for packets to be sent out, and reimplement a simple TCP connection. So the client I chose is netcat. If we make a client by ourselves, it will be more useful and simpler.

Third, how to start it. Writing the registry is easy to find out, including hooking reg functions and hiding the service item. In my head, I want to infect the kernel, that's right, ntoskrnl.exe, letting my rootkit be one part of the kernel. I'm still working on it :( . I found another way instead, not a very good one: it replaces userinit.exe. When the system starts, we first start the rootkit by loading a sys file, then run the real userinit.exe.
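
As an added defender-side check (not part of the original post or the uay code), the following PowerShell snippet verifies the two things this persistence trick touches: the Winlogon Userinit registry value, and whether the userinit.exe it points to is still a validly Microsoft-signed binary. The known-good hash is a placeholder you would take from a clean reference system of the same build.

```powershell
# Added example: detect a swapped userinit.exe, the persistence method described above.
# (1) Check the Winlogon Userinit value; (2) check the signature of the file it points to.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinitValue = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit

# Default is "<SystemRoot>\system32\userinit.exe," ; extra entries or other paths are suspicious.
$expectedPath = Join-Path $env:SystemRoot 'system32\userinit.exe'
$entries = @($userinitValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })

if ($entries.Count -ne 1 -or $entries[0] -ine $expectedPath) {
    Write-Warning "Userinit value is not the default: '$userinitValue'"
} else {
    Write-Output "Userinit registry value looks normal."
}

# Even with the registry untouched, the file itself may have been replaced (as in the post).
foreach ($entry in $entries) {
    $path = [Environment]::ExpandEnvironmentVariables($entry)
    if (-not (Test-Path $path)) { Write-Warning "Userinit target missing: $path"; continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
    if ($isMicrosoft) {
        Write-Output "$path is validly signed by: $($sig.SignerCertificate.Subject)"
    } else {
        Write-Warning "$path is NOT a valid Microsoft-signed binary (status: $($sig.Status)). Possible replacement."
    }

    # Fallback: compare against a hash from a known-clean system (placeholder, fill in yourself).
    $knownGoodSha256 = '<SHA256-FROM-CLEAN-REFERENCE-SYSTEM>'
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($knownGoodSha256 -notlike '<*>' -and $hash -ne $knownGoodSha256) {
        Write-Warning "$path hash $hash differs from the known-good value."
    }
}
```

On older Windows builds userinit.exe is catalog-signed rather than embedded-signed, so the signature check may report NotSigned there; in that case rely on the hash comparison against a clean reference.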

Usage: "uay.exe -i port" or "uay.exe -i" to install, "uay.exe -u" to uninstall, "nc.exe ip port" to connect to it.

Here follows the ring0 part; the whole thing can be downloaded at http://uty.512j.com/uay_source.rar , which includes the fake userinit.exe.

………

……..

Ah, the rest of the code is too long to post on the blog; the complete program can be downloaded here: http://www.xfocus.net/tools/200602/uay_source.rar
I don't know where to put the improved version :|