Hacker defender v0.2.1 - english readme

Main

Hacker defender v0.2.1
by Holy_Father

Hacker defender is a rootkit for Windows NT 4.0, Windows 2000 and Windows XP.
The main code was written in Delphi 6. The functions for the new thread are
written in assembler. The program uses an adapted LDE32 (LDE32,
Length-Disassembler Engine, 32-bit, (c) 1999-2000 Z0MBiE, special edition for
the REVERT tool, version 1.05).

Usage

>hxdef021.exe [inifile]

The default hxdef021.ini is used if run without specifying the inifile.

Idea

The main idea of this program was to use the API functions WriteProcessMemory
and CreateRemoteThread to create a new thread in all running processes. The
new thread rewrites some functions in system modules (mostly kernel32.dll)
and injects fake code which checks API results and changes these results in
specific cases. The program must be absolutely hidden from everything else.
The program installs hidden backdoors and registers as a hidden system
service.

Version

TODO
- extend backdoor (create admin part)
- net functions for backdoor
- run root process on system level

0.2.1
+ always run as service

0.2.0
+ system service installation
+ hiding in database of installed services
+ hidden backdoor
+ no more working with windows

0.1.1
+ hidden in tasklist
+ usage - possibility to specify name of inifile
x found and then fixed bug in communication
x fixed bug in using advapi
- found bug with debuggers

0.1.0
+ infection of system services
+ smaller, tidier, faster code, more stable program
x fixed bug in communication

0.0.8
+ hiding files
+ infection of new processes
- can't infect system services
- bug in communication

Hooked API

List of API functions which are changed:

Kernel32.FindFirstFileExW
Kernel32.FindNextFileW
Kernel32.CreateProcessW
Ntdll.NtQuerySystemInformation (class 5)
WS2_32.recv
WS2_32.WSARecv
WSOCK32.recv
Kernel32.ReadFile
Advapi32.EnumServicesStatusW
Advapi32.EnumServicesStatusA

Inifile

There are more settings in this version. The inifile must contain three
parts: [Hidden Table], [Root Processes] and [Hidden Services].

Hidden Table is a list of files and directories which should be hidden.
There is no chance to find those files and directories. Programs in this
list will be hidden in the tasklist.

Root Processes is a list of programs which will be immune against infection.
You can see hidden files, directories and programs only with these root
programs. So, root processes are for rootkit admins.

Hidden Services is a list of service names which will be hidden in the
database of installed services. The service name for the main rootkit
program is HackerDefender021.

Backdoor

The rootkit hooks some API functions connected with receiving packets from
the net. If the incoming data equals a 512 bits long key, a shell instance
is created and the next incoming data are redirected to this shell. Because
the rootkit hooks all processes in the system, all TCP ports on servers will
be backdoors. This backdoor will work only on servers where the incoming
buffer is larger than or equal to 512 bits. But this is the case on almost
all standard servers like Apache, IIS, Oracle. So, the backdoor is created
and it is hidden because its packets go through common servers on the
system. So, you are not able to find it with a classic portscanner and this
backdoor can easily go through a firewall. The exception to this are classic
proxies which are protocol oriented, e.g. for FTP or HTTP. During tests on
IIS services it was found that the HTTP server does not log any of these
connections; the FTP and SMTP servers log only the disconnection at the end.

You have to use a special client if you want to connect to the backdoor. The
program bdcli021.exe is used for this.

usage:
bdcli021.exe host port

Known Bugs

Only one bug is known. Processes which are being debugged at the moment
can't be infected, because their debugger has exclusive rights to them. The
infection will be lost if the process is debugged during infection. So, it
will not be changed and will see everything. I think this is not a serious
bug, because there is only a small chance of this happening. I need help
with solving this problem. It is not serious, but I have no idea how to fix
it.

Holy_Father
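The readme's Hooked API list is the useful thing for a defender: it says which views of the system are tampered with and, by omission, which are not. Advapi32.EnumServicesStatusA/W are hooked, so any tool that enumerates services through the Service Control Manager may not show the names in [Hidden Services]; the Services registry key is not on the list. The following cross-view script is an added example written for this readme, not code from the rootkit or its author. It assumes the SCM view is taken with Get-Service, the registry view from HKLM:\SYSTEM\CurrentControlSet\Services, and that a Type value with bit 0x10 or 0x20 set marks a Win32 service (the documented service-type values). The service name HackerDefender021 is the one the readme gives.

```powershell
# Added example (not part of the Hacker defender readme or its code):
# cross-view detection of services hidden from the Service Control Manager.
# View 1 goes through the SCM API (EnumServicesStatus*, hooked per readme).
# View 2 reads the Services registry key, which is not on the hooked list.
# A Win32 service present in view 2 but absent from view 1 is a candidate
# hidden service. Assumptions: Get-Service for the SCM view, the standard
# Services key for the registry view, Type bits 0x10/0x20 = Win32 service.

function Find-HiddenServices {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # View 1: what the SCM reports.
    $scmNames = @(Get-Service | ForEach-Object { $_.Name })

    # View 2: what the registry holds. Kernel drivers live under the same
    # key but Get-Service does not list them, so keep only entries whose
    # Type marks a Win32 service; otherwise every driver is a false positive.
    $regNames = @(
        Get-ChildItem $servicesKey | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            if ($props -and ($props.Type -band 0x30)) { $_.PSChildName }
        }
    )

    # Service names are case-insensitive; -notcontains compares that way.
    $missing = @($regNames | Where-Object { $scmNames -notcontains $_ })

    [pscustomobject]@{
        ScmCount       = $scmNames.Count
        RegistryCount  = $regNames.Count
        MissingFromScm = $missing
        KnownName      = ($regNames -contains 'HackerDefender021')  # name from the readme
    }
}

$result = Find-HiddenServices
"SCM reports $($result.ScmCount) Win32 services, registry holds $($result.RegistryCount)."
if ($result.KnownName) {
    "Registry contains the service name HackerDefender021 given in the readme."
}
foreach ($name in $result.MissingFromScm) {
    "Service '$name' exists in the registry but is not reported by the SCM: investigate."
}
```

Two caveats follow directly from the readme. First, the rootkit injects into every running process, so the process running this script is itself infected; the script is not a clean observer, it only compares two views of which one is known to be hooked and one is not. Second, the hook list is specific to v0.2.1; a later version that also intercepts registry enumeration would make both views agree, which is why the registry view is best confirmed from the offline hive (the SYSTEM file read on another machine). The same cross-view idea applies to the other hooked functions: directory listings through FindFirstFileExW/FindNextFileW versus the volume read offline for [Hidden Table], and the process list from NtQuerySystemInformation class 5 versus a source the rootkit does not touch.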