Anybody interested in rootkits? I have made a rootkit with a backdoor; it's simple. I coded it in VB6. The running backdoor process does not show up in Task Manager or any other process viewer. The backdoor just opens 2 TCP ports on your computer (9800, 9898), one for command passing and another for file sending.
I used a kernel-mode driver for changing the _EPROCESS structure (for hiding the process), because it has administrative privileges.
The structure of _EPROCESS is given below. The offsets shown are the Windows 2000 ones; they differ between Windows versions and service packs, so a driver must not hardcode them.
typedef struct _EPROCESS
{
    /*000*/ KPROCESS      Pcb;
    /*06C*/ NTSTATUS      ExitStatus;
    /*070*/ KEVENT        LockEvent;
    /*080*/ DWORD         LockCount;
    /*084*/ DWORD         d084;
    /*088*/ LARGE_INTEGER CreateTime;
    /*090*/ LARGE_INTEGER ExitTime;
    /*098*/ PVOID         LockOwner;
    /*09C*/ DWORD         UniqueProcessId;
    /*0A0*/ LIST_ENTRY    ActiveProcessLinks;
    /* ... the list goes on ... */
} EPROCESS, *PEPROCESS;
and LIST_ENTRY is:
typedef struct _LIST_ENTRY
{
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;
Here Flink points forward to the ActiveProcessLinks entry of the next process in the kernel's process list, and Blink points backward to the entry of the previous process. Hiding a process means unlinking its entry from this doubly linked list: the previous entry's Flink is pointed at the next entry, and the next entry's Blink is pointed at the previous entry, so anything that walks the list (which is how Task Manager and other process viewers enumerate processes) skips it. The process keeps running because the scheduler works from thread lists, not from ActiveProcessLinks. Two caveats: the unlinked entry's own Flink and Blink should be pointed back at itself, otherwise the kernel's own unlink on process exit writes through stale pointers and can crash the machine; and the process is only hidden from list walkers, so a cross-view check (comparing the list walk against another source of process identity, such as the PID handle table or a memory scan for process objects) still finds it.
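The unlink described above, as an added user-mode simulation that is not part of the original post or its VB6/driver code. It models the kernel's ActiveProcessLinks chain and, as a stand-in for the PID table, a flat array of process records, so it runs without a driver. The structure is deliberately simplified (only the PID, the list entry and an image name are kept), and all process names and PIDs are constructed sample data.

```c
/* User-mode simulation of DKOM process hiding. A doubly linked list stands in
 * for the kernel's ActiveProcessLinks chain; a flat array stands in for the
 * kernel's PID table. Real _EPROCESS offsets are irrelevant here; only the
 * list mechanics are modelled. All PIDs and names below are constructed. */
#include <stddef.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

/* Simplified stand-in for _EPROCESS: just the fields the technique touches. */
typedef struct _SIM_EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
    char          ImageFileName[16];
} SIM_EPROCESS;

#define MAX_PROCS 8
static SIM_EPROCESS g_table[MAX_PROCS]; /* simulated PID table: every process, hidden or not */
static int          g_count = 0;
static LIST_ENTRY   g_head;             /* simulated PsActiveProcessHead */

/* Same definition as the WDK macro: recover the containing struct from a field pointer. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(PLIST_ENTRY h) { h->Flink = h->Blink = h; }

static void InsertTailList(PLIST_ENTRY h, PLIST_ENTRY e) {
    PLIST_ENTRY last = h->Blink;
    e->Flink = h;   e->Blink = last;
    last->Flink = e; h->Blink = e;
}

void sim_reset(void) {
    InitializeListHead(&g_head);
    g_count = 0;
    memset(g_table, 0, sizeof g_table);
}

/* Create a process record and link it at the tail of the active list. */
SIM_EPROCESS *sim_create_process(unsigned long pid, const char *name) {
    if (g_count >= MAX_PROCS) return NULL;
    SIM_EPROCESS *p = &g_table[g_count++];
    p->UniqueProcessId = pid;
    strncpy(p->ImageFileName, name, sizeof p->ImageFileName - 1);
    InsertTailList(&g_head, &p->ActiveProcessLinks);
    return p;
}

/* The rootkit's DKOM step: splice the target out of ActiveProcessLinks. */
void sim_hide_process(SIM_EPROCESS *p) {
    PLIST_ENTRY e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;   /* previous entry now skips over us */
    e->Flink->Blink = e->Blink;   /* next entry's back pointer skips over us */
    /* Point the orphaned entry at itself: on process exit the kernel unlinks
     * the entry again, and with stale neighbour pointers that write would
     * corrupt the list. Self-linked, the unlink is a harmless no-op. */
    e->Flink = e->Blink = e;
}

/* What a list-walking enumerator (Task Manager and friends) sees. */
int sim_walk_list(unsigned long *pids, int max) {
    int n = 0;
    for (PLIST_ENTRY e = g_head.Flink; e != &g_head && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, SIM_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Cross-view detection: a PID present in the table but absent from the
 * list walk has been unlinked. Returns the number of hidden PIDs found. */
int sim_find_hidden(unsigned long *hidden, int max) {
    unsigned long seen[MAX_PROCS];
    int nseen = sim_walk_list(seen, MAX_PROCS), n = 0;
    for (int i = 0; i < g_count && n < max; i++) {
        int found = 0;
        for (int j = 0; j < nseen; j++)
            if (seen[j] == g_table[i].UniqueProcessId) found = 1;
        if (!found) hidden[n++] = g_table[i].UniqueProcessId;
    }
    return n;
}
```

After sim_hide_process the walk no longer reports the backdoor's PID while sim_find_hidden still does, which is exactly the gap a cross-view detector exploits. Only the two neighbour writes are the hiding step; the self-link is the stability fix a careless rootkit omits.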
4 comments:
Is it possible to get the source code of the rootkit in VB?
Regards
Yup, it's possible, but the procedure is too long. After work I'll describe it in depth.
Where can I download the source code?
http://rapidlibrary.com/index.php?q=vb+source+rootkit
rootkit.com
Spoon feeding :P