Program:    fu.exe and msdirectx.sys
Written by: fuzen_op
Email:      fuzen_op@yahoo.com or fuzen_op@rootkit.com

Description: 
	fu.exe and msdirectx.sys work as one. fu.exe passes down parameters as IOCTLs
	to the msdirectx.sys driver. As such, once the driver is loaded, you do not need any
	special privilege to run fu.exe. msdirectx.sys is the driver and does all the work
	of fu.exe. The driver is never unloaded until reboot. You can use whatever method
	you like to load the driver, such as SystemLoadAndCallImage suggested by Greg Hoglund.
	The driver is named msdirectx.sys. It is a play on Microsoft's DirectX and is named
	this to help hide it. (A future tool will hide it completely!)

	The FU rootkit can now hide any named driver in a manner similar to the way it hides
	processes. All the code to do this is in the user land program (fu.exe) and the
	corresponding driver (msdirectx.sys). This functionality is not exposed to the regular
	user when showing the Usage of FU. You must read the fu.exe code yourself to determine
	the parameters to pass to hide drivers. The reason for this is that it uses a hard-coded
	address that has only been tested on two machines. Look for MyPsLoadedModuleList in the
	fu.exe code. Change it as necessary. If you want to send IOCTLs to a driver, you need
	a handle to it. FU makes no effort to hide or delete the symbolic link used to open a
	handle to the driver to be hidden. You could add this code easily though if you wanted.
	The msdirectx.sys driver should just delete the symbolic link while it is hiding the driver.

	The driver has many uses. It can change the groups on any process. So,
	you could give your process System by typing:
		fu -pss #process_pid System

	It can also hide a process. Type:
		fu -ph #process_pid

	At times you may want to "adjust" the privileges on a particular process. You can do
	this by typing something like:
		fu -prs #process_pid SeDebugPrivilege
	You will need to type the specific privileges you want, but no worries, I have listed
	them in ListPrivileges.txt.

	Another feature is msdirectx.sys can change the AUTH_ID on any process. This can be used 
	to impersonate another logon session so that Windows Auditing etc. does not know what 
	user really performed the actions you choose to take with the process. Type:
		fu -pas #process_pid
	The process specified now looks like System in the Event Viewer, etc. You can recompile 
	it to use Anonymous_Logon, LocalService, or NetworkService instead of System. See 
	Rootkit.h.
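The three token edits described above (-pas, -pss, -prs) each leave a token that is inconsistent with itself: an authentication ID that belongs to the SYSTEM logon session on a token whose user SID still names an ordinary account, a SYSTEM group SID inside a non-SYSTEM token, and privileges the account's normal token never carries. The following added example, which is not part of the original readme or the FU tool, shows how a defender can check a list of process token descriptions for those three inconsistencies. The well-known logon session LUIDs and SIDs are the documented Windows values; the process records and the per-account privilege baseline are constructed sample data standing in for what a token-collection script on the host would produce.

```python
"""Detect token edits of the kind described in the readme (added example).

Each check targets one inconsistency:
  * auth_id says SYSTEM / LOCAL SERVICE / ... but the token user SID does not match
  * the LocalSystem SID appears in the groups of a token whose user is not SYSTEM
  * the token holds privileges outside the account's baseline
The LUID and SID constants are the documented Windows values; the process
records and BASELINE below are CONSTRUCTED sample data.
"""

# Well-known logon session LUIDs and the user SID a token in that session carries.
WELL_KNOWN_SESSIONS = {
    0x3E7: "S-1-5-18",  # SYSTEM
    0x3E6: "S-1-5-7",   # ANONYMOUS LOGON
    0x3E5: "S-1-5-19",  # LOCAL SERVICE
    0x3E4: "S-1-5-20",  # NETWORK SERVICE
}
LOCAL_SYSTEM_SID = "S-1-5-18"


def check_token(proc, baseline):
    """proc: {"pid", "user_sid", "auth_id", "groups", "privileges"}.
    baseline: {user_sid: set of privileges that account's token normally holds}.
    Returns a list of (pid, finding) tuples; an empty list means consistent."""
    findings = []
    # 1. Authentication ID rewritten to a well-known session (the -pas effect).
    expected_user = WELL_KNOWN_SESSIONS.get(proc["auth_id"])
    if expected_user is not None and proc["user_sid"] != expected_user:
        findings.append((proc["pid"], f"auth_id {proc['auth_id']:#x} belongs to "
                         f"{expected_user} but token user is {proc['user_sid']}"))
    # 2. SYSTEM SID injected into a normal user's group list (the -pss effect).
    if LOCAL_SYSTEM_SID in proc["groups"] and proc["user_sid"] != LOCAL_SYSTEM_SID:
        findings.append((proc["pid"], "SYSTEM SID present in the groups of a non-SYSTEM token"))
    # 3. Privileges that the account's baseline token never carries (the -prs effect).
    allowed = baseline.get(proc["user_sid"])
    if allowed is not None:
        extra = set(proc["privileges"]) - allowed
        if extra:
            findings.append((proc["pid"], "privileges beyond the account baseline: "
                             + ", ".join(sorted(extra))))
    return findings


def audit(processes, baseline):
    """Run check_token over every record and return all findings in process order."""
    out = []
    for proc in processes:
        out.extend(check_token(proc, baseline))
    return out


# Constructed sample data: one ordinary account, one interactive logon session LUID.
USER_SID = "S-1-5-21-1000-2000-3000-1001"
USER_SESSION = 0x4D2D1
BASELINE = {USER_SID: {"SeChangeNotifyPrivilege", "SeShutdownPrivilege", "SeUndockPrivilege"}}
SAMPLE_PROCESSES = [
    # A genuine SYSTEM process: SYSTEM user, SYSTEM session, SYSTEM in groups is normal.
    {"pid": 4, "user_sid": LOCAL_SYSTEM_SID, "auth_id": 0x3E7,
     "groups": {"S-1-5-18", "S-1-1-0"}, "privileges": {"SeDebugPrivilege", "SeTcbPrivilege"}},
    # auth_id points at the SYSTEM session but the user is still the ordinary account.
    {"pid": 1004, "user_sid": USER_SID, "auth_id": 0x3E7,
     "groups": {"S-1-1-0", "S-1-5-32-545"}, "privileges": {"SeChangeNotifyPrivilege"}},
    # SYSTEM SID added to the group list of a user token.
    {"pid": 1337, "user_sid": USER_SID, "auth_id": USER_SESSION,
     "groups": {"S-1-1-0", "S-1-5-32-545", "S-1-5-18"}, "privileges": {"SeChangeNotifyPrivilege"}},
    # SeDebugPrivilege on a standard-user token.
    {"pid": 2048, "user_sid": USER_SID, "auth_id": USER_SESSION,
     "groups": {"S-1-1-0", "S-1-5-32-545"},
     "privileges": {"SeChangeNotifyPrivilege", "SeDebugPrivilege"}},
    # Clean user process.
    {"pid": 2100, "user_sid": USER_SID, "auth_id": USER_SESSION,
     "groups": {"S-1-1-0", "S-1-5-32-545"}, "privileges": {"SeChangeNotifyPrivilege"}},
]


if __name__ == "__main__":
    for pid, finding in audit(SAMPLE_PROCESSES, BASELINE):
        print(f"PID {pid}: {finding}")
```

The baseline map is the part a practitioner has to build for their own environment (the privileges a given account's token normally holds after logon); the session/SID consistency checks need no per-host tuning because they rely only on the documented well-known values.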

	The driver does all this by Direct Kernel Object Manipulation (TM)!! No worries about whether
	you have permission to that process, token, etc. If you can load a driver once, you are golden!
	Also, it does not use "hooking" techniques. Hooking is easily detectable. FU is much
	better. It just writes directly to memory because it understands the structures inside
	and out.
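Unlinking a process or a driver from the kernel list that the usual enumeration walks removes it from one view only; the object still has threads that get scheduled, a PID that can be opened, and, as the driver-hiding note above says, a symbolic link and device object that are left behind. The standard defensive answer is cross-view detection: take the same inventory from several independent sources and flag anything that one view reports and another does not. The following added example, which is not part of the original readme or the FU tool, implements that comparison for both the process-hiding and the driver-hiding cases, and handles the usual false positive (a process that exits between two collections) by requiring a discrepancy to persist across rounds. The view names only describe what a real collector on the host would gather; every view's contents are constructed sample data.

```python
"""Cross-view detection of list-unlinked processes and drivers (added example).

A view is {view_name: set_of_ids}. cross_view_diff() reports every id that at
least one view failed to return. persistent_discrepancies() repeats that over
several rounds and keeps only gaps that recur, because a process that starts or
exits between two collectors also shows up in one view and not another, once.
All view contents below are CONSTRUCTED sample data.
"""
from collections import Counter


def cross_view_diff(views):
    """Return {id: (seen_in, missing_from)} for every id not reported by all views."""
    all_ids = set().union(*views.values())
    diff = {}
    for obj in all_ids:
        seen = frozenset(name for name, ids in views.items() if obj in ids)
        missing = frozenset(views) - seen
        if missing:
            diff[obj] = (seen, missing)
    return diff


def persistent_discrepancies(rounds, min_rounds=2):
    """rounds: list of view snapshots taken over time.
    Returns {id: {view_name, ...}} for ids that the same view failed to report in at
    least min_rounds rounds; a gap seen in fewer rounds is treated as a race."""
    hits = Counter()
    for views in rounds:
        for obj, (_seen, missing) in cross_view_diff(views).items():
            for view in missing:
                hits[(obj, view)] += 1
    flagged = {}
    for (obj, view), count in hits.items():
        if count >= min_rounds:
            flagged.setdefault(obj, set()).add(view)
    return flagged


# Constructed process views. "linked_list" stands for a walk of the kernel's process
# list (the view a list-unlink removes the process from); "pid_sweep" for attempting to
# open every possible PID; "thread_walk" for collecting the owning process of every
# thread. PID 1337 is the hidden process; PID 2048 only existed during round one's sweep.
PROCESS_ROUNDS = [
    {
        "linked_list": {4, 368, 612, 1004},
        "pid_sweep": {4, 368, 612, 1004, 1337, 2048},
        "thread_walk": {4, 368, 612, 1004, 1337},
    },
    {
        "linked_list": {4, 368, 612, 1004, 2100},
        "pid_sweep": {4, 368, 612, 1004, 1337, 2100},
        "thread_walk": {4, 368, 612, 1004, 1337, 2100},
    },
]

# Constructed driver views. "loaded_module_list" stands for a walk of the loaded-module
# list; "driver_objects" for driver objects still reachable through the object manager
# (the readme notes the driver's symbolic link is not removed when it is hidden).
DRIVER_ROUNDS = [
    {
        "loaded_module_list": {"ndis.sys", "tcpip.sys", "afd.sys"},
        "driver_objects": {"ndis.sys", "tcpip.sys", "afd.sys", "msdirectx.sys"},
    },
    {
        "loaded_module_list": {"ndis.sys", "tcpip.sys", "afd.sys"},
        "driver_objects": {"ndis.sys", "tcpip.sys", "afd.sys", "msdirectx.sys"},
    },
]


if __name__ == "__main__":
    for label, rounds in (("process", PROCESS_ROUNDS), ("driver", DRIVER_ROUNDS)):
        for obj, missing in sorted(persistent_discrepancies(rounds).items(), key=str):
            print(f"{label} {obj!r} hidden from: {', '.join(sorted(missing))}")
```

With the sample rounds, PID 1337 and msdirectx.sys are reported as missing from the list-based view in every round, while PID 2048 is dropped because its gap appears once; raising `min_rounds` trades detection latency for fewer false positives from short-lived processes.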

Program Usage: 
   fu
        [-pl]  #number   to list the first #number of processes
        [-ph]  #PID      to hide the process with #PID
        [-pas] #PID      to set the AUTH_ID to SYSTEM on process #PID.
                         Use this to impersonate other people when you
                         do things.
                         Note: You can recompile it to use Anonymous_Logon,
                               LocalService, or NetworkService instead of
                               System. See Rootkit.h.
        [-prl]           to list the available privileges
        [-prs] #PID #privilege_name to set privileges on process #PID
        [-pss] #PID #account_name to add #account_name SID to process #PID token



Caveat:
	The binaries I have included will only run on Windows 2000/XP. See above. You
	will definitely have to recompile for NT because the kernel in 2000/XP exports 
	except_handler3 and NT does not so the driver is not compatible across all three.

	See the note above if you wish to hide drivers.

	WE ARE MODIFYING KERNEL STRUCTURES (OBJECTS) DIRECTLY IN MEMORY. AS SUCH, AT TIMES
	IT CAN CAUSE A BLUESCREEN. I HAVE SEEN IT HAPPEN, BUT I WOULD SAY IT IS 98% TO 99%
	STABLE. IT ALL DEPENDS ON WHAT YOU ARE DOING AT THE TIME. 

	IF YOU FIND A PROBLEM OR A BUG, PLEASE EMAIL ME AT THE ABOVE ADDRESS. PROVIDE
	AS MUCH DETAIL AS POSSIBLE ABOUT THE SEQUENCE OF EVENTS. WE MAY ALSO ARRANGE FOR YOU
	TO SEND ME YOUR PHYSICAL DUMP OF MEMORY, BUT DON'T SEND THAT IMMEDIATELY AS MY EMAIL
	WILL NOT HOLD IT.

Thanks:
	Greg Hoglund - the father of Windows rootkits and a code guru.
	Joe          - who made NDIS cry.
	Contagion    - if it's on the wire, he knows what to do.
	m0ribundi    - my mentor.
