29a-7.006 (virus source code collected from 29A, file 006)

                                 HaX0R'Z KiT
                                 ===========
                                    v1.05

  CONTENTS
  ~~~~~~~~

  0. About & Credits
  1. Process manager
  1.1. System process list
  1.2. Process inheritance
  1.3. Module list
  1.4. SFP enabling & disabling
  1.5. Dumping process's memory contents
  1.6. Dumping physical memory
  1.7. Kill & patch process
  2. Service manager
  3. Packet-related (crcpkt & spoofer)
  4. Sniffer
  5. ICMP Pinger/Scanner/Spoofer/Flooder
  6. Registry
  7. Disassembler/trojanizer (previously REVERT tool, MISTFALL-based)
  8. Binary --> source/echo conversion
  9. FakeExec
  10. API<-->CRC conversion
  11. Other shit

  0. About & Credits

  HaX0R'Z KiT is just an all-in-one collection of some tiny security-related
  programs... just because it's hard to publish all that stuff separately... ;-)

  Since we all hate scr1pt kiddi3z, this is not a trojan nor a rootkit,
  and there are no autorun or stealth features here.

  HKIT was designed for 2K/XP systems. It does not use its own driver(s),
  all network I/O is performed using raw sockets, and almost all
  features require system/admin privileges.

  I should thank Ratter/29A for writing Insider and FakeExec,
  since these great tools were (maybe partially) used in this project.

  Also, greets go to the unknown author(s) of the PasswordReminder tool
  (www.smidgeonsoft.com ?), because its source was used here.

  The following text shows some aspects of hkit usage.
  Detailed information can be obtained from the sources, for sure.

  1. Process manager

  1.1. System process list

  On Win2K/XP systems, the process list can be obtained by means of
  NTDLL::NtQuerySystemInformation.
  More information can be found in the 2K INTERNALS book.

  Each process is described by the SYSTEM_PROCESS_INFORMATION structure,
  which contains many interesting entries, including:

  - ImageName (ptr to wide-char string -- main exe's full name),
  - UniqueProcessId (PID),
  - InheritedFromUniqueProcessId (PPID).

  Using these three entries, the process inheritance tree can be built.

  Use "hkit /process /list" to show system process list.

  1.2. Process inheritance

  Every process was started by another process.
  As such, each process has a process id (PID)
  and a parent process id (PPID).

  So, if your process spawns another process, the relation can be found.

  Let's do the following:
  - run cmd.exe
  - in the command line, type 'calc' and watch how calc is executed
  - go to task manager (taskmgr), right-click on the just-executed cmd.exe,
    and run 'End Process Tree'
  - calc dies

  Now, let's do the following:
  - run cmd.exe
  - type 'cmd' to run another cmd
  - type 'calc'
  - type 'exit'
  - now, go to task manager, choose cmd and kill the process tree
  - calc does NOT die

  This means that you can hide the fact that your process is
  the parent of other process(es)
  by executing them through temporary processes.

  And here there is a lil feature.
  What if the parent process has already died,
  but some new process got the same pid as the parent had?

  This problem can be solved by means of SYSTEM_PROCESS_INFORMATION::CreateTime,
  i.e. if the "parent" process was started after the child process,
  it is not the real parent, but just a process that reuses the pid.

  Use "hkit /process /tree" to show system process tree.
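  The tree-building rule from 1.1 and 1.2, as an added example (not part of
  the HKIT sources): it works on the three SYSTEM_PROCESS_INFORMATION entries
  named above plus CreateTime, and treats a "parent" that was created after
  its child as a reused pid. The process names, pids and timestamps are
  constructed sample data.

```python
# Added example (not part of the HKIT sources): rebuild the process tree
# from the SYSTEM_PROCESS_INFORMATION fields named in the text and apply
# the CreateTime rule for pids that were reused after the parent exited.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcInfo:
    image_name: str   # ImageName
    pid: int          # UniqueProcessId
    ppid: int         # InheritedFromUniqueProcessId
    create_time: int  # CreateTime (100 ns ticks; only ordering matters here)


def real_parent(proc: ProcInfo, by_pid: Dict[int, ProcInfo]) -> Optional[ProcInfo]:
    """Return the live process that really spawned proc, or None if unknown."""
    cand = by_pid.get(proc.ppid)
    if cand is None or cand.pid == proc.pid:
        return None
    if cand.create_time > proc.create_time:
        return None  # created after the child: pid reused, real parent is gone
    return cand


def build_tree(procs: List[ProcInfo]) -> Dict[Optional[int], List[int]]:
    """Map parent pid (None for orphans and reused-pid cases) -> sorted child pids."""
    by_pid = {p.pid: p for p in procs}
    tree: Dict[Optional[int], List[int]] = {}
    for p in procs:
        parent = real_parent(p, by_pid)
        tree.setdefault(parent.pid if parent else None, []).append(p.pid)
    for kids in tree.values():
        kids.sort()
    return tree


# Constructed snapshot modelled on the cmd -> cmd -> calc -> exit scenario:
# the middle cmd (pid 2000) has exited and pid 2000 was later reused by
# notepad.exe, so calc must NOT be attached to notepad.
SAMPLE = [
    ProcInfo("cmd.exe", 1000, 400, create_time=100),
    ProcInfo("calc.exe", 3000, 2000, create_time=120),
    ProcInfo("notepad.exe", 2000, 1000, create_time=150),  # reused pid
    ProcInfo("far.exe", 4000, 1000, create_time=160),
]
```

  On a live system the same logic applies to the records returned by
  NtQuerySystemInformation; here it runs on the embedded snapshot.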

  1.3. Module list

  The module list can be obtained using PSAPI, even on 9X systems that have psapi.dll.

  This is useful if you want to find out which modules (DLLs)
  are used by some process,
  including ones absent from the import table but loaded using LoadLibrary.

  Use "hkit /process /mod" to show all processes and used modules.
  Use "hkit /process /mod far.exe" to show all modules for the process specified
  by pid or name.

  1.4. SFP enabling & disabling

  Here are two sets of instructions, which correspond to the enabled (original)
  and disabled (patched) SFP states.
  This code is located in 2K::SFC.DLL or XP::SFC_OS.DLL.

   --- ENABLED ---                          --- DISABLED ---

 re:
   xx xx xx xx xx                           68 E8 03 00 00   push 1000
   xx xx xx xx xx                           B8 00 00 00 00   mov eax, offset k32.Sleep()
   xx xx                                    FF D0            call eax
 waitcycle:
   6A 00              push 0                90 90            nop's
   6A 01              push 1                90 90            nop's
   6A 01              push 1                90 90            nop's
   FF 33              push [ebx]            90 90            nop's
   FF 73 04           push [ebx+4]          90 90 90         nop's
   FF 15 xx xx xx xx  call NtWaitForMultipleObjects           nop's
   xx xx                                    EB E1            jmp re

  As you can see, the patch is written in such a way that SFP can be enabled or
  disabled at any moment w/o risk of breaking normal sfc code execution.

  Use "hkit /process /sfpdisable" to disable sfp.
  Use "hkit /process /sfpenable" to enable sfp.
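  A detection-side companion to the listing above, added here and not part of
  HKIT: it scans a buffer of code bytes (for instance the SFC.DLL / SFC_OS.DLL
  code as read from the sfc process) for the DISABLED sequence, so an admin can
  tell whether the wait loop has been replaced by the Sleep loop. It assumes that
  the 6-byte NtWaitForMultipleObjects call is covered by six nops, which is what
  makes the jmp displacement (EB E1 = -31 bytes) land back on "push 1000".

```python
# Added example (not part of HKIT): integrity check for the SFC wait loop
# shown above. It scans a byte buffer (e.g. the code of SFC.DLL/SFC_OS.DLL
# read out of a process) for the DISABLED pattern; the imm32 of
# "mov eax, offset Sleep" is a wildcard. The original bytes marked xx are
# unknown, so only the patched form can be matched exactly.
from typing import List, Optional

# Assumption: the 6-byte "call NtWaitForMultipleObjects" is overwritten by six
# nops, which makes the listing self-consistent: EB E1 jumps back 31 bytes and
# 5 + 5 + 2 + (2+2+2+2+3+6) + 2 = 31.
DISABLED_PATTERN: List[Optional[int]] = (
    [0x68, 0xE8, 0x03, 0x00, 0x00]    # push 1000
    + [0xB8, None, None, None, None]  # mov eax, imm32 (wildcard)
    + [0xFF, 0xD0]                    # call eax
    + [0x90] * 17                     # nops over the wait-cycle pushes and call
    + [0xEB, 0xE1]                    # jmp re
)


def find_pattern(buf: bytes, pattern: List[Optional[int]]) -> List[int]:
    """Offsets in buf where pattern matches; None matches any byte."""
    n = len(pattern)
    return [off for off in range(len(buf) - n + 1)
            if all(p is None or buf[off + i] == p for i, p in enumerate(pattern))]


def sfp_patched(code: bytes) -> bool:
    """True if the Sleep-loop patch is present anywhere in code."""
    return bool(find_pattern(code, DISABLED_PATTERN))


# Constructed buffers: 0x77E3ABCD is a made-up stand-in for the Sleep address.
PATCHED = (b"\xcc" * 8
           + bytes([0x68, 0xE8, 0x03, 0x00, 0x00, 0xB8, 0xCD, 0xAB, 0xE3, 0x77, 0xFF, 0xD0])
           + b"\x90" * 17 + b"\xeb\xe1" + b"\xc3")
CLEAN = (b"\xcc" * 8 + b"\x6a\x00\x6a\x01\x6a\x01\xff\x33\xff\x73\x04"
         + b"\xff\x15\x00\x00\x00\x00" + b"\xc3")
```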

  1.5. Dumping process's memory contents

  Use "hkit /process /dump process.exe process.dmp" to
  dump all of a process's memory into a file.
  The process can be specified by pid or by name.

  The process dump file format consists of HEADER entries,
  each possibly followed by DATA entries.

  Header block has the following format:

  DWORD            0x11111111                    ; id
  DWORD            0x1C                          ; sizeof(mb)
  BYTE*sizeof(mb)  MEMORY_BASIC_INFORMATION mb   ; see WIN32.HLP for details

  Data block has the following format:

  DWORD            0x22222222                    ; id
  DWORD            va                            ; 4k-aligned
  DWORD            datasize                      ; 4k-aligned, max=64k
  BYTE*datasize    data                          ; dumped data
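  A reader for this dump format, added as an example (it is not HKIT code):
  it walks the HEADER and DATA blocks exactly as laid out above, checks the
  4k-alignment and 64k limit stated for data blocks, and refuses truncated
  files. The MEMORY_BASIC_INFORMATION field order is the 32-bit Win32 layout;
  the sample dump it builds is constructed data.

```python
# Added example (not HKIT code): a parser for the process dump format
# described above. All DWORDs are little-endian; the 0x1C-byte
# MEMORY_BASIC_INFORMATION is the 32-bit layout (seven DWORDs).
import struct
from typing import Iterator, Tuple

HEADER_ID, DATA_ID, MBI_SIZE = 0x11111111, 0x22222222, 0x1C
MBI_FMT = "<7I"
MBI_FIELDS = ("BaseAddress", "AllocationBase", "AllocationProtect",
              "RegionSize", "State", "Protect", "Type")


def iter_blocks(blob: bytes) -> Iterator[Tuple[str, dict]]:
    """Yield ("header", mbi_dict) / ("data", {va, size, data}) in file order."""
    off = 0
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError("truncated block at offset %d" % off)
        block_id, second = struct.unpack_from("<II", blob, off)
        if block_id == HEADER_ID:
            if second != MBI_SIZE or off + 8 + MBI_SIZE > len(blob):
                raise ValueError("bad header at offset %d" % off)
            mbi = struct.unpack_from(MBI_FMT, blob, off + 8)
            yield "header", dict(zip(MBI_FIELDS, mbi))
            off += 8 + MBI_SIZE
        elif block_id == DATA_ID:
            if off + 12 > len(blob):
                raise ValueError("truncated data block at offset %d" % off)
            (size,) = struct.unpack_from("<I", blob, off + 8)
            # va and datasize must be 4k-aligned and a block holds at most 64k
            if second & 0xFFF or size & 0xFFF or size > 0x10000:
                raise ValueError("data block at va %#x violates 4k/64k rules" % second)
            if off + 12 + size > len(blob):
                raise ValueError("truncated data for va %#x" % second)
            yield "data", {"va": second, "size": size, "data": blob[off + 12:off + 12 + size]}
            off += 12 + size
        else:
            raise ValueError("unknown block id %#x at offset %d" % (block_id, off))


def build_sample() -> bytes:
    """Constructed dump: one 8 KiB MEM_COMMIT|MEM_IMAGE region at 0x400000."""
    mbi = struct.pack(MBI_FMT, 0x400000, 0x400000, 0x80, 0x2000, 0x1000, 0x20, 0x1000000)
    data = b"MZ" + b"\x00" * (0x2000 - 2)
    return (struct.pack("<II", HEADER_ID, MBI_SIZE) + mbi
            + struct.pack("<III", DATA_ID, 0x400000, len(data)) + data)
```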

  1.6. Dumping physical memory

  The physical memory size can be found using the GlobalMemoryStatus() API.
  Physical memory can be mapped into virtual addresses using the
  NtMapViewOfSection() native function.

  Use "hkit /process /physmem memory.dmp" to dump physical memory into file.

  Physical memory dump file format is just a plain binary file
  containing physical pages.

  There is (probably) a bug, or feature, in cases where physical memory
  does not fit into the virtual address space. This should be fixed in the future.

  1.7. Kill & patch process

  Use "hkit /process /kill process.exe" to terminate some process, specified
  by pid or by name.

  Use "hkit /process /patch process.exe 00401234 CC C3" to
  insert some code at the specified address into some process,
  specified by pid or by name.
  This can help in cases when s-ice doesn't work properly.

  2. Service manager

  Use for example "hkit /service /create Fuck c:\winnt\system32\fuck.sys /auto"
  to register a service.
  Use "/createkd" instead to register a kernel driver.
  Use "hkit /service /start|stop|pause|continue|delete ServiceName" to control