FU-Rootkit

From aldeid
Jump to: navigation, search

Description

Fu is one of the most widely utilized rootkits in the wild. Other malware, such as rbot and sdbot variants, have used its features to hide themselves. Fu is a kernel-mode rootkit that modifies kernel data structures, which allows it to hide e.g. processes.

fu.exe and msdirectx.sys work as one. fu.exe passes down parameters as IOCTL's to the msdirectx.sys driver. As such, once the driver is loaded, you do not need any special privilege to run fu.exe. msdirectx.sys is the driver and does all the work of fu.exe. The driver is never unloaded until reboot.

Installation

Usage

Syntax

Usage: fu.exe [options]

Options

-pl <#number>
to list the first #number of processes
-ph <#PID>
to hide the process with #PID
-pld
to list the named drivers in DbgView
-phd <DRIVER_NAME>
to hide the named driver
-pas <#PID>
to set the AUTH_ID to SYSTEM on process #PID
-prl
to list the available privileges
-prs <#PID> <#privilege_name>
to set privileges on process #PID
-pss <#PID> <#account_name>
to add #account_name SID to process #PID token

Examples

List processes

Fu-rootkit-list-processes.png

Hide process

In the below screenshot, we have hidden process 1272 (-ph 1272). As shown by the tasklist command, calc.exe does not appear anymore though the GUI is still active.

Fu-rootkit-hide-process.png

List privileges

C:\FU>fu -prl
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeSyncAgentPrivilege
SeEnableDelegationPrivilege

Comments

blog comments powered by Disqus