Silent Running
So, being stealthy is somewhat trickier than you might think. Modern Linux spits out uniquely identifiable data about
your computer at regular intervals: Bluetooth, MAC addresses, the wireless SSIDs you like to connect to, DNS traffic. This is fine, except
when you are trying to be stealthy on a hostile network, or trying to ensure all your traffic is tunnelled. Thus, silent_running.py. I use it on Ubuntu Hardy, so it's currently only tested on that; feel free to send me patches for other systems.
Features
| Construction | Status | Availability | Links |
|---|---|---|---|
| Early 2k8 | Done, in use | src | source |
Dark Elevator
Most people have this idea that privesc on Win32 is ludicrously easy. For the most part that is true, but there aren't that many
tools that help you do it. Dark Elevator gives you a method for doing escalation without all the boring parts. Details are on the
separate project page.
| Construction | Status | Availability | Links |
|---|---|---|---|
| Late 2k7 | Working, in dev | src and bin | details |
DDefyM - Memory Antiforensics Rootkit
After doing DDefy for disk, it became pretty obvious that the solution that would be implemented was parsing an image of
memory, as was becoming popular at the time, to check for malicious code in memory such as DDefy. Of course, being live
forensics, it relied on trusting an untrusted kernel; once again no-one thought it was feasible, so I put my code where my
mouth was. Essentially the code is just a standard crap SSDT hook on ZwMapViewOfSection. There are better places to do it,
but it proves the point. I have lots of thoughts for this technique and how it could be implemented better, but nothing
except one commercial tool I know of resolves or detects it, so I haven't been motivated to update.
I talked about this stuff at Blackhat Japan. The code is available now, but it's not that interesting (unless you are
trying to hide malicious code from forensics dudes, that is).
Update Jun08: I'm considering releasing this with some updates due to some newfound interest in this stuff. I've fixed the link to the old source/binary. A warning: this code is pretty shockingly bad.
| Construction | Status | Availability | Links |
|---|---|---|---|
| Mid 2k6 | PoC, no current dev | src and binary | source |
DDefy - Disk Antiforensics Rootkit
DDefy was written in response to a bunch of forensics work I was doing for various companies. Due to the criticality of the servers,
we weren't allowed to take the machines offline, which led to live disk forensics. It occurred to me that this was an awful
idea, and research showed that while the technique was theoretically flawed, it was widely considered best practice. A couple
of vendors had the gall to state that creating a rootkit to mess with live disk forensics was impossible. I took it on as a
challenge to increase my Windows kernel fu and prove a point. The name comes from the tool it originally set out to defeat,
the commonly used Windows forensic version of dd. Turned out it defeated most
of the commercial tools such as FTK and ProDiscover (a couple of runs in a debugger make it pretty obvious the commercial tools
just copied George's code).
The code is an upper disk filter driver; it would probably be cleaner as an IRP hook, but this was a PoC, not a rootkit
technique demo. It intercepts disk reads just above the disk driver, translates the drive offset into something NTFS-meaningful, and hides
data based on file name. It's not that exciting, but it still hasn't been resolved in the commercial tools, still works, and is probably a nice sample of how to mess with NTFS for antiforensics manually. Sorry, no source release for this one; the code is awful, maybe I'll clean it up on a rainy day sometime soon.
| Construction | Status | Availability | Links |
|---|---|---|---|
| Early 2k6 | PoC | not released | presentation |
pwnsaver - Anti-Workmate Screen Saver
So, if you work in a workplace with malicious individuals such as I do, you will be familiar with the common practice of hijacking a fellow employee's workstation when he forgets to lock it, and sending emails to colleagues, girlfriends and bosses confessing your undying love, coming out, or stating unlikely sexual preferences. I decided to reverse the game and put this together in a couple of hours one Friday arvo. It's a Windows screensaver, written in .NET, that lets you specify a picture of your desktop, which appears as if you are logged in. If someone tries to type or move your mouse, it displays a separate series of pictures of your choosing. People have been known to have been goatsed via this method in retribution for past sins.

| Construction | Status | Availability | Links |
|---|---|---|---|
| Early 2k6 | Finished | src and bin | source |
cidspoof - CID Spoofing Script for Asterisk
Cidspoof is just a quick Asterisk script for setting up an Asterisk box with an FXO card as a gateway. I use it so I can spoof my
caller ID when I'm on the town. I use my mobile to call home to my Asterisk box, which answers, asks for a PIN, asks me what I want
my caller ID to be, then asks what number I want to call. It's pretty handy; calling mates from their girlfriend's number when they're
flirting with another chick is always fun. This requires a VoIP service that gives you the ability to spoof CID, such as VoipJet. All these scripts do is walk you through the prompts and join the calls.
| Construction | Status | Availability | Links |
|---|---|---|---|
| 2k5 | Finished | src | source |
