Rootkit Creation and DLL Injection Techniques
What is a Rootkit?
Well, I think if you’re reading this, it’s because you already know what a rootkit is and you are interested in programming one. But for the clueless, just a quick clarification.
A rootkit, broadly speaking, is a tool that lets you hide things from the administrator of an information system: the processes running on the machine, established connections, files… Imagine the potential of such a tool: we can take full control of a system without the user knowing, if we want. We can store a 50 GB file on a server (which we accessed through techniques not discussed here) without the administrator noticing. The only limit is our imagination.
For those who want more information on rootkits and their types, consult Wikipedia.
2008 E0N Productions
How Can We Do This?
Here the manual starts to get a bit more serious: after outlining the technique we will use, we get to the important part, creating your rootkit.
The first concept that must be clear is that in order to modify the behavior of an executable, you have to be inside its memory space. For convenience we will use DLL injection; we could inject code without a DLL, but with one it is much more comfortable (hold on, when I give examples of each you will see what I mean).
Once we are inside the memory space of the target executable, we will be able to change its behavior, and API hooking will be our tool. Thanks to it, we can change what the program does when it calls certain APIs. As an example, we can make the task manager not show processes whose names start with a certain string, or make explorer.exe not display folders with a given name.
If the technique to follow is not very clear yet, do not worry; keep reading and you will see how it all starts to fit together.
DLL Injection
Introduction
Some may wonder why we would want to inject a DLL. The answer is simple. Thanks to API hooking, we can make a process that calls a given API actually call a function of our choosing. To do this we need to be in the memory space of that process; we cannot just JMP into the memory space of svchost, for example, xD.
As a final remark, DLL injection offers more ways to modify the memory of a process, such as bypassing the firewall (useful for Trojans) or making an unkillable process, to give a couple of examples. This is not discussed in this manual, but once you have learned to inject DLLs and understood the mechanism, just let your imagination fly a little.
Methods of Injection
Among injection methods we can distinguish two main groups: those that use a DLL and those that do not. For convenience, we will use a technique that requires a DLL.
This technique has the great advantage that we can write the DLL as if it were an ordinary executable, whereas if we try to inject without a DLL, the code gets considerably more complicated. As a disadvantage compared to other methods, it requires the DLL, but you can bind the DLL to the executable; that is not among the things I want to show in this tutorial. If you are curious, in issue three of the e-zine I publish, Insecurity, there is a tutorial on creating joiners in VB6, but if you only program in C or another language it will be hard to adapt.
Injection by CreateRemoteThread
This is one of the simplest methods of injecting a DLL and the most documented on the net; therefore it is also the most detected by antivirus and firewalls. But this manual is purely educational, so that is no problem… Anyway, if someone has a problem, you can always take a look at MazarD’s manual on DLL injection and dodge the firewall and antivirus (or use a little imagination and make this same method undetectable, which is not very difficult =P).
The aim of this method is simple: create a thread in the remote process and make that thread call the LoadLibrary API to load our DLL. Once the library is loaded, Windows automatically calls DllMain in our DLL, and from there we can make the process do whatever we want.
To implement this method we need some prior knowledge of a few APIs, which I will describe now.
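From the defender’s side, the footprint of this method is exactly what the paragraph above describes: a thread created in another process whose start address is LoadLibrary. Sysmon records that as Event ID 8 (CreateRemoteThread) with the fields SourceImage, TargetImage, StartModule and StartFunction. The following script is an added example, not code from the original manual, that scans such records exported as JSON lines; the sample records are constructed, and the field names are assumed to follow Sysmon’s documented names.

```python
"""Flag remote threads that start at LoadLibrary, the footprint of the
CreateRemoteThread + LoadLibrary injection described in the text.

Assumptions (not from the original manual): input is Sysmon Event ID 8
(CreateRemoteThread) records exported as JSON lines using the standard
field names SourceImage, TargetImage, StartModule, StartFunction, NewThreadId.
"""
import json
from typing import Iterable, List, Optional, Tuple

# Exports an injector passes as the remote thread's start address.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed sample records (not real captures): one LoadLibrary injection,
# one thread started outside any module, one benign same-process thread,
# and one unrelated event type.
SAMPLE_EVENTS = [
    r'{"EventID": 8, "SourceImage": "C:\\Users\\bob\\injector.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL", "StartFunction": "LoadLibraryA", "NewThreadId": 4120}',
    r'{"EventID": 8, "SourceImage": "C:\\Users\\bob\\loader.exe", "TargetImage": "C:\\Windows\\explorer.exe", "StartModule": "", "StartFunction": "", "NewThreadId": 5004}',
    r'{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\csrss.exe", "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart", "NewThreadId": 880}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}',
]

Finding = Tuple[str, str, str, str]  # (severity, source image, target image, reason)


def classify(event: dict) -> Optional[Finding]:
    """Return a finding for one Sysmon record, or None if nothing is suspicious."""
    if event.get("EventID") != 8:
        return None
    src = event.get("SourceImage", "")
    dst = event.get("TargetImage", "")
    if src.lower() == dst.lower():
        return None  # a process creating threads in itself is normal
    func = event.get("StartFunction", "")
    module = event.get("StartModule", "")
    if func in LOADLIBRARY_EXPORTS:
        # Exactly the sequence from the text: remote thread -> LoadLibrary -> DllMain
        return ("high", src, dst, f"remote thread starts at {func}: LoadLibrary DLL injection")
    if not module:
        # Start address resolves to no loaded module: code injected without a DLL
        return ("medium", src, dst, "remote thread starts outside any loaded module")
    return ("low", src, dst, f"cross-process thread starting at {func or 'unknown function'}")


def scan(lines: Iterable[str]) -> List[Finding]:
    """Parse JSON-lines Sysmon records and collect findings, skipping malformed lines."""
    findings: List[Finding] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort the whole scan
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for severity, src, dst, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {src} -> {dst}: {reason}")
```

The same-image exclusion matters in practice: legitimate processes create threads in themselves constantly, so only cross-process threads are worth looking at, and a start address inside kernel32’s LoadLibrary exports is the strongest signal for the method this chapter covers.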
Required APIs
To implement this injection we will use seven APIs in total. Below I describe them in detail, but if you want more detailed information (in English), you can find it in Microsoft’s MSDN.
OpenProcess: