fengjixuchui / n00bk1t Goto Github PK

NOTE: I am not the author of n00bk1t.

n00bk1t
-------

0x01 About
----------

n00bk1t is a user-mode (ring3) rootkit. It is very similar to hxdef but it's written 
completely in C (well, 99% of it). It has the ability to hide processes/files/regkeys/
ports/services/.... It also logs windows login (local,via TS and runas) information and
ftp/pop3 (plain/ssl) password(s). It's not perfect but it fool's alot of users ;)

0x02. Configuration
-------------------

n00bk1t uses string resources instead of a configuration file. This leaves us with one file.
Resources are easily editted with a resource editor like PE Explorer or ResHacker. 
That's why i advise you to use a packer/crypter on the final exe. ;)
Multiple configuration items in one string must be delimited by ; (fe. root.exe;shit.exe)
For ports you can use ranges, fe. 1001-1050;666;10-20.
Space regkey contains a string value in the form of "DISK"="SPACE_TO_HIDE_IN_BYTES", 
fe. "C"="100000000". (you can use 64-bit numbers). 
Regkey must start with: \\Registry fe. \\Registry\\Machine\\Test

String values:

String 01 -> Root process(es)
String 02 -> Hidden process(es)
String 03 -> Hidden driver(s)
String 04 -> Hidden file(s)/directory(-ies)
String 05 -> Hidden local tcp port(s)
String 06 -> Hidden remote tcp port(s)
String 07 -> Hidden udp port(s)
String 08 -> Hidden regkey(s)
String 09 -> Hidden regkey value(s)
String 10 -> Hidden service(s)
String 11 -> Hidden space regkey
String 12 -> Login/ftp/smtp/pop3... logfile
String 13 -> Run as service ? (0=No/1=Yes)
String 14 -> Service name
String 15 -> Service display name
String 16 -> Service description
String 17 -> Shell name (unused for now)

0x03 Usage:
-----------

If you set String 13 to 1, n00bk1t wil try to install and start itselfs as a service. If that fails
or String 13 is set to 0, n00bk1t will run as a normal process.

Parameters:
-ui: uninstall, unstable (does not delete service)
-ud: update (you can edit the resources and then perform an update)

0x04. Thanks to:
----------------
 
 - Holy Father, creator of hxdef. RIP
 - z0mbie, creator of a lots of things, i'm using his LDE 1.05, thx dude, wherever you are ;)
 - Greg & Jamie, the guys from rootkit.com, and not to forget the rootkit.com community !
 - Agner Fog, creator of the random c lib i use
 - Ratter, also creator of a lots of thing, i thank him for his work on the lsalogonuser hook ;)
 - Einstein, for his work on the raw registry stuff
 - PE386, for the blacklight file hiding idea