n00bk1t


Upload: dhoorjati-vommi

Post on 20-Jan-2016


n00bk1t
-------

0x01 About
----------
n00bk1t is a user-mode (ring3) rootkit. It is very similar to hxdef, but it is written completely in C (well, 99% of it). It has the ability to hide processes/files/regkeys/ports/services/.... It also logs Windows login information (local, via TS and runas) and ftp/pop3 (plain/ssl) passwords. It's not perfect, but it fools a lot of users ;)

0x02 Configuration
------------------
n00bk1t uses string resources instead of a configuration file. This leaves us with one file. Resources are easily edited with a resource editor like PE Explorer or ResHacker. That's why I advise you to use a packer/crypter on the final exe. ;)

Multiple configuration items in one string must be delimited by ; (e.g. root.exe;shit.exe).
For ports you can use ranges, e.g. 1001-1050;666;10-20.
The space regkey contains a string value in the form "DISK"="SPACE_TO_HIDE_IN_BYTES", e.g. "C"="100000000" (you can use 64-bit numbers).
A regkey must start with \\Registry, e.g. \\Registry\\Machine\\Test.

String values:

String 01 -> Root process(es)
String 02 -> Hidden process(es)
String 03 -> Hidden driver(s)
String 04 -> Hidden file(s)/directory(-ies)
String 05 -> Hidden local tcp port(s)
String 06 -> Hidden remote tcp port(s)
String 07 -> Hidden udp port(s)
String 08 -> Hidden regkey(s)
String 09 -> Hidden regkey value(s)
String 10 -> Hidden service(s)
String 11 -> Hidden space regkey
String 12 -> Login/ftp/smtp/pop3... logfile
String 13 -> Run as service? (0=No/1=Yes)
String 14 -> Service name
String 15 -> Service display name
String 16 -> Service description
String 17 -> Shell name (unused for now)

0x03 Usage
----------
If you set String 13 to 1, n00bk1t will try to install and start itself as a service. If that fails, or String 13 is set to 0, n00bk1t will run as a normal process.

Parameters:
-ui: uninstall, unstable (does not delete the service)
-ud: update (you can edit the resources and then perform an update)

0x04 Thanks to
--------------
- Holy Father, creator of hxdef. RIP
- z0mbie, creator of a lot of things; I'm using his LDE 1.05. Thx dude, wherever you are ;)
- Greg & Jamie, the guys from rootkit.com, and not to forget the rootkit.com community!
- Agner Fog, creator of the random C lib I use
- Ratter, also creator of a lot of things; I thank him for his work on the lsalogonuser hook ;)
- Einstein, for his work on the raw registry stuff
- PE386, for the blacklight file hiding idea