home >> userland >> dwtf

dwtf v1.0 and its Features

TOP

dwtf creates a fake.dll from real.dll

Features:

1- It exports all symbols of real.dll (also Forwarder).

2- It imports all exports of real.dll (also Forwarder).

3- It creates an area code with a JMP DWORD [ADDRESS] for each export.

4- The exports of fake dll is assigned to a JMP area which jumps to original export of real.dll.

Working of dwtf v1.0

TOP

If you are making PEB HOOKING, when the APP calls to fake dll export it jumps to original export, everything works fine:
Before PEB HOOKING:
APP -> IAT OF APP -> REAL DLL EXPORT

After PEB HOOKING:
APP -> IAT OF APP -> FAKE DLL EXPORT -> IAT OF FAKE DLL -> REAL DLL EXPORT

---

You can add or remove payloads with any IAT HOOKING in the IAT of the fake dll:
APP -> IAT OF APP -> FAKE DLL EXPORT -> IAT OF FAKE DLL -> PAYLOAD STACK -> (or never) REAL DLL EXPORT

---

Syntax: dwtf.exe fake_dll real_dll

---

Example: dwtf.exe k32.dll c:\windows\system32\kernel32.dll

---

All .exes are in bin folder:
You can execute the: Generate fake kernel32.bat
This bat executes dwtf creating a fake kernel32.dll called k32.dll from c:\windows\system32\kernel32.dll

After, you can make a pebhooking executing: PEB hooking poc with fake kernel32.bat

IMPORTANT: You need the NETCAT for send commands to the console:
This bat inject a console.dll in the poc.exe process using InjectorDll.exe
This console listen by default in 127.0.0.1 1234, This console is the interface to do

PEB Hooking:
Next, the bat connect to 127.0.0.1 1234 using nc command (netcat)

In the console with netcat you can write:
pebhook kernel32.dll k32.dll
resume
exit
---

In this moment poc.exe is running and it is waiting a user enter:
poc.exe try creates files with two APIs of kernel32.dll: CreateFileW and CreateFileA
When you press enter all works fine (good lucky) and the process exits creating files.

In this scenario all works by this way:
poc.exe -> IAT of POC.EXE -> k32.dll (fake kernel32.dll) -> IAT of k32.dll -> kernel32.dll

Loading payloads dynamically:
For this scenario:
poc.exe -> IAT of POC.EXE -> k32.dll (fake kernel32.dll) -> IAT of k32.dll -> payload/s
Remember: You can add a payload stack with IAT HOOKING over IAT HOOKING ...
The payloads can calls to original kernel32.dll export.

You need:
Generate fake kernel32.bat
PEB hooking poc with fake kernel32.bat
command: pebhook kernel32.dll k32.dll

Add a payload for CreateFileW, inserting a iat hook in k32.dll:
Inject the dll:
InjectorDll.exe poc_dll.dll -p PID_OF_POC_EXE

In the POC.EXE you can see:
Creating files... press enter
DLL INJECTED! ADDR OF OwnCreateFileA: 0x70651030 < --- For EXAMPLE
It is the time of IAT hooking of CreateFileA of k32.dll to OwnCreateFileA of poc_dll.dll

Example of searching CreateFileA IAT ADDR in k32:
Using peview (google: download peview):
Search the oridinal of CreateFileA like this image:

*To zoom in - click the image*

Search IAT ADDR in k32 of CreateFileA like this image:

*To zoom in - click the image*

In the IMAGE the IAT ADDR is: 0x1000C1A6
Change the IAT to payload addr:
write_process_memory.exe PID_OF_POC_EXE 0x1000C1A6 0x70651030
0x70651030 is the addr of OwnCreateFileA of poc_dll.dll injected in POC.exe
In the console with netcat you can write:
resume
exit

Demo of dwtf v1.0

TOP


Download dwtf v1.0

TOP

Click the following to download:

Download dwtf v1.0

Credits for dwtf v1.0

TOP

dwtf 1.0 (MIT License) engine by Dreg, from evil fingers:

- making FULL dll (PEB/file) hooking more easy...
- Greetz: Lacon 2k9 Spain & Hispasec team.
- Note: Use with real DLLs, a lot of bugs in this version
contact me: dreg@fr33project.org

EvilFingers Arsenal




Socialize with RootkitAnalytics

Twitter Feed Blogspot

Links

Rootkits & Enterprise: Enterprise is a major victim to rootkits. What could rootkits do to them?[read more]

Rootkits & Home-users: Do home-users know the seriousness of rootkits? What should a home-user know about rootkits?[read more]

Rootkits & Information Warfare: What does the silent war of intelligence and national security, got to do with rootkit analysis?[read more]

Userland Rootkits: What should one know about userland rootkits?[read more]

Kernelland Rootkits: What should one know about kernelland rootkits?[read more]

ElfStat: ElfStat is a tool designed for detecting any kernel malware that modifies the text segment of the kernel in memory...[read more]

Syscall/Kernel function interception: This is a more stealth method of syscall hijacking without having to directly modify the syscall table; instead the first several bytes of the syscall are overwritten with a jump to the new code...[read more]

Syscall Interception: What should you know about Syscall interception by directly modifying the Syscall table?[read more]

KsiD [Kernel Symbol Interception Detection]: This tool is designed to detect kernel rootkits and kernel malware which hijack syscalls and kernel functions ...[read more]

IDT /dev/kmem rootkit method: This can be done using several methods including overwriting the first several bytes of the syscall with a jump to other code, or modifying the function pointers.[read more]

Hidden Process Detection: Hidden Process Detection [HPD] using Direct NT System Call Implemenation, PIDB (Process ID Bruteforce) method, CSRSS Process Handle Enumeration and other methods...[read more]

Hidden Registry Detection: Reason for Hiding the Registry Entries, Rootkit techniques to hide, and Detecting Hidden Registry Entries Using Direct NT System Call Method and Directly Reading Hives Method...[read more]

Hidden Service Detection: Hidden Rootkit Services Detection Methods...Enumerating Processes with 'NtControlPipe', Hook Bypass Method through Mapped Image, Services Enumerating Child Processes of Services.exe, Enumerating Services Registry Key...[read more]

Syscall Handler Checker [SHC]: This tool simply verifies whether or not the system call handler system_call() has been patched to call a phony sys_call_table. If a phony sys_call_table appears to be in use, a tool like elfstat can be used for further analysis...[read more]

Firmware Rootkits: Firmware is a small static code that runs on devices ranging from consumer electronics to anything that controls heavy machinery...[read more]

Hypervisor Rootkits: This comes under both firmware and hardware rootkits. The reason being, hypervisor is a virtual environment that runs on the hardware, but basically it is a firmware. Hence, we have drawn the line and dropped this rootkit in the firmware category of rootkits...[read more]

Publications: In this section, we are planning to list all the papers that we have published so far that are rootkit related.

Backdoor Ultimate Defender: In this paper (Backdoor.Win32.UltimateDefender.gtz - Reversing) we analyze install.exe that presents the typical structure of an Medium Evoluted Malware, with basical Obfuscated-Dummy Code...[read more]

Socialize: You could socialize with us by many ways...[read more]

About: Learn about rootkit analytics here...[read more]

Contact us: How can you reach us...[read more]

Our Team: Read more about the rootkit analytics team...[read more]

dwtf v1.0: dwtf is a DLL copying engine ... [read more]

Exploring ADS: Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which...[read more]

Installations [from RootkitAnalytics.com]

ToolsCount
~~~~~~~~~~~~~~~~~~~
Elfstat4210
dwtf3356
KsiD2891
SHC2164

NOTE: Our tools are listed in many sites and torrents, which makes it hard for us to track all downloads. Hence, we are listing only the total installations from our website.

Socialize with EvilFingers

Twitter Feed Blogspot LinkedIn Delicious Google

Tweets