Exetools  

#1 04-07-2006, 21:16
taos (The Art Of Silence)
Join Date: Aug 2004
Location: In front of my screen
Posts: 580
IAT patching lame-rootkit with s/c

download:hxxp://www.cybertech.net/~sh0ksh0k/projects/


info:
Hooking tools:
* tinjectdll (Windows)
Does DLL injection on a live process
Use with: BasicHookDLL or HeapHookDLL
Depends on: stoolkit.lib, win32toolkit.lib, x64dis.lib, x86hook.lib, cpu.lib
* thookproc (Windows)
Starts a new process and injects DLL while process is still suspended
Use with: BasicHookDLL or HeapHookDLL
Depends on: stoolkit.lib, win32toolkit.lib, x64dis.lib, x86hook.lib, cpu.lib
* BasicHookDLL (Windows)
DLL injected via thookproc or tinjectdll
It will establish communication back to thookproc or tinjectdll and is able to log to the console, a file, or using OutputDebugString (viewable via tools like DbgView from SysInternals)
Depends on: stoolkit.lib, win32toolkit.lib, x64dis.lib, x86hook.lib, cpu.lib
* HeapHookDLL (Windows)
DLL injected via thookproc or tinjectdll
It does what BasicHookDLL does, plus it hooks RtlAllocateHeap and RtlFreeHeap
Depends on: stoolkit.lib, win32toolkit.lib, x64dis.lib, x86hook.lib, cpu.lib
* dotNetHook
Inject MSIL bytecode into a .NET assembly
Does not work against assemblies that are signed or using native bytecode
This hasn't been maintained since 2002, so it probably doesn't work with new .NET frameworks
Depends on: none

Reverse engineering tools:
* tdepends
Automated PE import/export discovery (e.g., used for automated searching)
Used to:
1. Find all DLLs exporting a certain function
2. Find all executables importing a certain DLL
3. Find all executables importing a certain function from a certain DLL
Can also handle delayed imports and forwarded exports (e.g., forwarders)
* tdisasm (Windows--should work on Linux)
Frontend to x64dis (16/32/64-bit x86 disassembler that supports the full IA32/x64 instruction set)
Input source can be hex strings, hex files, binary files, base64 file, C source file, etc.
Depends on: stoolkit.lib, x64dis.lib
* tcodetrace (Windows)
Single-step tracer... allows tracing through code on-the-fly (e.g., tcodetrace -x "90 cc")
Depends on: stoolkit.lib, x64dis.lib
* tcodeparse (Windows--should work on Linux)
A minimal C parser that extracts C variables from C source code and saves them as binary files.
* dumpcpu
Dumps x86 structures (LDT, GDT, IDT, etc.) on Windows

File/Text tools:
* tline (Windows and Linux)
Combines functionality of the Unix tools wc, sort, and uniq in one
Depends on: stoolkit.lib
* tfind (Windows and Linux)
An advanced file find that supports perl regex (greedy and ungreedy) and GNU regex matching
Depends on: stoolkit.lib
* tgrep (Windows and Linux)
An advanced grep that supports perl regex (greedy and ungreedy) and GNU regex searching within a text file or multiple text files (combines Unix find and grep tools)
Depends on: stoolkit.lib

Binary extraction tools:
* tbase64 (Windows--should work on Linux)
Encode/decode base64
Depends on: stoolkit.lib
* tuuencode (Windows--should work on Linux)
uuencode/uudecode
Depends on: stoolkit.lib
* thexdump (Windows--should work on Linux)
Supports hexdump in 1, 2, 4 and 8 byte chunks
Depends on: stoolkit.lib

Networking tools:
* PortRedirect (Windows and Linux)
TCP/UDP port redirector
Depends on: none
* enc2alnum (Windows--should work on Linux)
Not networking per se, but used for generating polymorphic alphanumeric shellcode, intended for network exploits that have a very narrow input filter; alphanumeric characters are usually allowed through such filters without any trouble.
Depends on: none

Kernel tools:
* ObjProfiler
Proof-of-concept Windows kernel driver for hooking the callback of executive object types.

Base libraries:
* stoolkit (Windows--should work on Linux)
General purpose C utility implementations: graph, hash table, linked list, priority queue, efficient search, efficient sort, etc.
* win32toolkit (Windows)
Depends on: stoolkit.lib, cpu.lib
A lot of useful Win32 specific functions like finding the name of a process, finding loaded modules, security ACLs, mapping physical memory, etc.
* cpu (Windows)
Depends on: stoolkit.lib
Useful functions for x86 (e.g., dump context, task/interrupt/call gates, etc.)
* x64dis (Windows--should work on Linux)
Depends on: stoolkit.lib, cpu.lib
A 16, 32, and 64-bit x86 disassembler that supports the full IA32/x64 instruction set (SSE/SSE2/SSE3/3DNow/FPU/etc)
* x86hook (Windows--should work on Linux)
Depends on: stoolkit.lib, x64dis.lib, win32toolkit.lib, cpu.lib
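The thexdump entry above only says it dumps in 1, 2, 4 and 8 byte chunks. The following is an added example, not code from the toolkit or from this post, showing what that chunking buys you: each group is decoded little-endian, so a 4-byte group of an IAT slot or pointer prints as the value the CPU would load rather than as reversed raw bytes. The function names and the sample bytes are my own.

```python
# Added example (not part of the toolkit described in the post): a hexdump that
# groups bytes into 1-, 2-, 4- or 8-byte little-endian words, the way a
# chunked dump lets you read x86 values (pointers, IAT entries) at a glance.

def hexdump(data: bytes, chunk: int = 1, width: int = 16) -> str:
    """Return a hexdump of `data`, `width` bytes per row, grouped in `chunk`-byte words.

    Each group is decoded little-endian, so a 4-byte group holding a pointer
    prints as the pointer value, not as its byte-reversed memory image.
    """
    if chunk not in (1, 2, 4, 8):
        raise ValueError("chunk must be 1, 2, 4 or 8")
    if width % chunk:
        raise ValueError("width must be a multiple of chunk")

    # Width of the hex column for a full row, so the ASCII column lines up.
    col_width = (width // chunk) * (chunk * 2 + 1) - 1
    rows = []
    for off in range(0, len(data), width):
        row = data[off:off + width]
        words = []
        for i in range(0, len(row), chunk):
            piece = row[i:i + chunk]
            value = int.from_bytes(piece, "little")
            # A short trailing group (input length not a multiple of chunk)
            # keeps its real width instead of being zero-padded to a full word.
            words.append(f"{value:0{len(piece) * 2}x}")
        hex_col = " ".join(words)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
        rows.append(f"{off:08x}  {hex_col:<{col_width}}  |{text}|")
    return "\n".join(rows)


def dump_words(data: bytes, chunk: int = 4) -> list:
    """Return the little-endian integer value of each `chunk`-byte group in `data`."""
    return [int.from_bytes(data[i:i + chunk], "little")
            for i in range(0, len(data), chunk)]


if __name__ == "__main__":
    # Constructed sample: a NOP, an INT3, then bytes that read as 0x12345678
    # once grouped as a little-endian dword.
    sample = b"\x90\xcc\x01\x02\x78\x56\x34\x12"
    for c in (1, 2, 4, 8):
        print(f"--- chunk={c}")
        print(hexdump(sample, chunk=c))
```

Running the script prints the same eight bytes four times; the 4-byte view is the one you would compare against an address seen in a debugger, since it already has the byte order the CPU applies.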
#2 04-10-2006, 11:17
heXer (Friend)
Join Date: Aug 2005
Posts: 25
strange words in readme.txt:
niu2bi1 hou2zi, wo3 ai4 ni3!
#3 04-11-2006, 02:01
stephenteh
Posts: n/a
Quote:
Originally Posted by heXer
strange words in readme.txt:
niu2bi1 hou2zi, wo3 ai4 ni3!
That should be Chinese "han yu pin yin"....
All times are GMT +8.