#1
IAT patching lame-rootkit with s/c
download:hxxp://www.cybertech.net/~sh0ksh0k/projects/
info:

Hooking tools:
* tinjectdll (Windows)
  Does DLL injection on a live process
  Use with: BasicHookDLL or HeapHookDLL
  Depends on: stoolkit.lib, win32toolkit.lib, x64dis.lib, x86hook.lib, cpu.lib
* thookproc (Windows)
  Starts a new process and injects DLL while process is still suspended
  Use with: BasicHookDLL or HeapHookDLL
  Depends on: stoolkit.lib, win32toolkit.lib, x64dis.lib, x86hook.lib, cpu.lib
* BasicHookDLL (Windows)
  DLL injected via thookproc or tinjectdll
  It will establish communication back to thookproc or tinjectdll and is able to log to the console, a file, or using OutputDebugString (viewable via tools like DbgView from SysInternals)
  Depends on: stoolkit.lib, win32toolkit.lib, x64dis.lib, x86hook.lib, cpu.lib
* HeapHookDLL (Windows)
  DLL injected via thookproc or tinjectdll
  It does what BasicHookDLL does, plus it hooks RtlAllocateHeap and RtlFreeHeap
  Depends on: stoolkit.lib, win32toolkit.lib, x64dis.lib, x86hook.lib, cpu.lib
* dotNetHook
  Inject MSIL bytecode into a .NET assembly
  Does not work against assemblies that are signed or using native bytecode
  This hasn't been maintained since 2002, so it probably doesn't work with new .NET frameworks
  Depends on: none

Reverse engineering tools:
* tdepends
  Automated PE import/export discovery (e.g., used for automated searching)
  Used to:
  1. Find all DLLs exporting a certain function
  2. Find all executables importing a certain DLL
  3. Find all executables importing a certain function from a certain DLL
  Can also handle delayed imports and forwarded exports (e.g., forwarders)
* tdisasm (Windows--should work on Linux)
  Frontend to x64dis (16/32/64-bit x86 disassembler that supports the full IA32/x64 instruction set)
  Input source can be hex strings, hex files, binary files, base64 file, C source file, etc.
  Depends on: stoolkit.lib, x64dis.lib
* tcodetrace (Windows)
  Single-step tracer... allows tracing through code on-the-fly (e.g., tcodetrace -x "90 cc")
  Depends on: stoolkit.lib, x64dis.lib
* tcodeparse (Windows--should work on Linux)
  A minimal C parser that extracts C variables from C source code and saves them as binary files.
* dumpcpu
  Dumps x86 structures (LDT, GDT, IDT, etc.) on Windows

File/Text tools:
* tline (Windows and Linux)
  Combines functionality of the Unix tools wc, sort, and uniq in one
  Depends on: stoolkit.lib
* tfind (Windows and Linux)
  An advanced file find that supports perl regex (greedy and ungreedy) and GNU regex matching
  Depends on: stoolkit.lib
* tgrep (Windows and Linux)
  An advanced grep that supports perl regex (greedy and ungreedy) and GNU regex searching within a text file or multiple text files (combines Unix find and grep tools)
  Depends on: stoolkit.lib

Binary extraction tools:
* tbase64 (Windows--should work on Linux)
  Encode/decode base64
  Depends on: stoolkit.lib
* tuuencode (Windows--should work on Linux)
  uuencode/uudecode
  Depends on: stoolkit.lib
* thexdump (Windows--should work on Linux)
  Supports hexdump in 1, 2, 4 and 8 byte chunks
  Depends on: stoolkit.lib

Networking tools:
* PortRedirect (Windows and Linux)
  TCP/UDP port redirector
  Depends on: none
* enc2alnum (Windows--should work on Linux)
  Not networking per se, but used for generating polymorphic alphanumeric shellcode, intended for network exploits that have a very narrow input filter--alphanumeric characters are usually allowed through such filters without any trouble.
  Depends on: none

Kernel tools:
* ObjProfiler
  Proof-of-concept Windows kernel driver for hooking the callback of executive object types.

Base libraries:
* stoolkit (Windows--should work on Linux)
  General purpose C utilities like graph, hash table, linked list, priority queue, efficient search, efficient sort, etc. implementation
* win32toolkit (Windows)
  Depends on: stoolkit.lib, cpu.lib
  A lot of useful Win32 specific functions like finding the name of a process, finding loaded modules, security ACLs, mapping physical memory, etc.
* cpu (Windows)
  Depends on: stoolkit.lib
  Useful functions for x86 (e.g., dump context, task/interrupt/call gates, etc.)
* x64dis (Windows--should work on Linux)
  Depends on: stoolkit.lib, cpu.lib
  A 16, 32, and 64-bit x86 disassembler that supports the full IA32/x64 instruction set (SSE/SSE2/SSE3/3DNow/FPU/etc)
* x86hook (Windows--should work on Linux)
  Depends on: stoolkit.lib, x64dis.lib, win32toolkit.lib, cpu.lib
#2
strange words in readme.txt:
niu2bi1 hou2zi, wo3 ai4 ni3!
#3
Quote: