Kernel Mode Ircbot - Adventures of the White Rabbit

tibbar: Kernel Mode Ircbot

by tibbar @ 2006-04-06 – 20:00:27

The world of malware and rootkits has evolved a lot over the last two years; the most significant developments have been in the sophistication of rootkits.

In case the term "rootkit" doesn't mean much, a rootkit is basically a program that subverts the operating system and allows the attacker to hide certain files and programs from the user. It usually will also provide a hidden backdoor into the system, and will hide network connections made through the backdoor from the user.

Windows rootkits have generally been split between "usermode" rootkits, which run as a normal application (or possibly as an injected dll), and "kernelmode" rootkits, which are actually device drivers running at the highest privilege level (ring 0).

Now generally, the kernel mode rootkits will hide files, hide network connections, and the most sophisticated ones will provide a kernel mode backdoor. This means all the functionality is held within a single driver (.sys file), and it is extremely difficult to detect whether one is installed on a machine.

However, the attacker will rarely be able to provide all the functionality they need purely in a driver, and still needs to rely on usermode applications for things like ftp servers, irc bots etc...

So I thought it would be interesting to see how hard it is to actually provide this part of the attacker's toolkit directly within the kernel mode driver.

One of the developers from rootkit.com called Valerino released a kernel mode socket library that allows you to create sockets from a kernel mode driver with reasonable ease. His post is here:
http://www.rootkit.com/newsread.php?newsid=416

I have used this library to create what I believe is the world's first kernel mode ircbot. It's extremely basic in its current form and will just join a channel and respond to its name. But it is a framework that can be built upon, and you could in theory write an extremely complex ircbot in this fashion.

Here's a screenshot of the Sysinternals app "DebugView" that allows you to see kernel messages. I have set the ircbot to output text received on irc into the debug messages:

As I have very limited time for development, I thought I would share this one with the world... the source lives at:

http://tibbar.gso.googlepages.com/KIrcBot.rar

and I have set this up in Visual Studio 2003. There are two build modes: usermode and kernelmode.

I essentially wrapped up the kernel socket functions Valerino wrote to conform with Berkeley sockets to some extent, which meant that the Irc bot can be compiled as a driver or as a usermode executable. The reason for doing this is that it is notoriously hard to develop kernel mode applications and the test process is very slow; by allowing usermode builds, the code can be perfected in usermode before beginning the kernel mode tests.

If you want to compile using the DDK, the batch file should be used.

Finally, if you want to support my releases, then I would be grateful if you could take some time to visit any sponsors on this page that are of interest to you.

Tibbar.

http://tibbar.blog.co.uk/2006/04/06/kernel_mode_ircbot~708256/ (1 of 10) [1/5/2010 3:59:40 PM]
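The bot described above only joins a channel and answers when its name is mentioned, and the post shows the raw IRC lines it receives. As an added example that is not part of the original post or the KIrcBot source, here is a small RFC 1459 line parser with the check a network monitor could run over captured IRC traffic to pick out exactly those events (plus the server PINGs any such client has to answer). The nick "kbot", the channel and the sample lines are constructed.

```c
/* Added example (not from the original post or the KIrcBot source): RFC 1459 line parser plus a monitor check. */
#include <stdio.h>
#include <string.h>
struct irc_msg {
    char prefix[64];  /* "nick!user@host" without the leading ':' */
    char command[16]; /* e.g. "JOIN", "PRIVMSG", "PING" */
    char target[64];  /* first middle parameter: "#chan" or a nick */
    char text[256];   /* trailing parameter (after " :"), if any */
};
/* Parse one line without its CRLF; returns 0 on success, -1 if malformed. */
int irc_parse(const char *line, struct irc_msg *m)
{
    const char *p = line, *sp, *tr;
    memset(m, 0, sizeof *m);
    if (*p == ':') {                                   /* optional prefix */
        if (!(sp = strchr(++p, ' '))) return -1;
        snprintf(m->prefix, sizeof m->prefix, "%.*s", (int)(sp - p), p);
        p = sp + 1;
    }
    sp = strchr(p, ' ');
    snprintf(m->command, sizeof m->command, "%.*s", sp ? (int)(sp - p) : (int)strlen(p), p);
    if (!m->command[0]) return -1;
    if (!sp) return 0;                                 /* no parameters */
    p = sp + 1;
    if (*p == ':') {                                   /* trailing parameter only */
        snprintf(m->text, sizeof m->text, "%s", p + 1);
        return 0;
    }
    tr = strstr(p, " :"); sp = strchr(p, ' ');        /* middle param ends at first space */
    snprintf(m->target, sizeof m->target, "%.*s", sp ? (int)(sp - p) : (int)strlen(p), p);
    if (tr) snprintf(m->text, sizeof m->text, "%s", tr + 2);
    return 0;
}
/* 1 = nick joined a channel, 2 = PRIVMSG mentions nick, 3 = server PING, 0 = uninteresting */
int irc_classify(const struct irc_msg *m, const char *nick)
{
    int from_nick = strncmp(m->prefix, nick, strlen(nick)) == 0 && m->prefix[strlen(nick)] == '!';
    if (strcmp(m->command, "PING") == 0) return 3;
    if (strcmp(m->command, "JOIN") == 0 && from_nick) return 1;
    if (strcmp(m->command, "PRIVMSG") == 0 && strstr(m->text, nick) != NULL) return 2;
    return 0;
}
int main(void)
{   /* constructed sample lines, not captured traffic; "kbot" is a made-up nick */
    const char *lines[] = { ":kbot!k@10.0.0.5 JOIN :#test", "PING :irc.example.net",
                            ":op!o@h PRIVMSG #test :hey kbot are you there" };
    struct irc_msg m;
    for (int i = 0; i < 3; i++)
        printf("%s -> class %d\n", lines[i], irc_parse(lines[i], &m) ? -1 : irc_classify(&m, "kbot"));
}
```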

25 Comments to Kernel Mode Ircbot


❍ Trackback from: http://www.lavasoft.de/wordpress/?p=73

Kernel mode IRC bot …


Today again, Jan, one of my colleagues here at Lavasoft pointed me to an article. This article
is based on this blog entry. Seemingly someone took the time to write a kernel-mode module
that communicates via IRC. Nothing really sophisticated, given th...


❍ SpannerITWks (Visitor)

❍ 2006-04-07 @ 13:44:07

Hi, Well this should quieten down those peeps who say RK's are not a real threat and we can all just ignore them. Here's more evidence - Malware Evolution: 2005, part two by Yury Mashevsky, Virus Analyst, Kaspersky Lab: "An average of 6 rootkits per month were detected in 2000, but by the end of 2005, Kaspersky Lab analysts were detecting 32 such programs a month. This almost quadruple increase is shown in the graph below:" "Throughout last year, kernel-mode rootkits gradually gained in popularity over user-mode rootkits" http://www.viruslist.com/en/analysis?pubid=182974451

Spanner

❍ Trackback from: http://www.greyhats.org/?2006/04/07/243-evolution-dans-le-monde-des-rootkits-pour-windows

Evolution in the world of Windows rootkits

Until now, kernel rootkits for Windows suffered from a major limitation: to communicate with the outside world, they had to go through a user-mode application. It was not possible for them to send, receive or listen...

❍ Panic (Visitor)

❍ http://www.egocrew.de

❍ 2006-04-07 @ 22:23:13

Nice article, I will now check your source. Well, this is the next generation, I guess....

❍ Steo (Visitor)

❍ http://www.antirootkit.com

❍ 2006-04-13 @ 18:26:11

Tibbar,
nice article. Will have a good look at it. Thanks,
regards
Steo.


■ Affeni Bort (Visitor)

■ 2008-02-21 @ 09:33:00

"Windows rootkits have been generally mixed between "usermode" rootkits - these are ones that run as a normal application (or possibly as an injected dll) and "kernelmode" rootkits, which are actually device drivers running at the highest priviledge level (ring 0)..."

"I essentially wrapped up the kernel socket functions Valerino wrote, to conform with Berkley sockets to some extent, which meant that the Irc bot can be compiled as a driver, or as a usermode executable. The reason for doing this, is that it is notoriously hard to develop buy cialis kernel mode applications and the test process is very slow - by allowing usermode builds, the code can be perfected in usermode, before beginning the kernel mode tests."

lol

❍ DefconHaya (Visitor)

❍ http://footmenfrenzy.blogspot.com/

❍ 2006-04-14 @ 13:48:47

Very interesting!
Let's just hope that kernel-mode RK's don't become so popular.

Good luck!

❍ Trackback from: http://www.c64allstars.de/ourBlog/?p=76

Kernel Mode IRCBot


A little bit older, but still very interesting is the blog entry of Tibbar concerning a Kernel Mode
IRCBot:
One of the developers from rootkit.com called Valerino released a kernel mode socket library,
that allows you to create sockets from a kernel mo...


❍ flykoo (Visitor)

❍ http://www.flykoo.com

❍ 2006-11-02 @ 17:14:12

Wow, thanks. Interesting article, good work!

Regards
flykoo


❍ airman (Visitor)

❍ http://cheapairfares.proboards86.com

❍ 2007-01-14 @ 12:16:33

Hey Tibbar! Thanks for useful info!


❍ mugg (Visitor)

❍ 2007-03-09 @ 22:05:59

What's up with the 'build -D KERNELMODE' line in the batch file. DDK no likey:

C:\VX\Rootkits\KernelIRCbot>build -nmake "-D KERNELMODE"
BUILD: Adding /Y to COPYCMD so xcopy ops won't hang.
BUILD: Object root set to: = objfre_wxp_x86
BUILD: Compile and Link for i386
BUILD: Computing Include file dependencies:
BUILD: Examining c:\kbot\kernelircbot directory for files to compile.
c:\kbot\kernelircbot - 4 source files (1,733 lines)
BUILD: Saving c:\winddk\3790\build.dat...
BUILD: Compiling c:\vx\rootkits\kernelircbot directory
NMAKE : U1073: don't know how to make 'KERNELMODE'
BUILD: nmake.exe failed - rc = 2
BUILD: Compile errors: not linking c:\kbot\kernelircbot directory
BUILD: Done

❍ Khamis (Visitor)

❍ http://to0.net/uae/games/

❍ 2007-03-30 @ 10:43:46

thank you


❍ xavier (Visitor)

❍ http://monguide.mine.nu


❍ 2007-04-02 @ 12:52:12

Here are related links:

http://www.google.com/search?hl=en&q=Windows+rootkits&btnG=Google+Search

Cheers


❍ Mike (Visitor)

❍ http://www.discount-cutlery.info

❍ 2007-06-10 @ 08:29:19

Cool site.


❍ Trackback from: http://www.usfreeads.com/889878-cls.html

Roulette Killer
Very cool Blog you have here, keep it up.

Thanks,
B


❍ prajith, from martial arts world (Visitor)

❍ http://www.worldofmartialart.com

❍ 2007-10-05 @ 11:22:55

nice article, fine.


❍ KVK (Visitor)

❍ http://kvk.110mb.com

❍ 2007-10-06 @ 11:54:37

Congratulations a good site!!! Thanks. Please try site with free online games and earn money
and prizes.


❍ F0rg3 (Visitor)

❍ 2007-10-13 @ 20:38:21

Stinky Spammers..they have no respect for privacy and content..shame shame..

Nice info..but i would like you to re-upload the source as it is no more available where you put
it..please kindly use rapidshare or megaupload and if you need an account ..pm me.ok?
Cheers


❍ Memozza (Visitor)

❍ http://fcoolpage1.bravehost.com

❍ 2007-11-07 @ 19:20:59

Very interesting page


❍ Martial Artist blogger (Visitor)

❍ http://www.worldofmartialart.com/martial_arts_blog/

❍ 2007-11-08 @ 02:55:37

Nice. Good Article and a lot of comments


❍ 東京 デリヘル (Visitor)

❍ http://www.fuzoku-annai1.com

❍ 2007-11-13 @ 01:37:05

Great site


❍ 大阪 デリヘル (Visitor)

❍ http://www.fuzoku-annai.com

❍ 2007-11-13 @ 01:38:21


Thank you


❍ An (Visitor)

❍ http://inacura.channelflow.org/

❍ 2007-12-15 @ 23:33:01

[...]The world of malware and rootkits has evolved a lot over the last two years, the most
significant developments have been in the sophistication of rootkits.[...]
daihatsu


❍ Maria (Visitor)

❍ http://music-collection.net

❍ 2007-12-18 @ 05:55:56

Thank U so much Admin.Nice article


❍ fanni (Visitor)

❍ http://www.my-batteries.co.uk

❍ 2008-03-07 @ 08:12:36

Very interesting! Will have a good look at it. Let's just hope that kernel-mode RK's don't become so popular.
Good luck
