Name: Agony ring0 rootkit
Author: Intox
Compiler: C++
Description: from the readme
A. Before starting
We all know that some security applications aren't compatible with each other; there may be conflicts between them. For instance, installing two different recent firewalls isn't recommended.
Why? Because those tools hook native APIs at kernel mode level (on the SSDT), and when two tools want to hook the same API, there is a conflict. By starting and stopping them, we can easily provoke a blue screen.
As said above, this tool can conflict with some security tools, like Process Guard.
So I advise you to read the readme before you use it, and at least to look at how to uninstall it.
I. THE TOOL
1.1 What use is it?
Agony is a rootkit for Windows 2000 and later, able to falsify data returned by the Windows APIs. It can make files and applications invisible on a Windows system.
1.2 Why "Agony"?
Why not?
1.3 Ring what?
Under Windows, applications run in 2 modes: ring3 and ring0, also called respectively user mode and kernel mode. Kernel mode is a lower (more privileged) level than user mode, which is the one you usually run under. That means that all the calls made from user mode go through the kernel to be executed.
The point of a kernel mode rootkit is that security tools working in user mode will not notice anything.
1.4 How is it made?
It is fully coded in C. The rootkit is made of 2 parts: the driver, which runs in kernel mode, and the .exe, which runs in user mode; it installs the driver and sends it commands.
Compile the driver with the DDK, and the .exe with any compiler (including some kernel libraries). I made it with Dev-C++.
1.5 Cool! This can be useful
This tool was created in order to familiarize myself with ring0. It's for educational purposes, and that's why it's open source.
You will be the only one responsible for the use you make of it. In other words, use it at your own risk; I also decline any responsibility for hardware or software damage.
II. THE OPTIONS
Launch the program without arguments to view a short description of Agony's features.
Be aware, before using them, that this tool is case sensitive.
For instance: agony -p opera.exe will NOT hide the Opera.exe process.
Also note that you have to use quotes to hide objects with spaces in their names.
2.1 Hide a process
cmdline: agony -p process_name.exe
All processes named "process_name.exe" will be hidden.
Note that agony doesn't prevent access to this process, it just hides it from the listing APIs.
Example: you can still kill this process with its PID, even hidden.
2.2 Hide a dir/file
cmdline: Agony -f dir_or_file_name
The hidden file/dir will not be shown in file listings either (e.g. Explorer).
The contents of a hidden dir will not appear in Windows search, even if they are not hidden themselves. You can still access a hidden dir if you know the path:
For example, you can access C:\hidden_dir after an "agony -f hidden_dir", just by typing "C:\hidden_dir" in the Explorer address bar.
All files/dirs with the same name will be hidden, so don't try to hide a file named "system32".
2.3 Hide a reg key/value
Agony can falsify the registry.
cmdline: agony -k reg_key: hide a reg key
agony -v reg_value: hide a reg value (wow, seriously?)
Once again, only the listings are falsified; the keys/values remain accessible.
For example: if you create a value "hide this shit" with data "C:\start.exe" in the Windows\CurrentVersion\Run registry key, you can hide it by launching agony -v "hide this shit". C:\start.exe will still be launched at startup.
2.4 Hide a TCP/UDP connection
w00t, you can hide connections <8-)
cmdline: agony -tcp num_port.
agony -udp num_port.
You can use tools like fport to see which ports are opened by an application you want to hide, and then use agony to hide them.
2.5 Hide a service
cmdline: agony -s service_name.
Be aware that service_name is the registered name of the service, not the display name shown by the SC manager.
Here it works a little differently: we have to fetch the list of services in the services.exe process memory to find the service to hide, and hide it there.
Hidden services will not be accessible anymore.
2.6 Falsify the remaining disk space
The -space option allows you to falsify the remaining disk space on a volume.
If you have 300 MB free on the C:\, D:\ and E:\ volumes, and you launch:
cmdline: agony -space C:500 D:1000 E:3000
Windows will tell you that you have 800 MB free on C:\, 1300 on D:\ and 3300 on E:\.
w00t, isn't it? You can now hide your 30 GB of pr0n.
If you launch "agony -space C:500" and then "agony -space C:800", only 800 MB will be added to the real remaining disk space (the second value replaces the first, they don't add up).
2.7 Survive a reboot
The -r option allows agony to survive a reboot.
Any cmdline containing the -r option will be re-launched when the computer starts.
"agony -p backdoor.exe -f backdoor.exe -space C:500 -s backdoor -tcp 88 -udp 5900 -v launchBackdoor -r" will, on startup:
- hide the backdoor.exe process
- hide the backdoor.exe file
- add 500 MB to the remaining disk space of the C:\ volume
- hide the "backdoor" service
- hide connections on TCP port 88 and UDP port 5900
- hide the launchBackdoor reg value
2.8 Stop Agony
To stop Agony: agony -stop
This command stops all agony activity, uninstalls the service, and cleans the registry and some agony files.
You can also stop agony with this cmdline:
sc delete agony (if you didn't hide the agony service).
Then you must delete, in HKLM\Software\Microsoft\Active Setup\Installed Components, the following subkeys (if they exist):
{232f4e3f2-bab8-11d0-97b9-00c04f98bcb9}
{256dc5e0e-7c46-11d3-b5bf-0000f8695621}
You can also delete the .sys file and reboot.
But the cleanest way is to use the -stop option.
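A check from the defender's side, added here as an example (it is not Agony's own code, nor from its author), in the shell such cleanup is typed into. The readme says a hidden process stays reachable by its PID and a hidden key stays reachable by its path; only the listing APIs are falsified. That gap is what a cross-view check uses: probe every PID directly with OpenProcess and compare against what Get-Process enumerates, then open the removal indicators the readme lists (the agony service, the two Active Setup subkeys, copied as written) by their exact paths. The PID ceiling and the HKLM\SYSTEM\CurrentControlSet\Services\agony key are my assumptions, not from the readme.

```powershell
# Added example, not part of Agony. Run from PowerShell on the machine you are inspecting.

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'AgonyCheck' -PassThru

$PROCESS_QUERY_INFORMATION = 0x0400   # works on Windows 2000/XP as well as later versions
$ERROR_ACCESS_DENIED       = 5

function Get-ProbedProcessIds {
    # Ask for each candidate PID directly instead of enumerating. A hook that only
    # filters the process listing (what the readme describes) does not sit on this
    # path: an open handle, or an access-denied error, both mean the PID exists.
    param([int]$MaxPid)
    $found = New-Object 'System.Collections.Generic.List[int]'
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {   # PIDs are multiples of 4
        $h = $Kernel32::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$candidate)
        if ($h -ne [IntPtr]::Zero) {
            [void]$Kernel32::CloseHandle($h)
            $found.Add($candidate)
        } elseif ([System.Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
            $found.Add($candidate)    # exists, we just may not open it
        }
    }
    return $found
}

function Find-HiddenProcesses {
    # PIDs that answer to OpenProcess but are absent from the normal listing.
    # The 262140 ceiling is an assumption; raise it on busy systems with large PIDs.
    param([int]$MaxPid = 262140)
    $listed = @{}
    foreach ($id in (Get-Process | Select-Object -ExpandProperty Id)) { $listed[$id] = $true }
    $probed = Get-ProbedProcessIds -MaxPid $MaxPid
    return $probed | Where-Object { -not $listed.ContainsKey($_) }
}

function Test-AgonyIndicators {
    # Indicators taken from the readme's manual-removal steps. Test-Path opens each
    # key directly, so a hook that only filters enumeration does not hide it.
    $activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $componentIds = @('{232f4e3f2-bab8-11d0-97b9-00c04f98bcb9}',
                      '{256dc5e0e-7c46-11d3-b5bf-0000f8695621}')
    $hits = @()
    foreach ($id in $componentIds) {
        if (Test-Path -LiteralPath (Join-Path $activeSetup $id)) { $hits += "ActiveSetup:$id" }
    }
    # Every installed service has a key here (assumed name 'agony', matching 'sc delete agony').
    if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\agony') { $hits += 'ServicesKey:agony' }
    # SCM view; this one can be blanked by -s agony, which is why the key above is checked too.
    if (Get-Service -Name 'agony' -ErrorAction SilentlyContinue) { $hits += 'SCM:agony' }
    return $hits
}

$hidden = Find-HiddenProcesses
if ($hidden) { "PIDs present but missing from the process list: $($hidden -join ', ')" }
else         { "No listing/probe mismatch." }

$indicators = Test-AgonyIndicators
if ($indicators) { "Agony indicators present: $($indicators -join ', ')" }
else             { "No Agony indicators found." }
```

A process that starts or exits between the Get-Process snapshot and the probe loop shows up as a one-off mismatch, so confirm any hit by running the check a second time before treating it as a hidden process.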
III. Next versions
I don't think I will continue this rootkit (maybe for private releases).
If you find a bug in my code, you can send me a mail at Intox7@gmail.com; I'll fix it as soon as I can.
Those who want to continue the tool can start from my code.
A little TODO:
- find a better startup method (start as SERVICE_BOOT_START or SERVICE_SYSTEM_START)
- hide VOLUME.INI files better (in System Volume Information, for example)
- options to hide objects from a specified path only
- create a hidden directory whose size is recalculated every X sec, to falsify disk space better
- etc.
IV. Greetz & Shoutz
Greetz:
Lots of people to thank, first:
- holy_father: for his great hookX tuts and his good article (in Phrack)
- i.m.weasel: for his method to hide services
- jiurl: for his article about connection hiding
- Greg Hoglund: for his nice tips about MDL flags
my beta-testers:
karate, jhd, pikk_poket, Lord.
And :
Ivanlef0u, akcom, Bigbang, Mattwood, Tolwin, ... (and a lot that i forget)
Community:
- rootkit.com: really great community (80% of my documentation)
- osronline: indispensable for driver coders
- spiritofhack.net & undergroundkonnekt.net
Thx to lucifer and Lord for the translation.
Shoutz to: kinkey_wizard, BeRgA, P41f0x, Nelio, Del_argm0, Icingtaupe, TiTan, chti_hack, Malicia, ...
Intox (Intox7@gmail.com)
Friday, 03 February 2012
[Malware Source] Agony ring0 rootkit!
Thursday, 02 February 2012
How To Crack a Wi-Fi Network
You already know that if you want to lock down your Wi-Fi network, you should opt for WPA encryption because WEP is easy to crack. But did you know how easy? Take a look.
If the network you want to test is running the more popular WPA encryption, see our guide to cracking a Wi-Fi network's WPA password with Reaver instead.
Today we're going to run down, step by step, how to crack a Wi-Fi network with WEP security turned on. But first, a word: knowledge is power, but power doesn't mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn't make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise.
Dozens of tutorials on how to crack WEP are already all over the internet using this method. Seriously, Google it. This isn't what you'd call "news." But what is surprising is that someone like me, with minimal networking experience, could get this done with free software and a cheap Wi-Fi adapter. Here's how it goes.
What You'll Need
To crack WEP, you'll need to launch Konsole, BackTrack's built-in command line. It's right there on the taskbar in the lower left corner, second button to the right. Now, the commands. First run the following to get a list of your network interfaces:
airmon-ng
The only one I've got there is labeled ra0. Yours may be different; take note of the label and write it down. From here on in, substitute it everywhere a command includes (interface). Now, run the following four commands. See the output I got for them in the screenshot below.
airmon-ng stop (interface)
ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
airmon-ng start (interface)
Now it's time to pick your network. Run:
airodump-ng (interface)
To see a list of wireless networks around you. When you see the one you want, hit Ctrl+C to stop the list. Highlight the row pertaining to the network of interest, and take note of two things: its BSSID and its channel (in the column labeled CH), as pictured below. Obviously the network you want to crack should have WEP encryption (in the ENC column), not WPA or anything else.
Now we're going to watch what's going on with that network you chose and capture that information to a file. Run:
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)
Where (channel) is your network's channel, and (bssid) is the BSSID you just copied to clipboard. You can use the Shift+Insert key combination to paste it into the command. Enter anything descriptive for (file name). I chose "yoyo," which is the network's name I'm cracking.
You'll get output like what's in the window in the background pictured below. Leave that one be. Open a new Konsole window in the foreground, and enter this command:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)
Here the ESSID is the access point's SSID name, which in my case is yoyo. What you want to get after this command is the reassuring "Association successful" message with that smiley face. You're almost there. Now it's time for:
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)
Here we're creating router traffic to capture more throughput faster to speed up our crack. After a few minutes, that front window will start going crazy with read/write packets. (Also, I was unable to surf the web with the yoyo network on a separate computer while this was going on.) Here's the part where you might have to grab yourself a cup of coffee or take a walk. Basically you want to wait until enough data has been collected to run your crack. Watch the number in the "#Data" column—you want it to go above 10,000. (Pictured below it's only at 854.) Depending on the power of your network (mine is inexplicably low at -32 in that screenshot, even though the yoyo AP was in the same room as my adapter), this process could take some time. Wait until that #Data goes over 10k, though—because the crack won't work if it doesn't. In fact, you may need more than 10k, though that seems to be a working threshold for many. Once you've collected enough data, it's the moment of truth. Launch a third Konsole window and run the following to crack that data you've collected:
aircrack-ng -b (bssid) (file name-01.cap)
Here the filename should be whatever you entered above for (file name). You can browse to your Home directory to see it; it's the one with .cap as the extension.
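The same airodump-ng capture prefix also produces a text file, (file name)-01.csv, beside the .cap, and that file is what an administrator auditing their own estate actually wants: it lists every access point seen together with its Privacy column (ENC in the live screen). The parser below is an added example, not part of the article, that reads that CSV and reports the access points still advertising WEP, which are the ones to migrate to WPA2. The sample CSV is constructed in airodump-ng's layout with made-up BSSIDs and counts.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout airodump-ng writes to <file name>-01.csv
# (an access-point table, a blank line, then a client-station table).
# BSSIDs, times and counts are made up for this example.
SAMPLE_AIRODUMP_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2012-02-02 10:00:00, 2012-02-02 10:05:00, 6, 54, WEP, WEP, , -32, 120, 854, 0. 0. 0. 0, 4, yoyo,
00:11:22:33:44:02, 2012-02-02 10:00:01, 2012-02-02 10:05:00, 11, 54, WPA2, CCMP, PSK, -60, 98, 0, 0. 0. 0. 0, 6, office,
00:11:22:33:44:03, 2012-02-02 10:00:02, 2012-02-02 10:05:00, 1, 54, OPN, , , -71, 40, 0, 0. 0. 0. 0, 5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:ff, 2012-02-02 10:01:00, 2012-02-02 10:05:00, -40, 200, 00:11:22:33:44:01,
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # the Privacy column, shown as ENC in the live airodump-ng screen
    essid: str


def parse_access_points(text: str) -> List[AccessPoint]:
    """Read the access-point table of an airodump-ng CSV.

    Parsing starts at the header row beginning with "BSSID" and stops at the
    blank line that separates the access points from the station table.
    """
    aps: List[AccessPoint] = []
    header: List[str] = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or all(not cell.strip() for cell in row):
            if header:
                break            # blank line: end of the access-point table
            continue             # leading blank line before the header
        if not header:
            if row[0].strip() == "BSSID":
                header = [cell.strip() for cell in row]
            continue
        fields = dict(zip(header, (cell.strip() for cell in row)))
        aps.append(AccessPoint(
            bssid=fields["BSSID"].lower(),
            channel=int(fields["channel"]),
            privacy=fields["Privacy"],
            essid=fields["ESSID"],
        ))
    return aps


def privacy_summary(aps: List[AccessPoint]) -> Dict[str, int]:
    """Count access points per encryption label (WEP, WPA2, OPN, ...)."""
    counts: Dict[str, int] = {}
    for ap in aps:
        counts[ap.privacy] = counts.get(ap.privacy, 0) + 1
    return counts


def wep_access_points(text: str) -> List[AccessPoint]:
    """Access points still advertising WEP in the given CSV text."""
    # Privacy may list several schemes separated by spaces (e.g. "WPA2 WPA"),
    # so match the WEP token rather than the whole string.
    return [ap for ap in parse_access_points(text) if "WEP" in ap.privacy.split()]


if __name__ == "__main__":
    for ap in wep_access_points(SAMPLE_AIRODUMP_CSV):
        print(f"WEP still enabled: {ap.essid} ({ap.bssid}) on channel {ap.channel}")
    print(privacy_summary(parse_access_points(SAMPLE_AIRODUMP_CSV)))
```

Point it at a real capture with open("(file name)-01.csv").read(); nothing in the parser depends on the sample.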
If you didn't get enough data, aircrack will fail and tell you to try again with more. If it succeeds, it will look like this:
The WEP key appears next to "KEY FOUND." Drop the colons and enter it to log onto the network.
Problems Along the Way
With this article I set out to prove that cracking WEP is a relatively "easy" process for someone determined and willing to get the hardware and software going. I still think that's true, but unlike the guy in the video below, I had several difficulties along the way. In fact, you'll notice that the last screenshot up there doesn't look like the others—it's because it's not mine. Even though the AP which I was cracking was my own and in the same room as my Alfa, the power reading on the signal was always around -30, and so the data collection was very slow, and BackTrack would consistently crash before it was complete. After about half a dozen attempts (and trying BackTrack on both my Mac and PC, as a live CD and a virtual machine), I still haven't captured enough data for aircrack to decrypt the key.
So while this process is easy in theory, your mileage may vary depending on your hardware, proximity to the AP, and the way the planets are aligned. Oh yeah, and if you're on deadline—Murphy's Law almost guarantees it won't work if you're on deadline.
Tuesday, 31 January 2012
How To Create Professional Websites
It doesn't matter if you're a beginner or a polished web designer, Angelfire's website builder gives you the tools to build a professional-looking website within minutes.
Sunday, 29 January 2012
How to Hack Account Tweeter
⇒ Learn How To Hack Any Twitter Account Using A Web Based Exploit
Do you want to learn how to hack twitter? Are you looking for a way to hack your friends twitter account without them finding out? Interested in finding out ways to hack someones profile? Maybe you want to take a quick peek at their direct message inbox, steal their username or find a glitch to use a hacking script. In this article I will show you a fairly easy step by step guide on how to hack twitter user accounts without having to directly hack into twitter or their computer and risk getting caught...ignore all those hacking services, twitter hacks and hackers that charge you money for something you can do on your own for free...hack the password of any of your friends accounts and get their password even as a prank or joke.
Hack twitter, hacking twitter passwords from user accounts and find out someones twitter password...Is any of it really possible? Yes it is!. Surely you've heard on the news of how President Obama's twitter got hacked or a few other celebrities. It is all due to twitter's poor coding/programming which causes all those errors like THIS POPULAR ONE.
A couple of month's ago I wanted to check my old Twitter account but forgot what email and password I had used to sign up, I sent an email to their technical support but they didn't reply so I decided to put my geek skills to good use and find a way to get my login information back by writing a twitter account hacking code or exploit as they are called.
HOW HACKING TWITTER ACCOUNTS WORKS
Twitter has two databases (one for males and one for females users) where they keep all the information from their users, if you remember the email you use to login but forget your password, you can use the 'Forgot your password?' option, however if like me you don't have any of that information it's impossible to legally recover that account.
If you know anything about programming websites you know the 'Forgot your password?' service has to be in direct contact with the databases in order to send requests to retrieve the forgotten information for you, basically what that means is if you 'ask' the database for the login information with the right 'code' (in our case exploit), it will send you back that information.
So all I had to figure out is what the code was and what system they used to contact the databases through the 'Forgot your password?' service, after a few weeks of writing and testing codes I came up with the right one for the job and after doing a bit of research I learned Twitter uses something similar to an email service to contact their databases.
But as usual, everything isn't as easy as it seems. For security reasons the databases are programmed to verify the account your requesting is actually yours and not someone elses so they need some type of authentication or verification (thats why they send you a verification link to your email when creating your account or changing your password), luckily for us Twitter is so poorly programmed they also allow you to use a friends/followers account to verify your own (it's a glitch in the "Mutual Friends/Followers" service where they authenticate accounts by checking if the associated friends/followers email is related to the 'victims' account), in other words, if the person you want to get the login information from is following you on Twitter and your following them...you can use your own account to verify theirs (by confusing the database into thinking we are checking if you both mutually follow each other rather than the true act of reseting their password and getting them to send it to us) and get their login email and password sent to you...but the victim must be following you and you them.
HOW TO DO IT
1) First off you will need to get your username and the victims username, how do you do this?
Go to the victims twitter profile and look at your browsers address bar, at the end of all the address you should see something like this: (I have used a red arrow to point it out)

Write it down somewhere as you will need to use it a bit further down, once that is done you may continue to step 2.
2) At the bottom of this page I have pasted the exploit code I created to fool the databases, this is the tricky part as you will have to edit the code a bit yourself so that it fits your needs when searching for the victims login information.
Scroll down to the bottom of this page and find the code I have highlighted in gray so you know what to copy, select the code and copy it to your clipboard (press CTRL+C) then paste it (CTRL+V) on a notepad or text document so you can edit it.
3) Once you have the code somewhere you can edit it, you will need to insert three things into it, the twitter username of the victim and the friend authentication login information. I will give you step by step examples by trying the exploit code of my friend Sarah's account as the victim, see what parts you have to edit and with what:

1. Should be the victims username.
2. Should be your twitter login username to verify your the victims follower/friend.
3. Should be your password so the database can authentic you really are mutually following each other with the victim.
When editing the code, don't accidentally delete one of the quotes (") or it won't work, so make sure you put the information inside them.
4) Now that you have the exploit code edited and ready to send, we are all set to send it to the database through an email, since it's not your regular email but an exploit email we will have to use a special Subject so the database knows how to read it in programming language.
Go to your email address and Compose a new email to twittersupport@techie.com which is twitters customer service email for forgotten passwords, in the Subject copy and paste the code below highlighted in gray:
$[search_database = $find user+id= "VICTIMSUSERNAME", '%verification+user+gender' = }"F"{ begin_search();
Once you have edited the Subject and entered the email address, your Composed email should look like the screenshot below, I will numerate each item:
1. The email address of the twitter database's forgotten password customer service.
2. This is where you insert the victims username.
3. This is where you insert the victims gender (as mentioned above the twitter database is devided in a male section and female), put an M inside the quotes if they are a male or a F if they are a female.
5) After you have correctly written the To: and Subject: sections, you may proceed to insert the exploit code you previously edited in step 3 into the body section of the email. Now all you have to do is click Send and wait for the database to send you back it's reply with the information.
It should take from 12-24 hours depending on the traffic twitter has that day, this is a sample of the email response you'll receive:

THE EXPLOIT CODE
twt_select_db("find", $linkID) or die(twt_database_error()); $resultID = twt_query("SELECT FriendID FROM signup WHERE email = '$email'", $linkID) or die(twt_database_error()); $num_rows = db_num_rows($resultID); $row = twitter_fetch_array($resultID); $user_id = $row[0];
if ($user_id == "PUT_USERNAME_HERE") = '$repeat' {
print Success, We have sent you an email with the Login email and Password of that Username.
}
else {
// print "We're sorry, your follower does not appear to be in our database."
$passwordfromdb = $row[0];
$find userID = (%follower_list)
#forgot_pass_userid = "%repeat%"; <%search_database_for_id%>
#user email= "YOUR_USERNAME_HERE"; (%follower_vulnerability_match%)
#user password = "YOURPASSWORDHERE"; (%follower_vulnerability_matchk%)
$follower_database_exploit = '%request_forgot_pass_info'
$email_to = %%%@subject_email
session_start();
session_reset_pass("session");
$email_address = $_POST['email_address'];
if (!isset($_POST['email_address'])) {
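Two facts in the instructions above are the ones a mail-security analyst checks first: the "support" address twittersupport@techie.com is on the domain techie.com, not twitter.com, and the template the reader is told to paste into the body contains a field for the reader's own password. The triage function below is an added example, not part of the post, that encodes exactly those two checks: is the destination address on the brand's own domain (a subdomain counts, a look-alike such as twitter.com.example.net does not), and does the message template ask the recipient to supply a credential. The brand-domain list, the indicator patterns and the body excerpt are constructed for this example.

```python
import re
from typing import Dict, List

# Domains the service's genuine support addresses would be on.
# Assumption for this example; adjust to the service being impersonated.
BRAND_DOMAINS = ["twitter.com"]

# Patterns marking a template that asks the recipient to fill in a credential.
# Constructed for this example.
CREDENTIAL_PATTERNS = [
    re.compile(r"password\s*=", re.IGNORECASE),              # 'password = "..."' fields
    re.compile(r"your\s+(?:login\s+)?password", re.IGNORECASE),
    re.compile(r"YOUR_?PASSWORD_?HERE", re.IGNORECASE),       # fill-in placeholder
]

# Constructed excerpt of the instructions above: the address the reader is told
# to mail, and two lines of the template they are told to edit and send.
SAMPLE_TO = "twittersupport@techie.com"
SAMPLE_BODY = """#user email= "YOUR_USERNAME_HERE"; (%follower_vulnerability_match%)
#user password = "YOURPASSWORDHERE"; (%follower_vulnerability_matchk%)
Now all you have to do is click Send and wait for the database to send you back it's reply."""


def address_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased, without a trailing dot."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


def is_offbrand_address(address: str, brand_domains: List[str]) -> bool:
    """True when the address is not on the brand's domain or a subdomain of it.

    mail.twitter.com is on-brand; techie.com and twitter.com.example.net are not,
    because the comparison anchors on the registrable suffix, not on a substring.
    """
    domain = address_domain(address)
    for brand in brand_domains:
        brand = brand.lower()
        if domain == brand or domain.endswith("." + brand):
            return False
    return True


def credential_request_indicators(text: str) -> List[str]:
    """Snippets of the template that ask the recipient for a password."""
    hits: List[str] = []
    for pattern in CREDENTIAL_PATTERNS:
        hits.extend(m.group(0) for m in pattern.finditer(text))
    return hits


def assess_support_request(to_address: str, body: str,
                           brand_domains: List[str] = BRAND_DOMAINS) -> Dict[str, object]:
    """Combine both checks into a triage verdict for a 'send us this e-mail' instruction."""
    offbrand = is_offbrand_address(to_address, brand_domains)
    indicators = credential_request_indicators(body)
    if offbrand and indicators:
        verdict = "credential-harvesting"   # off-brand recipient AND asks for a password
    elif offbrand or indicators:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {
        "to_domain": address_domain(to_address),
        "offbrand_address": offbrand,
        "credential_indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = assess_support_request(SAMPLE_TO, SAMPLE_BODY)
    print(result["verdict"], result)
```

The suffix check is the part worth copying: a plain substring test on "twitter" would accept twittersupport@techie.com, while anchoring on "." + brand accepts only the brand's own hosts.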
