FLISTER - uncovering files hidden by Windows rootkits
-------------------------------------------------------
joanna at invisiblethings dot org, 2005.

It's gonna be very simple, but somebody needs to bring it to the public for the goodness of mankind... or at least the rootkit community;)

When researching some new techniques for file hiding, I came across a very common bug in many (all?) publicly available Windows rootkits (both user and kernel mode)... The problem can be noticed when using the well known ZwQueryDirectoryFile() function with the ReturnSingleEntry argument set to TRUE. All tested rootkits (see below) failed to properly hide the files or directories which should have been hidden...

As usual, very simple proof-of-concept code is provided:

http://invisiblethings.org/tools/flister.zip

Tested on Windows 2000 SP4, XP SP2 and 2003.

Some examples:

* Vanquish 0.2 - flister shows all hidden files
* he4hook 21a - although it uses the most advanced file hiding technique (IRP based), flister can still uncover all hidden files :)
* Hacker Defender 1.00 - flister returns the error code 0xc000000f on the hidden file (which leads to easy detection that something's wrong)
* yyt_hac 1.22 - that really nice Chinese usermode rootkit;) fails too. It causes ZwQueryDirectoryFile() to always return the 0xc000001c error code when called with ReturnSingleEntry set to TRUE. Again, this is an obvious way to detect it.
* Basic8 - it simply cuts the output at the hidden file. So, unless the hidden file is the last file in the directory (in alphabetical order), it will remain hidden. In all other cases, all the files located after the hidden file will be hidden too, which again easily betrays the rootkit.

As an extra bonus, flister can take a second argument, which should be the index of the ZwQueryDirectoryFile service in the SDT (which is service pack dependent). When given the correct index, flister should detect files hidden by _all_ usermode rootkits, simply because it will call the service through int 0x2e. This is one of the reasons why usermode rootkits cannot be considered really stealthy... You may wonder why I haven't coded the good old trick to find that index automatically (namely the *(DWORD*)((char*)addr + 1) trick)? Well, the answer is simple: some usermode rootkits overwrite the first few bytes of ZwQueryDirectoryFile, and that trick will fail then :( So, you will probably need a small database of the correct indexes for all Windows versions :o
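The symptoms listed above, turned into one check: compare a directory walk made one entry at a time (ZwQueryDirectoryFile() with ReturnSingleEntry set to TRUE) against the names a normal multi-entry listing reported, and classify any error status seen along the way. This is an added example, not flister's own code; the walk steps, reference names and file names are constructed, and on Windows the steps would be filled from repeated ZwQueryDirectoryFile() calls.

```c
/* Added example, not flister's code: the symptoms listed above as checks over one
 * directory walk made with ZwQueryDirectoryFile() and ReturnSingleEntry=TRUE.
 * The walk is passed in as (status, name) steps; these are constructed here, on
 * Windows they come from one ZwQueryDirectoryFile call per entry. */
#include <stdio.h>
#include <string.h>
#define STATUS_NO_MORE_FILES 0x80000006UL          /* normal end of a walk */

typedef struct { unsigned long status; const char *name; } step_t;
typedef enum {
    CLEAN,          /* walk agrees with the reference listing */
    ALL_CALLS_FAIL, /* first call already fails (yyt_hac: always 0xc000001c) */
    ENTRY_ERROR,    /* error on one entry mid-walk (HxDef: 0xc000000f) */
    HIDDEN_NAME,    /* walk shows a name the reference lacks (Vanquish, he4hook) */
    NAMES_MISSING   /* walk ends before the reference does (Basic8 cuts output) */
} verdict_t;

/* ref = names the normal multi-entry listing gave for the same directory. On
 * the two error verdicts *bad_status receives the NTSTATUS that betrayed the hook. */
verdict_t check_walk(const step_t *walk, size_t nwalk,
                     const char *const *ref, size_t nref, unsigned long *bad_status)
{
    size_t i, j, listed = 0;                       /* steps that returned a name */
    *bad_status = 0;
    for (i = 0; i < nwalk && walk[i].status != STATUS_NO_MORE_FILES; i++) {
        if (walk[i].status >= 0xC0000000UL) {      /* NT error severity */
            *bad_status = walk[i].status;
            return i == 0 ? ALL_CALLS_FAIL : ENTRY_ERROR;
        }
        for (j = 0; j < nref && strcmp(walk[i].name, ref[j]) != 0; j++) ;
        if (j == nref) return HIDDEN_NAME;         /* single-entry call surfaced it */
        listed++;
    }
    for (j = 0; j < nref; j++) {                   /* did the walk drop anything? */
        for (i = 0; i < listed && strcmp(ref[j], walk[i].name) != 0; i++) ;
        if (i == listed) return NAMES_MISSING;
    }
    return CLEAN;
}

int main(void)
{   /* constructed sample: the walk surfaces "rk.sys", absent from the normal listing */
    const step_t walk[] = { {0, "."}, {0, ".."}, {0, "rk.sys"}, {0, "user.txt"},
                            {STATUS_NO_MORE_FILES, NULL} };
    const char *ref[] = { ".", "..", "user.txt" };
    unsigned long st;
    printf("verdict %d\n", check_walk(walk, 5, ref, 3, &st));   /* prints 3 (HIDDEN_NAME) */
    return 0;
}
```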