Rootkits: Subverting the Windows Kernel [Source/PDF]

This is an extremely useful book on rootkits: Rootkits: Subverting the Windows Kernel

PDF: http://micropenguin.net/files/Other/Rootkits_Subverting_the_Windows_Kernel.pdf

It took me a while to find all of the source code examples in the book, since rootkit.com has been taken down and that is where the book directs you to download them from.

These are the examples listed in the book:

InstDrv.zip
migbot.zip
basic_1.zip
basic_hardware.zip
basic_keysniff.zip
HideProcessHookMDL.zip
HybridHook.zip
Klog 1.0.zip
rk_044.zip
strace_Fuzen.zip
SysEnterHook.zip
vice.zip

HaleOS

Development of a simple x64 operating system is now in progress! Matt and I are working on creating a PDF that will explain the methodologies of its boot/load/run process, as well as releasing the source code on GitHub. More information can be found here.

Please visit our forums for questions.

P-Warrior

This is an example of a simple P-warrior: a program that stores values in P-space, which determine which strategy it will use.

Execution starts at res, where the value -1 is loaded into the B-field. Execution continues to the label ‘str’. The A-field of _STR is #0, and str1 is 5 addresses forward, so the line for ‘str’ is ldp.a 0, 5. Location 0 in P-space is equal to -1, so ldp.a changes str1’s A-field to -1.

Execution then continues to the if condition sne.ab #0, res.
This checks whether the A and B fields are equivalent: if they are, the next instruction executes; if not, it is skipped. Since res is equal to -1, they are not equal, so the ‘lost’ label is skipped.

mod.a #2, str1
performs the operation -1 % 2 = 1, making str1’s A-field equal to 1.

stp.ab str1, _STR stores the value 1 into location 0 of P-space.
Since str1’s A-field is equal to 1, and _STR is 1, which points to str1, and since str1’s B-field is equal to 2 (imp is two addresses forward), this stores 1 into P-space location 2.

Execution now continues to the str1 label:
jmp @1 , 1
The @1 signifies that jmp’s B-field now points to dat 0, stream’s B-field, which is equal to 2.
So str1 becomes:

jmp 1+(2) , 1

Execution jumps to the stream label. Since djn.f’s A-field is a direct/immediate value, it will continuously jump to itself.

It goes 11 addresses back, decrements the B-value of that address, and then jumps from the B-value of that address.

Minecraft ALU

This is a simple ALU that I made in Minecraft. It has basic functions such as XOR, OR, addition and subtraction.
It is not the most efficient, compact or powerful design; there are a lot of designs out there that are ‘better’.

Rotating a Matrix [Java][C++]

This is a simple way of rotating a matrix clockwise or counter-clockwise. I will use Java to demonstrate. First, notice the pattern when you rotate a matrix’s values clockwise:

Original 3 x 3 matrix:

[1][2][3]
[4][5][6]
[7][8][9]

Rotating last row:
[2][0] => [0][0]
[2][1] => [1][0]
[2][2] => [2][0]

Rotating middle row:
[1][0] => [0][1]
[1][1] => [1][1]
[1][2] => [2][1]

Rotating first row:
[0][0] => [0][2]
[0][1] => [1][2]
[0][2] => [2][2]

Note that you will need two loops for each row rotation: one for incrementing through the row of the original matrix, and a second for incrementing through the rows and columns of the new matrix. In this method, we use a counter (z) to step through each row of the new matrix while keeping the column the same.

Code:

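The post’s own code listing did not survive, so here is an added C++ version of the pattern described above (not the original Java code). It follows the same scheme, one original row feeding one new column with a counter z walking the new rows, and goes beyond the 3 x 3 case to any r x c matrix, which rotates into a c x r matrix.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

using Matrix = std::vector<std::vector<int>>;

// Rotate an r x c matrix clockwise into a c x r matrix. As in the pattern above,
// the last row of the original becomes column 0 of the result, the next-to-last
// row becomes column 1, and so on: out[z][col] = in[r-1-col][z].
Matrix rotateClockwise(const Matrix& in) {
    const std::size_t r = in.size();
    const std::size_t c = r ? in[0].size() : 0;
    Matrix out(c, std::vector<int>(r));
    for (std::size_t col = 0; col < r; ++col) {   // one original row feeds one new column
        const std::size_t src = r - 1 - col;       // consume original rows from the bottom up
        for (std::size_t z = 0; z < c; ++z)        // z walks down the rows of the new matrix
            out[z][col] = in[src][z];
    }
    return out;
}

// Counter-clockwise is the mirror image: row 0 of the original becomes column 0
// of the result, filled bottom-up: out[c-1-z][col] = in[col][z].
Matrix rotateCounterClockwise(const Matrix& in) {
    const std::size_t r = in.size();
    const std::size_t c = r ? in[0].size() : 0;
    Matrix out(c, std::vector<int>(r));
    for (std::size_t col = 0; col < r; ++col)
        for (std::size_t z = 0; z < c; ++z)
            out[c - 1 - z][col] = in[col][z];
    return out;
}

void print(const Matrix& m) {
    for (const auto& row : m) {
        for (int v : row) std::cout << '[' << v << ']';
        std::cout << '\n';
    }
}

int main() {
    const Matrix m = {{1, 2, 3}, {4, 5, 6}, {7, 8, 9}};   // the 3 x 3 matrix from the post
    print(rotateClockwise(m));          // [7][4][1] / [8][5][2] / [9][6][3]
    print(rotateCounterClockwise(m));   // [3][6][9] / [2][5][8] / [1][4][7]
    return 0;
}
```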

Get dat cat to Purr()

I really want that Cat to Purr()!

//Justin
#include <iostream>
using namespace std;

class Mammal
{
public:
	// Virtual destructor so that deleting through a Mammal* destroys the real object.
	virtual ~Mammal() {}
	virtual void Speak() const { cout << "Mammal Talk!"; }
};

class Cat : public Mammal
{
public:
	void Speak() const override { cout << "Meow!"; }
	void Purr() const { cout << "RRRRRRRRRRrr"; }   // only Cat knows how to Purr()
};

class Dog : public Mammal
{
public:
	void Speak() const override { cout << "Wolf!"; }
};

int main()
{
	Mammal * pMammal;

	pMammal = new Cat;

	// dynamic_cast checks at run time that pMammal really points to a Cat;
	// it returns nullptr otherwise, so the result must be tested before use.
	Cat * lol = dynamic_cast<Cat*> (pMammal);

	if (lol)
		lol->Purr();
	cout << "The Game." << endl;

	delete pMammal;
	cin.get();
	return 0;
}

Cat is a class derived from Mammal and overrides the Speak() function. Since all Mammals know how to Speak(), this is polymorphic and makes sense in our code. What if I want a Cat object to know how to Purr(), but not another derived Mammal class like Dog? You could percolate Purr() up into Mammal, but that’s bad practice, since it doesn’t apply to Dog.

What you can do is use dynamic_cast to safely cast the pointer to a pointer to a Cat object. dynamic_cast provides a run-time safety check to ensure that it is indeed pointing to a valid Cat object; if it is not, the pointer form returns nullptr.

Cat * paw = dynamic_cast<Cat* > (pMammal);

if (paw)        // nullptr if pMammal does not actually point to a Cat
	paw->Purr();
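The failure case is the part worth seeing: the post’s example always holds a real Cat, so the check never fails there. This added C++ example (my own code, not the post’s) runs the same cast against a Dog behind the base pointer, and also shows the reference form of dynamic_cast, which throws std::bad_cast instead of returning a null pointer. The helper names tryPurr and tryPurrRef are my own.

```cpp
#include <iostream>
#include <memory>
#include <typeinfo>

class Mammal {
public:
    virtual ~Mammal() {}                                   // needed to delete via Mammal*
    virtual void Speak() const { std::cout << "Mammal Talk!\n"; }
};

class Cat : public Mammal {
public:
    void Speak() const override { std::cout << "Meow!\n"; }
    void Purr() const { std::cout << "RRRRRRRRRRrr\n"; }
};

class Dog : public Mammal {
public:
    void Speak() const override { std::cout << "Wolf!\n"; }
};

// Pointer form: dynamic_cast yields nullptr when the object is not really a Cat.
// A static_cast here would not check and would call Purr() on a Dog's memory.
// Returns true if the object purred.
bool tryPurr(const Mammal* m) {
    const Cat* cat = dynamic_cast<const Cat*>(m);
    if (cat == nullptr) return false;                      // Dog, plain Mammal, or nullptr
    cat->Purr();
    return true;
}

// Reference form: there is no null reference, so a failed cast throws std::bad_cast.
bool tryPurrRef(const Mammal& m) {
    try {
        dynamic_cast<const Cat&>(m).Purr();
        return true;
    } catch (const std::bad_cast&) {
        return false;
    }
}

int main() {
    std::unique_ptr<Mammal> cat(new Cat);
    std::unique_ptr<Mammal> dog(new Dog);
    tryPurr(cat.get());      // prints RRRRRRRRRRrr
    tryPurr(dog.get());      // prints nothing, returns false instead of crashing
    tryPurrRef(*dog);        // bad_cast caught, returns false
    return 0;
}
```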

Hax!!

Why would you want to do this? I don’t know. It’s not very polymorphic.

BlackJack.cpp

Messing around with IDA-PRO. This was an assignment, but since my class is switching to Java I have decided to complete it and post the source code.
Here is the link to the GitHub repo: https://github.com/Jyang772/BlackJack

You create two classes, Deck and Card. Deck has a private array of 52 Card objects. Each card object describes one card. It holds the card’s rank and suit.