This is a textfile explaining what flister is and does. FLISTER is proof-of-concept code for detecting files hidden by both usermode and kernelmode Windows rootkits. It exploits the bugs in handling ZwQueryDirectoryFile() calls with ReturnSingleEntry set to TRUE. Flister works on Windows 2000, XP and 2003.
FLISTER - uncovering files hidden by Windows rootkits
-------------------------------------------------------
joanna at invisiblethings dot org, 2005.
It's going to be very simple, but somebody needs to bring it to the
public for the good of mankind... or at least the rootkit community;)
When researching some new techniques for file hiding, I came across a
very common bug in many (all?) publicly available Windows rootkits
(both user and kernel mode)...
The problem shows up when the well-known ZwQueryDirectoryFile()
function is called with the ReturnSingleEntry argument set to TRUE.
All tested rootkits (see below) failed to properly hide the files or
directories that should have been hidden...
As usual, very simple proof-of-concept code is provided:
http://invisiblethings.org/tools/flister.zip
Tested on Windows 2000 SP4, XP SP2 and 2003.
Some examples:
* Vanquish 0.2 - flister shows all hidden files
* he4hook 21a - although it uses the most advanced file hiding
  technique (IRP based), flister can still uncover all hidden files :)
* Hacker Defender 1.00 - flister gets the error code 0xc000000f
  (STATUS_NO_SUCH_FILE) back on the hidden file, which makes it easy
  to detect that something is wrong
* yyt_hac 1.22 - that really nice Chinese usermode rootkit;) fails
  too. It causes ZwQueryDirectoryFile() to always return the
  0xc000001c (STATUS_INVALID_SYSTEM_SERVICE) error code when called
  with ReturnSingleEntry set to TRUE. Again, this is an obvious way to
  detect it.
* Basic8 - it simply truncates the listing at the hidden file. So,
  only if the hidden file happens to be the last file in the directory
  (in alphabetical order) does it stay hidden. In all other cases, all
  the files located after the hidden file will be hidden too, which
  again easily betrays the rootkit.
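To make the cross-check flister performs concrete, here is an added
example (my own code, not flister's, which lives in the zip above). It
takes a transcript of ReturnSingleEntry=TRUE calls (status plus the one
entry name each call delivered) together with the listing the normal
Win32 directory API returned, and classifies the disagreement the way
the list above describes: an extra name (Vanquish, he4hook), an error
status mid-walk (Hacker Defender), every call failing (yyt_hac), or a
listing that stops early (Basic8). The directory contents and the
per-rootkit transcripts are constructed for illustration; on a real
system the transcript comes from looping NtQueryDirectoryFile until
STATUS_NO_MORE_FILES.

```c
#include <stdio.h>
#include <string.h>

/* NTSTATUS values the text refers to (standard ntstatus.h constants). */
#define STATUS_SUCCESS                0x00000000UL
#define STATUS_NO_MORE_FILES          0x80000006UL
#define STATUS_NO_SUCH_FILE           0xC000000FUL   /* seen with Hacker Defender */
#define STATUS_INVALID_SYSTEM_SERVICE 0xC000001CUL   /* seen with yyt_hac */
#define NT_ERROR(s)  ((unsigned long)(s) >= 0xC0000000UL)
#define LEN(a)       (sizeof(a) / sizeof((a)[0]))

/* One NtQueryDirectoryFile(..., ReturnSingleEntry = TRUE, ...) call:
 * the status it returned and, on success, the single name it delivered.
 * On Windows this transcript is produced by looping the call until
 * STATUS_NO_MORE_FILES; the transcripts further down are constructed. */
typedef struct {
    unsigned long status;
    const char *name;        /* NULL when the call did not return an entry */
} single_step;

typedef struct {
    int hidden;      /* names the single-entry walk showed but the normal listing lacks */
    int errors;      /* single-entry calls that came back with an NT error status */
    int truncated;   /* names in the normal listing the single-entry walk never reached */
    int all_failed;  /* not one entry could be read this way */
} verdict;

static int in_list(const char *name, const char **list, int n)
{
    for (int i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0)
            return 1;
    return 0;
}

/* Cross-check the single-entry transcript against the "normal" listing
 * (what FindFirstFile/FindNextFile showed, i.e. what the rootkit wants
 * you to see). Any disagreement points at a hook that mishandles
 * ReturnSingleEntry. */
verdict analyse(const single_step *steps, int nsteps,
                const char **normal, int nnormal)
{
    verdict v = { 0, 0, 0, 0 };
    const char *seen[256];
    int nseen = 0;

    for (int i = 0; i < nsteps; i++) {
        if (steps[i].status == STATUS_NO_MORE_FILES)
            break;                                  /* clean end of the directory */
        if (NT_ERROR(steps[i].status) || steps[i].name == NULL) {
            v.errors++;                             /* the hook choked on this call */
            continue;
        }
        if (nseen < (int)LEN(seen))
            seen[nseen++] = steps[i].name;
        if (!in_list(steps[i].name, normal, nnormal))
            v.hidden++;                             /* Vanquish / he4hook style leak */
    }
    for (int i = 0; i < nnormal; i++)
        if (!in_list(normal[i], seen, nseen))
            v.truncated++;                          /* Basic8 style cut-off */
    v.all_failed = (nseen == 0 && v.errors > 0);    /* yyt_hac style */
    return v;
}

/* Constructed directory: a.txt, b.sys (the file the rootkit hides), c.txt.
 * The normal listing is what the hooked Win32 API shows. */
static const char *normal_listing[] = { "a.txt", "c.txt" };

static const single_step walk_clean[]    = { {STATUS_SUCCESS, "a.txt"}, {STATUS_SUCCESS, "c.txt"},
                                             {STATUS_NO_MORE_FILES, NULL} };
static const single_step walk_vanquish[] = { {STATUS_SUCCESS, "a.txt"}, {STATUS_SUCCESS, "b.sys"},
                                             {STATUS_SUCCESS, "c.txt"}, {STATUS_NO_MORE_FILES, NULL} };
static const single_step walk_hxdef[]    = { {STATUS_SUCCESS, "a.txt"}, {STATUS_NO_SUCH_FILE, NULL} };
static const single_step walk_yyt_hac[]  = { {STATUS_INVALID_SYSTEM_SERVICE, NULL} };
static const single_step walk_basic8[]   = { {STATUS_SUCCESS, "a.txt"}, {STATUS_NO_MORE_FILES, NULL} };

static void report(const char *rk, verdict v)
{
    printf("%-14s hidden=%d errors=%d truncated=%d all_failed=%d -> %s\n",
           rk, v.hidden, v.errors, v.truncated, v.all_failed,
           (v.hidden || v.errors || v.truncated) ? "SUSPICIOUS" : "clean");
}

int main(void)
{
    report("no rootkit",   analyse(walk_clean,    LEN(walk_clean),    normal_listing, LEN(normal_listing)));
    report("Vanquish 0.2", analyse(walk_vanquish, LEN(walk_vanquish), normal_listing, LEN(normal_listing)));
    report("HxDef 1.00",   analyse(walk_hxdef,    LEN(walk_hxdef),    normal_listing, LEN(normal_listing)));
    report("yyt_hac 1.22", analyse(walk_yyt_hac,  LEN(walk_yyt_hac),  normal_listing, LEN(normal_listing)));
    report("Basic8",       analyse(walk_basic8,   LEN(walk_basic8),   normal_listing, LEN(normal_listing)));
    return 0;
}
```

The Hacker Defender transcript stops at the error because the text does
not say whether the walk can be continued past it; the analyser counts
the error either way, so a detector does not depend on that detail.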
As an extra bonus, flister can take a second argument, which should be
the index of the ZwQueryDirectoryFile service in the SDT (which is
service-pack dependent). When given the correct index, flister should
detect files hidden by _all_ usermode rootkits, simply because it will
call the service directly through int 0x2e, bypassing the ntdll stub
that usermode rootkits hook. This is one of the reasons why usermode
rootkits cannot be considered really stealthy...
You may wonder why I haven't coded up the good old trick to find that
index automatically (namely reading *(DWORD*)((char*)addr + 1), the
immediate of the "mov eax, <index>" instruction that every unpatched
ntdll stub begins with)? Well, the answer is simple: some usermode
rootkits overwrite the first few bytes of ZwQueryDirectoryFile, and
the trick then fails :( So, you will probably need a small database of
the correct indexes for all Windows versions :o
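As an added example (not part of flister), here is what the "+1 trick"
does and where it breaks: it reads the 32-bit immediate of the
"mov eax, <index>" that begins an unpatched 32-bit ntdll stub, refuses
when the first byte has been overwritten (a usermode hook typically
plants a jmp there), and falls back to the per-build table the text
suggests. The stub bytes, the index 0x91 and the single table entry are
constructed for the demo; real indexes must be read from a trusted copy
of ntdll or the SSDT for each Windows version and service pack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { STUB_OK, STUB_PATCHED, STUB_TOO_SHORT } stub_state;

/* The "+1 trick": an unpatched 32-bit ntdll stub starts with
 *     B8 xx xx xx xx        mov eax, <SDT index>
 * so *(DWORD*)((char*)addr + 1) is the index. A usermode rootkit that
 * overwrites the prologue (typically with E9 rel32, a jmp to its own
 * handler) destroys that immediate; this is reported as STUB_PATCHED
 * instead of returning whatever garbage now sits at offset 1. */
stub_state read_service_index(const uint8_t *stub, size_t len, uint32_t *index)
{
    if (len < 5)
        return STUB_TOO_SHORT;
    if (stub[0] != 0xB8)
        return STUB_PATCHED;
    if (index)
        *index = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                 ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    return STUB_OK;
}

/* The "small database" fallback: SDT index per Windows build, collected
 * from a machine you trust. The single entry is a constructed placeholder
 * whose value simply matches the sample stubs below. */
typedef struct { const char *build; uint32_t index; } index_entry;
static const index_entry index_db[] = {
    { "demo-build", 0x91 },
};

long lookup_index(const char *build)
{
    for (size_t i = 0; i < sizeof index_db / sizeof index_db[0]; i++)
        if (strcmp(index_db[i].build, build) == 0)
            return (long)index_db[i].index;
    return -1;
}

/* Prefer the live stub; if its prologue is hooked, trust the table instead.
 * Returns the index, or -1 when neither source can supply it. */
long resolve_index(const uint8_t *stub, size_t len, const char *build)
{
    uint32_t idx;
    if (read_service_index(stub, len, &idx) == STUB_OK)
        return (long)idx;
    return lookup_index(build);
}

/* Constructed sample prologues in the shape of XP-era ntdll stubs
 * (index 0x91 is illustrative, not a claim about any particular build). */
static const uint8_t stub_clean[] = {
    0xB8, 0x91, 0x00, 0x00, 0x00,        /* mov eax, 0x91          */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,        /* mov edx, 7FFE0300h     */
    0xFF, 0x12,                          /* call [edx]             */
    0xC2, 0x2C, 0x00                     /* ret 2Ch                */
};
static const uint8_t stub_hooked[] = {
    0xE9, 0x11, 0x22, 0x33, 0x44,        /* jmp rel32 -> rootkit   */
    0xBA, 0x00, 0x03, 0xFE, 0x7F,
    0xFF, 0x12,
    0xC2, 0x2C, 0x00
};

int main(void)
{
    printf("clean stub : index 0x%lx\n",
           resolve_index(stub_clean, sizeof stub_clean, "unknown-build"));
    printf("hooked stub: trick alone -> %ld, with table -> 0x%lx\n",
           resolve_index(stub_hooked, sizeof stub_hooked, "unknown-build"),
           resolve_index(stub_hooked, sizeof stub_hooked, "demo-build"));
    return 0;
}
```

With the index in hand, the direct call is the stub's own sequence minus
ntdll: mov eax, <index>; lea edx, [esp+4]; int 0x2e (the Windows 2000
stub form; XP and 2003 stubs go through the SystemCallStub pointer at
7FFE0300h instead, but int 0x2e is still honoured there), which is
exactly what flister's second argument makes it do.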