Hacker defender (hxdef)是一个基于Windows NT 4.0, Windows 2000 以及 Windows XP操作系统上的一个Ntrookit,它也能运行于所有基于NT的以后的操作系统。主要 代码是DelPhi 6开发完成。新的部分功能使用汇编书写。驱动代码由C语言完成。后门和 Redirector客户端主要使用 DelPhi 6完成。通过修改配置文件能够达到隐藏文件名,隐藏端口, 隐藏注册表项和键值...隐蔽性极强,一旦被植入后果相当严重。 检测的方法很多, 什么 Icesword 之类, 大都是本机检测的,今天我来说一下网络检测. 使用工具ethereal密码正确抓包如下: char peer0_0[] = {0x01, 0x9a, 0x8c, 0x66, 0xaf, 0xc0, 0x4a, 0x11, 0x9e, 0x3f, 0x40, 0x88, 0x12, 0x2c, 0x3a, 0x4a, 0x84, 0x65, 0x38, 0xb0, 0xb4, 0x08, 0x0b, 0xaf, 0xdb, 0xce, 0x02, 0x94, 0x34, 0x5f, 0x22, 0x00 };char peer1_0[] = {0xe0 };char peer0_1[] = {0xe1 };char peer1_1[] = {0xe2 };char peer0_2[] = {0xe3 };char peer1_2[] = {0xe4 };char peer0_3[] = {0xe5 };char peer1_3[] = {0xe6 };char peer0_4[] = {0x9c, 0xe1, 0xe4, 0x30 };char peer1_4[] = {0xe9 };char peer0_5[] = {0xeb };密码错误抓包如下: char peer0_0[] = {0x01, 0x9a, 0x8c, 0x66, 0xaf, 0xc0, 0x4a, 0x11, 0x9e, 0x3f, 0x40, 0x88, 0x12, 0x2c, 0x3a, 0x4a, 0x84, 0x65, 0x38, 0xb0, 0xb4, 0x08, 0x0b, 0xaf, 0xdb, 0xce, 0x02, 0x94, 0x34, 0x5f, 0x22, 0x00 };char peer1_0[] = {0xe0 };char peer0_1[] = {0xe1 };char peer1_1[] = {0xe2 };char peer0_2[] = {0xe3 };char peer1_2[] = {0xe4 };char peer0_3[] = {0xe5 };char peer1_3[] = {0xe6 };char peer0_4[] = {0x8e, 0xb6, 0x00, 0xfb };char peer1_4[] = {0xea };可以看出 peer0_4[] 这个包是和密码有关系,但是前面几个包都是一样的,根据这个很容易就可以检测出远程主机是否被安装了 hxdef 100, 而且不用用到高深的windows编程技术我用nasl 写了个脚本 port[0] = 21;port[1] = 25;port[2] = 80;port[3] = 135;port[4] = 139;port[5] = 445;port[6] =1433;port[7] = 3306;port[8] = 23;for (i = 0; i < 8; i ){ soc = open_sock_tcp(port[i]); if (soc) { req = raw_string(0x01, 0x9a, 0x8c, 0x66, 0xaf, 0xc0, 0x4a, 0x11, 0x9e, 0x3f, 0x40, 0x88, 0x12, 0x2c, 0x3a, 0x4a, 0x84, 0x65, 0x38, 0xb0, 0xb4, 0x08, 0x0b, 0xaf, 0xdb, 0xce, 0x02, 0x94, 0x34, 0x5f, 0x22, 0x00); send(socket:soc, data:req); r1 = recv(socket:soc, length:1000);# display(r1, "/n"); r2 = recv(socket:soc, length:1); xp = "e0"; if ( (xp >< hexstr(r1)) || (xp >< hexstr(r2))) { req1= raw_string(0xe1); send(socket:soc,data:req1); send(socket:soc,data:req1); r3 = recv(socket:soc, length:1); if ("e2" >< hexstr(r3)) { req2 = raw_string(0xe3); send(socket:soc,data:req2); r4 = recv(socket:soc, length:1); if("e4" >< hexstr(r4)) { security_warning(port[i]); exit(0); } } } close(soc); } } 补充一下, hxdef 不是每个端口都可以用的, 详细的见est 顾问团 紫幻 翻译的readme