AFX Rootkit 2005 by Aphex

posted 18 Sep 2010, 15:07 by Delphi Basics

This program patches the Windows API so that certain objects are hidden from the normal listing functions. 


Current Version Hides: 
a) Processes 
b) Handles 
c) Modules 
d) Files & Folders 
e) Registry Keys & Values 
f) Services 
g) TCP/UDP Sockets 
h) Systray Icons 

Configuring a computer with the rootkit is simple... 

1. Create a new folder with a unique name, e.g. "c:\winnt\rewt\" 
2. In this folder place root.exe, e.g. "c:\winnt\rewt\root.exe" 
3. Execute root.exe with the "/i" parameter, e.g. "start c:\winnt\rewt\root.exe /i" 
4. Place any other programs or files inside this folder. 

Everything inside the root folder is now invisible! Any other services or programs you place 
in the root folder are hidden from process, file, DLL, handle, socket, etc. listings. 
However, all programs in the root folder can still see each other. 

Registry value names are hidden differently from everything else. The value name must begin with the 
root folder name followed by "\" and at least one further character, e.g. "rewt\hiddenstartup1". 

Registry key names are hidden if the key has the same name as the root folder, e.g. "rewt".

Also, the hiding is keyed on the root folder's name, not its full path, so that name is unique throughout
the system. This means "c:\rewt\", "c:\winnt\rewt\" and "c:\winnt\system32\rewt\" will all be hidden
because they all share the root folder name "rewt".
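The naming rules above are easy to misread, so here is an added example (my own Python, not the rootkit's Delphi source and not taken from the archive) that models them as a matcher and runs it over names gathered from a view the hooks cannot filter, such as an offline disk image or an exported hive. The sample entries are constructed for the demonstration, and case-insensitive comparison is an assumption: NTFS names are case-insensitive, but the README does not say how the hook compares.

```python
import ntpath  # Windows path handling that also works on a non-Windows host

ROOT = "rewt"  # root folder name used in the README's example


def _components(path: str) -> list:
    # Split a Windows path into its folder/file components, dropping the
    # drive letter and the empty pieces left by leading/trailing backslashes.
    _drive, rest = ntpath.splitdrive(path)
    return [c for c in rest.replace("/", "\\").split("\\") if c]


def is_hidden_path(path: str, root: str = ROOT) -> bool:
    """True when any component of the path equals the root folder name.

    Hiding is keyed on the folder *name*, so c:\\rewt\\, c:\\winnt\\rewt\\ and
    c:\\winnt\\system32\\rewt\\ are all hidden, together with everything
    beneath them. Case-insensitive matching is an assumption (see lead-in)."""
    r = root.lower()
    return any(c.lower() == r for c in _components(path))


def is_hidden_regkey(key_path: str, root: str = ROOT) -> bool:
    # A registry key is hidden when its own (last) name equals the root folder name.
    parts = _components(key_path)
    return bool(parts) and parts[-1].lower() == root.lower()


def is_hidden_regvalue(value_name: str, root: str = ROOT) -> bool:
    # A registry value is hidden when its name starts with "<root>\" followed
    # by at least one more character, e.g. "rewt\hiddenstartup1".
    prefix = root.lower() + "\\"
    name = value_name.lower()
    return name.startswith(prefix) and len(name) > len(prefix)


def masked_entries(entries: dict, root: str = ROOT) -> dict:
    """Given names from a view the hooks cannot filter (offline image, exported
    hive), return those the running rootkit would hide, grouped by type."""
    return {
        "paths": [p for p in entries.get("paths", []) if is_hidden_path(p, root)],
        "keys": [k for k in entries.get("keys", []) if is_hidden_regkey(k, root)],
        "values": [v for v in entries.get("values", []) if is_hidden_regvalue(v, root)],
    }


# Constructed sample input, not data from the page or the archive.
SAMPLE = {
    "paths": [
        "c:\\winnt\\rewt\\root.exe",
        "c:\\winnt\\system32\\rewt\\",
        "C:\\REWT\\dropper.exe",          # hidden only under the case-insensitive assumption
        "c:\\winnt\\rewtools\\tool.exe",  # "rewtools" is not "rewt": stays visible
        "c:\\winnt\\notepad.exe",
    ],
    "keys": ["HKLM\\SOFTWARE\\rewt", "HKLM\\SOFTWARE\\rewt2", "rewt"],
    "values": ["rewt\\hiddenstartup1", "rewt", "rewt\\", "rewthidden"],
}

if __name__ == "__main__":
    for kind, hits in masked_entries(SAMPLE).items():
        print(kind, hits)
```

Note that "rewt" alone and "rewt\" alone are not hidden as value names because the README requires characters after the backslash; a folder called "rewtools" is likewise visible, since the match is on the whole component, not a prefix.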

If you install it make sure you know how to remove it!

  Method 1
   1. Run the root.exe with the "/u" parameter
   2. Delete all the files associated with it
   3. Reboot

  Method 2
   1. Boot into safe mode
   2. Locate the service with the root folder name
   3. Remove the service and delete all the files associated with it
   4. Reboot

How To Properly Compile AFX Rootkit 

Inside hook.dpr there is a variable...


After compiling hook.dll, open it in a hex editor and find the file offset of that string of X's.

Once you have the offset, open root.dpr, search for the hex literal $4a54 and replace it with the offset you found.

Each version of Delphi lays the DLL out differently, so the offset differs between versions. $4a54 is the offset for Delphi 6, so you should not need to change it if you build with D6. It is always best to double-check, though.
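The hex-editor step is error-prone, so here is an added example (my own Python helper, not part of the archive or the rootkit's Delphi code) that locates the placeholder in a compiled hook.dll, performs the double-check the text recommends, and rewrites the literal in root.dpr. The README does not give the placeholder's exact length, so the script assumes it is the longest run of at least eight ASCII 'X' bytes; the sample DLL image and root.dpr fragment are constructed for the demonstration and the constant name `PatchOffset` is invented.

```python
import re
import sys

# Offset the README gives for hook.dll built with Delphi 6.
DELPHI6_OFFSET = 0x4A54


def find_placeholder_offset(dll_bytes: bytes, min_run: int = 8) -> int:
    """Return the file offset of the placeholder string of X's in hook.dll.

    Assumption: the placeholder is the longest run of at least min_run 'X'
    bytes. Refuses to guess when two runs tie, because root.exe patches
    exactly one location."""
    runs = [(m.end() - m.start(), m.start())
            for m in re.finditer(rb"X{%d,}" % min_run, dll_bytes)]
    if not runs:
        raise ValueError("no run of X's found in the image")
    runs.sort(reverse=True)
    if len(runs) > 1 and runs[0][0] == runs[1][0]:
        raise ValueError("ambiguous: several runs of X's of equal length")
    return runs[0][1]


def verify_offset(dll_bytes: bytes, offset: int, min_run: int = 8) -> bool:
    # The double-check the README recommends: the bytes at the offset that
    # root.exe will patch must actually be the placeholder.
    return dll_bytes[offset:offset + min_run] == b"X" * min_run


def delphi_hex(offset: int) -> str:
    # Delphi spells hexadecimal literals with a leading '$', e.g. $4a54.
    return "$%x" % offset


def patch_root_dpr(source: str, new_offset: int, old_offset: int = DELPHI6_OFFSET):
    """Rewrite the offset literal in root.dpr source text; returns
    (new_source, replacements). A count other than 1 means the source does
    not look like the one the README describes, so inspect it by hand."""
    literal = re.compile(r"\$" + ("%x" % old_offset) + r"(?![0-9a-fA-F])", re.IGNORECASE)
    return literal.subn(delphi_hex(new_offset), source)


# Constructed stand-in for a compiled hook.dll (not a real PE image): a
# 32-byte placeholder sits at the Delphi 6 offset, surrounded by filler.
SAMPLE_DLL = b"MZ" + b"\x00" * (DELPHI6_OFFSET - 2) + b"X" * 32 + b"\x00" * 64

# Constructed fragment standing in for the root.dpr line that holds the offset.
SAMPLE_ROOT_DPR = "const\n  PatchOffset = $4a54;\n"

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DLL
    off = find_placeholder_offset(image)
    print("placeholder at %s (verified: %s)" % (delphi_hex(off), verify_offset(image, off)))
    if off != DELPHI6_OFFSET:
        print("replace $4a54 in root.dpr with %s" % delphi_hex(off))
```

Run it as `python find_offset.py hook.dll` after each build; if it reports an offset other than $4a54 (as it will for a Delphi version other than 6), that is the value to put into root.dpr before compiling root.exe.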

Only Delphi source code is included in the archive.
Delphi Basics,
18 Sep 2010, 15:12