{"id":3665,"date":"2014-02-14T21:22:35","date_gmt":"2014-02-14T13:22:35","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3665"},"modified":"2014-02-15T02:23:04","modified_gmt":"2014-02-14T18:23:04","slug":"azazel-userland-anti-debugging-anti-detection-rootkit","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2014\/02\/azazel-userland-anti-debugging-anti-detection-rootkit\/","title":{"rendered":"Azazel &#8211; Userland Anti-debugging &#038; Anti-detection Rootkit"},"content":{"rendered":"<p>Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more.<\/p>\n<p align=\"center\"><img decoding=\"async\" src=\"http:\/\/farm8.staticflickr.com\/7417\/12524764423_144d6bb0b0.jpg\" alt=\"Azazel Rootkit\" \/><\/p>\n<p><strong>Features<\/strong><\/p>\n<ul>\n<li>Anti-debugging<\/li>\n<li>Avoids unhide, lsof, ps, ldd detection<\/li>\n<li>Hides files and directories<\/li>\n<li>Hides remote connections<\/li>\n<li>Hides processes<\/li>\n<li>Hides logins<\/li>\n<li>PCAP hooks avoid local sniffing<\/li>\n<li>Two accept backdoors with full PTY shells.<\/li>\n<ul>\n<li>Crypthook encrypted accept() backdoor<\/li>\n<li>Plaintext accept() backdoor<\/li>\n<\/ul>\n<li>PAM backdoor for local privesc and remote entry<\/li>\n<li>Log cleanup for utmp\/wtmp entries based on pty<\/li>\n<li>Uses xor to obfuscate static strings<\/li>\n<\/ul>\n<p>As with anything of this nature, it&#8217;s recommended you check the source-code\/run it in a safe environment etc. But if I have to emphasise stuff like that, this is probably the wrong site for you.<\/p>\n<p>You can grab Azazel from Github here:<\/p>\n<pre class=\"lang:sh decode:true \" >git clone https:\/\/github.com\/chokepoint\/azazel.git<\/pre>\n<p>Or read more <a href=\"http:\/\/blackhatlibrary.net\/Azazel\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azazel is a userland rootkit written in C based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features include log cleaning, pcap subversion, and more. Features Anti-debugging Avoids unhide, lsof, ps, ldd detection Hides files and directories Hides remote [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[6,7],"tags":[142,588],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3665"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=3665"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3665\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=3665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=3665"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=3665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}