Skip to content

nullcel/dollarnine

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
docs
docs
 
 
dollarnine
dollarnine
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
do.dll
do.dll
 
 
dollarnine.sln
dollarnine.sln
 
 

Repository files navigation

dollarnine

A self-propagating worm driven by an embedded rootkit
Nullcel · Report Bug · Request Feature

overview

basically a reverse shell that uses detours for api calls, and has a stable modified version of the dollarnine rootkit. once the program is ran, it starts to inject dollarnine.dll into explorer.exe. after that, it installs a copy of itself into the system, or if already installed, updated itself. it automatically adds the newly installed/updated copy into the Startup Apps, once done, it start to iterate connection tries to the commander.

rootkit

juicy ring3!

if the file starts with $9, it hides:

  • TCP & UDP connections
  • created files directories
  • processes & CPU/GPU usage
  • registry keys & values
  • services
  • proper server without netcat
  • junctions, named pipes, scheduled tasks

with that, we rename our dropped file to $9dollarnine.exe.

future/past

stuff todo

  • use powershell
  • switch option for powershell/cmd
  • make a normal controller server interface

help me

"educational purposes only" of course

About

A self-propagating worm driven by an embedded rootkit

dollarnine.nullcel.com/

Topics

reverse-shell cpp rootkit

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Languages