She and a partner, Alexander Tereshkin, have published the source to BluePill, or rather a rewrite called New BluePill (NBP), since Rutkowska’s previous employer owns the rights to the original one:
http://www.bluepillproject.org
The source is a little flawed, at least the version I got. It requires three minor corrections, but I am not sure whether this is an intentional hurdle for script-kiddies or a difference between the in-lab source and the one being published. Anyway, it’s not hard at all to figure it out. The source won’t compile with the WNET DDK, though – and presumably won’t compile with even older DDKs either. This means you have to get the Vista WDK or the beta of the 2008 Server WDK. The problem for the WNET DDK seem to be the assembly parts in the source, so this may be possible to be fixed, however, I didn’t try. The executable is around 50 kiB big. Obviously compiles only for AMD64 😉
Using ddkbuild, use the following lines to build the source (after fixing the mentioned glitches):
ddkbuild -WLHNETX64 free . ddkbuild -WLHX64 free .
Use either one of these commands. the WDK BUILD will overwrite the binary for the first one unless you change one line in sources.
Overall interesting. This should be some “fuel” into the discussion on whether such rootkits are actually detectable.
// Oliver