Variations on the Method

As you've seen, the common place to insert code patches into a function is at the very beginning of the function. This is easy, because functions are easy to find in memory. Of course, we don't need to stop there; we can also patch code bytes deep within the function itself. Deeper code patches provide better stealth and, therefore, aren't as easy to detect. Some rootkit-detection software checks the integrity of only the first 20 bytes of a function. If you place your code modification past the initial 20-byte mark, you remain undetected by that software.

Searching for code bytes to patch can sometimes work well. If the series of code bytes you wish to patch are unique, you can simply search for them in memory and patch them. When the code can simply be searched for, there is no need to use function pointers to find it. If the patch itself is simple, you can sometimes search for unique code bytes that are near the intended patch location. The trick is to find some code bytes that are unique, so they can be searched for without generating false hits.

Authentication functions are also good places to modify code. These can be disabled completely so that they always offer access. A more-complex patch could allow a backdoor password or username.

Patches to general-purpose kernel functions can provide stealth for the installed driver and programs. A fairly interesting place to patch is the loader program that loads the kernel itself. Integrity-checking functions can be patched so that they no longer detect Trojan or modified files. Patches to network functions can be used to sniff packets and other data. Patches to firmware and the BIOS can be hard to detect.

When patching and inserting code, you sometimes need to insert a great number of new instructions. From a driver, the best way to proceed is to allocate non-paged pool memory. For more-esoteric patches, however, you may wish to put your code into unused memory. There are unused sections of memory at the bottom of many memory pages. Using these lower regions of existing pages is sometimes called cavern infection (the unused section of memory being known as a cavern).