F


F-Secure Blacklight

anti-rootkit software, 254

detection software, 281–282

freeware, 311

fail-open functionality, fail-safe functionality versus, 244

feedback, types of, 244

file

configuration, 23

filtering, 138–139

functions differentiated, 20

parsing a PE formatted, 97–99

tagging a tracked, 277

file-hiding

alternate data streams technique, 15–21

technique, 15–21

testing, 212

File operations, Zw routine, 41

File and Registry (Zw), functional group, 41

file system filtering

diagrammed, 139

performing, 138

file system tamper detection, IceSword, 314

fileManager.c file

code, 17–19

GetFile (mf) function, 17–19

PutFile function, 17–19

fileManager.h file

code, 16

functions used in, 16

MASTER_FILE (mf), 16

FileMon.

See also FileMonitor

utility, 2, 5–6

FileMonitor

freeware, 304–305

RegistryMonitor versus, 305

FileName, Unicode string, 20

filter, adding a keyboard, 168–170

Filter dialog box, 303

Filter Drivers

combined filtering, 140–141

defined, 137

example, 141–166

file filtering, 138–139

filterManager.c file code, 142–145

filterManager.h file code, 142

Ghost.c file code, 146–150

inserting a, 137–138

IoManager.c file code, 154–165

IoManager.h file code, 150–154

network filtering, 139–140

SOURCES, 166

summary, 166

filtering

combined, 140–141

file, 138–139

network, 139–140

filtering software. See intended installation

filterManager.c file

code, 142–145, 173–174

filter drivers, 142–145

functions list, 142

key logging, 173–174

filterManager.h file

code, 142

filter drivers, 142

key logging, 174

FindKeyHandle, function, 189–198

findProcess, function, 210

findUnresolved, function, 54–63

forensic data, feedback, 244

Forensics, control category, 257

FreeKernelAddress, function, 54–63

FreeKeyHandle, function, 190–198

FreeKeyTrackingData, function, 189–198

freeware

DebugView, 301–302

F-Secure Blacklight, 311

FileMonitor, 304–305

IceSword, 312–314

IDA, 306–307

RegistryMonitor, 302–304

Rootkit Hook Analyzer, 311–312

Rootkit Unhooker, 308–310

RootkitRevealer, 310

Samurai, 307–308

Sophos Anti-Rootkit, 315

TCPView, 305

function

defining a hook, 31–33

trampoline, 48–49

function (Basic Rootkit)

DriverEntry, 10–12, 13

GetFile, 16, 17–19, 20

PutFile, 16–19, 20

function (Communications)

CloseTDIConnection, 122–130

OpenTDIConnection, 122–130

SendToRemoteController, 122–130

TDICompletionRoutine, 122–130

TimerDPC, 122–130

function (Concealment)

AddIndices, 190–198

AddNewKeyHandle, 189–198

AdjustIndices, 190–198

AdjustNextNewIndex, 190–198

AllocateKeyHandle, 190–198

CreateHiddenKeyIndices, 190–198

DriverEntry, 210

FindKeyHandle, 189–198

findProcess, 210

FreeKeyHandle, 190–198

FreeKeyTrackingData, 189–198

GetKeyName, 202

GetNewIndex, 190–198

GetPointerByHandle, 202

GetSubkeyCount, 190–198

InitializeKeyTracking, 189–198

NewZwEnumerateKey, 202

NewZwOpenKey, 202

NewZwQueryKey, 202

OnDeviceControl, 210

function (E-mail Filtering)

AddRef, 218–231, 219–231

CClientExtension, 219–231

CMessageEvents, 218–231

DeleteMessage, 219–231

DeregisterEntry, 234–239

DllMain, 218–231, 234–239

ExchEntryPoint, 216, 218–231

Install, 219–231

LogAttachments, 219–231

LogBody, 219–231

LogContent, 219–231, 234–239

MainEntryPoint, 232, 234–239

OnCheckNames, 218–231

OnCheckNamesComplete, 219–231

OnRead, 218–231

OnReadComplete, 218–231

OnSendMail, 234–239

OnSubmit, 216, 219–231

OnSubmitComplete, 216, 219–231

OnWrite, 218–231

OnWriteComplete, 216, 218–231

ParseRecipientList, 234–239

QueryInterface, 218–231

RegisterEntry, 234–239

Release, 218–231

SaveAttachments, 234–239

SaveBody, 234–239

SaveRecipients, 234–239

function (Filter Drivers)

insertFileFilter, 142–145

insertNetworkFilter, 142–145

IoAttachDeviceToDeviceStack, 138

IoAttachDeviceToDeviceStackSafe, 138

removeFilter, 142–145

function (Ghost Tracker)

AddTarget, 260–262

Alert, 260–262

checkConnectionButton_Click, 262–268

ControlForm, 262–268

Dispose, 260–268

InitializeComponent, 262–268

Listen, 270–272

Main, 260–262

MainForm, 260–262

Ping, 269–270

Start, 268–272

Stop, 269–272

TargetController, 268–270

targetListView_SelectedIndexChanged, 260–262

function (I/O Processing), DeviceIoControl, 103–104

function (Kernel Hooks)

DriverUnload, 34

Hook, 36–37

InterlockedExchange, 30

function (Key Logging)

ExInterlockedInsertTailList, 170

ExInterlockedRemoveHeadList, 170

GetKey, 184

InitializeListHead, 170

InitializeLogThread, 184

insertKeyboardFilter, 173–174

KeInitializeSemaphore, 170

KeInitializeSpinLock, 170

KeWaitForSingleObject, 170

KeyLoggerThread, 185

OnCancel, 185

OnKeyboardRead, 184

OnReadCompletion, 184

OnUnload, 172–173

PsCreateSystemThread, 170

PsTerminateSystemThread, 170

StartKeylogger, 174, 185

StopKeylogger, 185

function (User Hooks)

adjustData, 78–96

AfterOriginalFunction, 66–78

allocateUserMemory, 66–78

beforeEncode, 66–78

BeforeOriginalFunction, 66–78

checkPattern, 54–63

CreateFileW, 50–51

createTrampoline, 66–78

DetourFunction, 66–78

EndOfInjectedCode, 66–78

findUnresolved, 54–63

FreeKernelAddress, 54–63

GetFunctionAddress, 54–63

getHookPointers, 66–78

GetImageSize, 54–63

getNextInstruction, 78, 78–96

getx86Instruction, 66–78

hookFunction, 63

HookKernel, 54–63

HookTable, 66–78

isJump, 78–96

IsSameFile, 44–47, 54–63

IsSameString, 54–63

lstrcmpiW, 50–51

makeWritable, 66–78

MapKernelAddress, 54–63

NewZwMapViewOfSection, 54–63

noTransferOp, 78–96

processInject, 66–78

transferData, 78–96

transferDataPrefix, 78–96

transferInstruction, 78–96

transferOp0F, 78–96

transferOp66, 78–96

transferOp67, 78–96

transferOpF6, 78–96

transferOpF7, 78–96

transferOpFF, 78–96

functional groups

ANSI Prefix Manager (Pfx), 40–41

client operations, 39

Client Server Run Time (Csr), 39

Debug Manager (Dbg), 39

Event Tracing for Windows (Etw), 41

File and Registry (Zw), 41

Kernel (Ki), 40

Loader Manager (Ldr), 40

server operations, 39

functions

of GetFile, 20

in hookManager.c file, 54–55

in injectManager.c file, 66–78

mapping, 20

in ntdll.dll, 39

of parse86.c file, 78–96

of parse86.h file, 78

of PutFile, 20

resource, 20

of Rootkit Unhooker, 308

types of, 20




Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
