F-Secure Blacklight
anti-rootkit software, 254
detection software, 281–282
freeware, 311
fail-open functionality, fail-safe functionality versus, 244
feedback, types of, 244
file
configuration, 23
filtering, 138–139
functions differentiated, 20
parsing a PE formatted, 97–99
tagging a tracked, 277
file-hiding
alternate data streams technique, 15–21
technique, 15–21
testing, 212
File operations, Zw routine, 41
File and Registry (Zw), functional group, 41
file system filtering
diagrammed, 139
performing, 138
file system tamper detection, IceSword, 314
fileManager.c file
code, 17–19
GetFile (mf) function, 17–19
PutFile function, 17–19
fileManager.h file
code, 16
functions used in, 16
MASTER_FILE (mf), 16
FileMon. See also FileMonitor
utility, 2, 5–6
FileMonitor
freeware, 304–305
RegistryMonitor versus, 305
FileName, Unicode string, 20
filter, adding a keyboard, 168–170
Filter dialog box, 303
Filter Drivers
combined filtering, 140–141
defined, 137
example, 141–166
file filtering, 138–139
filtermanager.c file code, 142–145
filterManager.h file code, 142
Ghost.c file code, 146–150
inserting a, 137–138
IoManager.c file code, 154–165
IoManager.h file code, 150–154
network filtering, 139–140
SOURCES, 166
summary, 166
filtering
combined, 140–141
file, 138–139
network, 139–140
filtering software. See intended installation
filterManager.c file
code, 142–145, 173–174
filter drivers, 142–145
functions list, 142
key logging, 173–174
filterManager.h file
code, 142
filter drivers, 142
key logging, 174
FindKeyHandle, function, 189–198
findProcess, function, 210
findUnresolved, function, 54–63
forensic data, feedback, 244
Forensics, control category, 257
FreeKernelAddress, function, 54–63
FreeKeyHandle, function, 190–198
FreeKeyTrackingData, function, 189–198
freeware
DebugView, 301–302
F-Secure Blacklight, 311
FileMonitor, 304–305
IceSword, 312–314
IDA, 306–307
RegistryMonitor, 302–304
Rootkit Hook Analyzer, 311–312
Rootkit Unhooker, 308–310
RootkitRevealer, 310
Samurai, 307–308
Sophos Anti-Rootkit, 315
TCPView, 305
function
defining a hook, 31–33
trampoline, 48–49
function (Basic Rootkit)
DriverEntry, 10–12, 13
GetFile, 16, 17–19, 20
PutFile, 16–19, 20
function (Communications)
CloseTDIConnection, 122–130
OpenTDIConnection, 122–130
SendToRemoteController, 122–130
TDICompletionRoutine, 122–130
TimerDPC, 122–130
function (Concealment)
AddIndices, 190–198
AddNewKeyHandle, 189–198
AdjustIndices, 190–198
AdjustNextNewIndex, 190–198
AllocateKeyHandle, 190–198
CreateHiddenKeyIndices, 190–198
DriverEntry, 210
FindKeyHandle, 189–198
findProcess, 210
FreeKeyHandle, 190–198
FreeKeyTrackingData, 189–198
GetKeyName, 202
GetNewIndex, 190–198
GetPointerByHandle, 202
GetSubkeyCount, 190–198
InitializeKeyTracking, 189–198
NewZwEnumerateKey, 202
NewZwOpenKey, 202
NewZwQueryKey, 202
OnDeviceControl, 210
function (E-mail Filtering)
AddRef, 218–231, 219–231
CClientExtension, 219–231
CMessageEvents, 218–231
DeleteMessage, 219–231
DeregisterEntry, 234–239
DllMain, 218–231, 234–239
ExchEntryPoint, 216, 218–231
Install, 219–231
LogAttachments, 219–231
LogBody, 219–231
LogContent, 219–231, 234–239
MainEntryPoint, 232, 234–239
OnCheckNames, 218–231
OnCheckNamesComplete, 219–231
OnRead, 218–231
OnReadComplete, 218–231
OnSendMail, 234–239
OnSubmit, 216, 219–231
OnSubmitComplete, 216, 219–231
OnWrite, 218–231
OnWriteComplete, 216, 218–231
ParseRecipientList, 234–239
QueryInterface, 218–231
RegisterEntry, 234–239
Release, 218–231
SaveAttachments, 234–239
SaveBody, 234–239
SaveRecipients, 234–239
function (Filter Drivers)
insertFileFilter, 142–145
insertNetworkFilter, 142–145
IoAttachDeviceToDeviceStack, 138
IoAttachDeviceToDeviceStackSafe, 138
removeFilter, 142–145
function (Ghost Tracker)
AddTarget, 260–262
Alert, 260–262
checkConnectionButton_Click, 262–268
ControlForm, 262–268
Dispose, 260–268
InitializeComponent, 262–268
Listen, 270–272
Main, 260–262
MainForm, 260–262
Ping, 269–270
Start, 268–272
Stop, 269–272
TargetController, 268–270
targetListView_SelectedIndexChanged, 260–262
function (I/O Processing), DeviceIoControl, 103–104
function (Kernel Hooks)
DriverUnload, 34
Hook, 36–37
InterlockedExchange, 30
function (Key Logging)
ExInterlockedInsertTailList, 170
ExInterlockedRemoveHeadList, 170
GetKey, 184
InitializeListHead, 170
InitializeLogThread, 184
insertKeyboardFilter, 173–174
KeInitializeSemaphore, 170
KeInitializeSpinLock, 170
KeWaitForSingleObject, 170
KeyLoggerThread, 185
OnCancel, 185
OnKeyboardRead, 184
OnReadCompletion, 184
OnUnload, 172–173
PsCreateSystemThread, 170
PsTerminateSystemThread, 170
StartKeylogger, 174, 185
StopKeylogger, 185
function (User Hooks)
adjustData, 78–96
AfterOriginalFunction, 66–78
allocateUserMemory, 66–78
beforeEncode, 66–78
BeforeOriginalFunction, 66–78
checkPattern, 54–63
CreateFileW, 50–51
createTrampoline, 66–78
DetourFunction, 66–78
EndOfInjectedCode, 66–78
findUnresolved, 54–63
FreeKernelAddress, 54–63
GetFunctionAddress, 54–63
getHookPointers, 66–78
GetImageSize, 54–63
getNextInstruction, 78, 78–96
getx86Instruction, 66–78
hookFunction, 63
HookKernel, 54–63
HookTable, 66–78
isJump, 78–96
IsSameFile, 44–47, 54–63
IsSameString, 54–63
lstrcmpiW, 50–51
makeWritable, 66–78
MapKernelAddress, 54–63
NewZwMapViewOfSection, 54–63
noTransferOp, 78–96
processInject, 66–78
transferData, 78–96
transferDataPrefix, 78–96
transferInstruction, 78–96
transferOp0F, 78–96
transferOp66, 78–96
transferOp67, 78–96
transferOpF6, 78–96
transferOpF7, 78–96
transferOpFF, 78–96
functional groups
ANSI Prefix Manager (Pfx), 40–41
client operations, 39
Client Server Run Time (Csr), 39
Debug Manager (Dbg), 39
Event Tracing for Windows (Etw), 41
File and Registry (Zw), 41
Kernel (Ki), 40
Loader Manager (Ldr), 40
server operations, 39
functions
of GetFile, 20
in hookManager.c file, 54–55
in injectManager.c file, 66–78
mapping, 20
in ntdll.dll, 39
of parse86.c file, 78–96
of parse86.h file, 78
of PutFile, 20
resource, 20
of Rootkit Unhooker, 308
types of, 20