GetFile, function, 16, 17–19, 20
GetFunctionAddress, function, 54–63
getHookPointers, function, 66–78
GetImageSize, function, 54–63
GetKey, function, 184
GetKeyName, function, 202
GetNewIndex, function, 190–198
getNextInstruction, function, 78, 78–96
GetPointerByHandle, function, 202
GetSubkeyCount, function, 190–198
getx86Instruction, function, 66–78
Ghost
  rootkit example, 9–15
  using to block PGP encoding, 99–100
Ghost Tracker
  ControlForm.cs file code, 263–268
  GhostTracker.cs file code, 260–262
  Listen.cs file code, 271–272
  TargetController.cs file code, 269–270
Ghost.c file
  code for Basic Rootkit, 10–12
  code for Concealment, 198
  code for Filter Drivers, 146–150
  code for Kernel Hooks, 33–36
  code for Key Logging, 172–173
  code for User Hooks, 51
  comint32, 13
  concealment, 198
  DbgPrint statements, 13
  debug statements, 13
  device pointers, 146
  DriverEntry function, 10–12
  DriverUnload function, 34
  filter drivers, 146–150
  kernel32Base variable, 51–52
  key logging, 172–173
  NewSystemCallTable variable, 33–36
  OldZwMapViewOfSection variable, 33–36
  OnUnload function, 10
  pMyMDL variable, 33–36
  ZwProtectVirtualMemory, 51–52
  ZwProtectVirtualMemory variable, 51–52
Ghost.h file
  Basic Rootkit code, 10
  CreateFileW function, 50–51
  DRIVER_DATA, 10–12
  lstrcmpiW function, 50–51
  OnUnload function, 10–12
  user hooks, 50–51
  User Hooks code, 51
GhostTracker, controller, 120–121
GhostTracker form
  overview, 273
  rootkit remote controller implementation, 273
GhostTracker threading model, diagram, 259
GhostTracker.cs file
  code, 260–262
  functions list, 260
  rootkit remote controller implementation, 260–262
global variable, listOffset, 210–211