parameters, CALL_DATA_STRUCT, 63
parse86.c file
code, 79–96
functions list, 78–79
parse86.h file
code, 78
functions list, 78
ParseRecipientList, function, 234–239
parsing
PE formatted files, 97–99
x86 instructions, 96
payload
defined, 7
overview, 7–8
PE formatted files, parsing, 97–99
peFormat.h file
code, 97–99
user hooks, 97–99
periodic status reporting, feedback, 244
persistence, installation, 245–246
personal firewalls
free, 294
to purchase, 294–295
rootkit prevention, 293–295
Pfx (ANSI Prefix Manager), functional group, 40–41
PfxFindPrefix, routine, 41
PfxInitialize, routine, 40
PfxInsertPrefix, routine, 41
PfxRemovePrefix, routine, 40
PGP Desktop
overview, 115–117
Professional version 9 download, 99
PGP encoding, using Ghost to block, 99–100
PGP Monitor, Microsoft Windows 2000, XP, and 2003, 101
piggybacked, defined, 289
Ping, function, 269–270
pMyMDL
Ghost.c file variable, 33–36
hookManager.h file variable, 37–38
Policy Development, control category, 257
Policy Implementation, control category, 257
Port operations, Zw routine, 41
prevention. See rootkit prevention
privilege escalation, overview, 245
process creation detection, IceSword, 314
Process detection, IceSword, 313
process hiding
diagrammed, 206
HideMe.c file, 206–211
overview, 205–206
testing, 212
process injection
injectManager.c file and, 66–78
limitation of, 47
NewZwMapViewOfSection function, 47
overview, 43–44
trampoline function and, 49
process injection hook, beforeEncode, 67–78
Process operations, Zw routine, 41
process termination detection, IceSword, 314
ProcessGuard, anti-rootkit software, 254
Processing exceptions, Rtl routine, 41
processing levels, key logging and, 167–168
processInject, function, 66–78
programming, injected function, 114
programs, compiling, 21, 23–24
PsCreateSystemThread, function, 170
PsTerminateSystemThread, function, 170
PutFile, function, 16–19, 20