Summary

Previous page
Table of content
Next page

This chapter has fully detailed the necessary components required to process inject application memory. To keep the code as simple as possible, only bare minimum functionality has been implemented. A complete PGP monitor would need to include patterns for every possible version of the PGP SDK DLL as well as an additional hook for every version of the Self Decrypting Archive function found in the PGP SC DLL, and yet another hook for multi-file encryption using PGP version 9. Fortunately, with the tools provided, and a good understanding of IDA, this additional functionality can be added quickly. Figure 4-4 shows a complete PGP monitor.

image from book
Figure 4-4

We now have a rootkit that does all of the following:

  • Hides its device driver entry

  • Hides its configuration file

  • Hooks the operating system kernel

  • Hooks selected processes loaded by the operating system

We’re getting close to a functional rootkit. Of course, we still can’t talk to the rootkit from a local application or control the rootkit from a remote application. We’ll need to understand the basic I/O system before we jump into these forms of communication. The next chapter introduces this crucial rootkit component: I/O processing.



Previous page
Table of content
Next page
Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
BUY ON AMAZON
Metrics and Models in Software Quality Engineering (2nd Edition)
Postfix: The Definitive Guide
Data Structures and Algorithms in Java
Wireless Hacks: Tips & Tools for Building, Extending, and Securing Your Network
Java Concurrency in Practice
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy