- Copyright
- Praise for Rootkits
- Preface
  - Historical Background
  - Target Audience
  - Prerequisites
  - Scope
- Acknowledgments
- About the Authors
- About the Cover
- Chapter 1. Leave No Trace
  - Understanding Attackers' Motives
  - What Is a Rootkit?
  - Why Do Rootkits Exist?
  - How Long Have Rootkits Been Around?
  - How Do Rootkits Work?
  - What a Rootkit Is Not
  - Rootkits and Software Exploits
  - Offensive Rootkit Technologies
  - Conclusion
- Chapter 2. Subverting the Kernel
  - Important Kernel Components
  - Rootkit Design
  - Introducing Code into the Kernel
  - Building the Windows Device Driver
  - Loading and Unloading the Driver
  - Logging the Debug Statements
  - Fusion Rootkits: Bridging User and Kernel Modes
  - Loading the Rootkit
  - Decompressing the .sys File from a Resource
  - Surviving Reboot
  - Conclusion
- Chapter 3. The Hardware Connection
  - Ring Zero
  - Tables, Tables, and More Tables
  - Memory Pages
  - The Memory Descriptor Tables
  - The Interrupt Descriptor Table
  - The System Service Dispatch Table
  - The Control Registers
  - Multiprocessor Systems
  - Conclusion
- Chapter 4. The Age-Old Art of Hooking
  - Userland Hooks
  - Kernel Hooks
  - A Hybrid Hooking Approach
  - Conclusion
- Chapter 5. Runtime Patching
  - Detour Patching
  - Jump Templates
  - Variations on the Method
  - Conclusion
- Chapter 6. Layered Drivers
  - A Keyboard Sniffer
  - The KLOG Rootkit: A Walk-through
  - File Filter Drivers
  - Conclusion
- Chapter 7. Direct Kernel Object Manipulation
  - DKOM Benefits and Drawbacks
  - Determining the Version of the Operating System
  - Communicating with the Device Driver from Userland
  - Hiding with DKOM
  - Token Privilege and Group Elevation with DKOM
  - Conclusion
- Chapter 8. Hardware Manipulation
  - Why Hardware?
  - Modifying the Firmware
  - Accessing the Hardware
  - Example: Accessing the Keyboard Controller
  - How Low Can You Go? Microcode Update
  - Conclusion
- Chapter 9. Covert Channels
  - Remote Command, Control, and Exfiltration of Data
  - Disguised TCP/IP Protocols
  - Kernel TCP/IP Support for Your Rootkit Using TDI
  - Raw Network Manipulation
  - Kernel TCP/IP Support for Your Rootkit Using NDIS
  - Host Emulation
  - Conclusion
- Chapter 10. Rootkit Detection
  - Detecting Presence
  - Detecting Behavior
  - Conclusion
- Index