Conclusion

 < Day Day Up > 

In this chapter, you learned how to modify some of the very objects the kernel relies upon for its bookkeeping and reporting. Your rootkit can now hide a process and modify its access privileges so that when you return you have all the power of System. These DKOM tricks are very difficult to detect and extremely powerful! However, they also provide ample opportunity to crash the whole machine.

DKOM is not limited to just the uses presented here. You could also use DKOM to hide network ports by modifying the tables of open ports maintained by TCPIP.SYS for bookkeeping, to name just one example.

When seeking to modify kernel objects and reverse engineer where they are used, SoftIce, WinDbg, IDA Pro, and the Microsoft Symbol Server are invaluable tools.

     < Day Day Up > 


    Rootkits(c) Subverting the Windows Kernel
    Rootkits: Subverting the Windows Kernel
    ISBN: 0321294319
    EAN: 2147483647
    Year: 2006
    Pages: 111

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net