In this chapter, you learned how to modify some of the very objects the kernel relies upon for its own bookkeeping and reporting. Your rootkit can now hide a process and modify its access privileges so that when you return you have all the power of System. These DKOM tricks are very difficult to detect and extremely powerful! However, they also provide ample opportunity to crash the whole machine, because the kernel continues to trust the structures you have altered. DKOM is not limited to the uses presented here. To name just one further example, you could also use DKOM to hide network ports by modifying the tables of open ports that TCPIP.SYS maintains for bookkeeping. When seeking to modify kernel objects and to reverse engineer where they are used, SoftICE, WinDbg, IDA Pro, and the Microsoft Symbol Server are invaluable tools.