Hardware manipulation is a double-edged sword. On the one hand, it puts your rootkit at a layer below all other things. This means your rootkit has more control and more stealth (it's about as stealthy as you can get). Your options include direct access to peripheral hardware, disk controllers, USB keys, processors, and firmware memory. On the other hand, hardware is more difficult to work with, and is inherently very platform-specific. Your rootkit must be specifically designed for a given piece of hardware. In other words, the rootkit won't be very portable. The decision to use such technology in a rootkit should not be made lightly.
If you're going to incorporate hardware access into your rootkit, it's important for you to understand that firmware is just very specialized software; ultimately, we are still dealing with a software rootkit. Also consider that hardware tends to be cranky: it wants things done in very specific ways.
Even two devices with the same model number may differ "under the hood." The model number is a marketing label. Only the serial numbers can really be relied upon when determining which version of the device you're dealing with. Serial numbers can be traced back to production runs, and small fixes or modifications are made between runs.
So, before you dive in, ask yourself why you need hardware access in your rootkit. Is your goal simple or complex? Simple goals, like making a copy of a packet or flipping a bit here and there, are better suited to hardware. A good example is a hardware mod that waits until it sees a specific byte sequence in a packet before it crashes the computer. Complex back-door programs and user shells should be written in higher-level software (for instance, in kernel or user mode), and should employ hardware tricks sparingly, if at all.
Assuming you've determined that you do need hardware access in your rootkit, read on. We will cover firmware modification, how to address the hardware, timing problems, and other topics. We will also craft an example rootkit that can interface with the keyboard controller chip.