Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
ISBN: 0321294319
EAN: 2147483647
EAN: 2147483647
Year: 2006
Pages: 111
Pages: 111
Authors: Greg Hoglund, Jamie Butler
- Rootkits: Subverting the Windows Kernel
- Table of Contents
- Copyright
- Praise for Rootkits
- Preface
- Historical Background
- Target Audience
- Prerequisites
- Scope
- Acknowledgments
- About the Authors
- About the Cover
- Chapter 1. Leave No Trace
- Understanding Attackers Motives
- What Is a Rootkit?
- Why Do Rootkits Exist?
- How Long Have Rootkits Been Around?
- How Do Rootkits Work?
- What a Rootkit Is Not
- Rootkits and Software Exploits
- Offensive Rootkit Technologies
- Conclusion
- Chapter 2. Subverting the Kernel
- Important Kernel Components
- Rootkit Design
- Introducing Code into the Kernel
- Building the Windows Device Driver
- Loading and Unloading the Driver
- Logging the Debug Statements
- Fusion Rootkits: Bridging User and Kernel Modes
- Loading the Rootkit
- Decompressing the .sys File from a Resource
- Surviving Reboot
- Conclusion
- Chapter 3. The Hardware Connection
- Ring Zero
- Tables, Tables, and More Tables
- Memory Pages
- The Memory Descriptor Tables
- The Interrupt Descriptor Table
- The System Service Dispatch Table
- The Control Registers
- Multiprocessor Systems
- Conclusion
- Chapter 4. The Age-Old Art of Hooking
- Userland Hooks
- Kernel Hooks
- A Hybrid Hooking Approach
- Conclusion
- Chapter 5. Runtime Patching
- Detour Patching
- Jump Templates
- Variations on the Method
- Conclusion
- Chapter 6. Layered Drivers
- A Keyboard Sniffer
- The KLOG Rootkit: A Walk-through
- File Filter Drivers
- Conclusion
- Chapter 7. Direct Kernel Object Manipulation
- DKOM Benefits and Drawbacks
- Determining the Version of the Operating System
- Communicating with the Device Driver from Userland
- Hiding with DKOM
- Token Privilege and Group Elevation with DKOM
- Conclusion
- Chapter 8. Hardware Manipulation
- Why Hardware?
- Modifying the Firmware
- Accessing the Hardware
- Example: Accessing the Keyboard Controller
- How Low Can You Go? Microcode Update
- Conclusion
- Chapter 9. Covert Channels
- Remote Command, Control, and Exfiltration of Data
- Disguised TCPIP Protocols
- Kernel TCPIP Support for Your Rootkit Using TDI
- Raw Network Manipulation
- Kernel TCPIP Support for Your Rootkit Using NDIS
- Host Emulation
- Conclusion
- Chapter 10. Rootkit Detection
- Detecting Presence
- Detecting Behavior
- Conclusion
- Index
- index_SYMBOL
- index_A
- index_B
- index_C
- index_D
- index_E
- index_F
- index_G
- index_H
- index_I
- index_J
- index_K
- index_L
- index_M
- index_N
- index_O
- index_P
- index_R
- index_S
- index_T
- index_U
- index_V
- index_W
- index_Z
Rootkits: Subverting the Windows Kernel
ISBN: 0321294319
EAN: 2147483647
EAN: 2147483647
Year: 2006
Pages: 111
Pages: 111
Authors: Greg Hoglund, Jamie Butler