Concealment is one of the defining criteria of a rootkit: concealment by obfuscation, concealment of low-level communication links, concealment of device driver filters, concealment of process injection, concealment of device driver entries, and so on. Up until now I have avoided the most easily detectable methods of concealment, specifically file, registry key, and process hiding, but there are many environments where detection is not a consideration and concealment is a paramount concern. In these environments, any form of concealment can be used to prevent either accidental or purposeful tampering.
For example, a rootkit monitoring USB traffic to guard end users from accidentally copying customer data to their memory keys will make its presence known whenever a transfer policy is breached. Either the file transfer consistently fails, or a dialog stating “You can’t copy that to a USB key!” will alert most operators to the presence of monitoring software. Rootkits in this category rely on system administrators to maintain their operation and only need to prevent end users from removing the software. In this environment it should be clear that using system call table hooking to hide directories, registry keys, and processes is a viable option.
This chapter includes the following:
Registry key hiding
File directory hiding