Process Hiding


Process hiding is accomplished by removing a specific process entry from the process linked list, just as our rootkit is removed from the device driver linked list. The implementation provided in this section uses the process ID to find a process in the process linked list and then sets the neighbouring link pointers so that they bypass the desired process entry. This design requires the process to tell the rootkit its process ID. Fortunately, our rootkit already has a local command interface mechanism, so implementing this functionality will only require slight modifications to existing files, although one new file will be required to test process hiding: it is aptly named HideMe.c. Process hiding is shown in Figure 9-1.

Figure 9-1
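The unlinking described above is what a defender's cross-view check is built to catch: the hidden entry disappears from the linked list that the OS walks, but the object itself is still allocated, so a second view that scans the allocations directly still finds it. The following user-mode simulation is an added example, not the book's code and not Windows kernel code; `proc_entry`, the `pool` array and its PIDs are constructed stand-ins for real process objects. `build_list` links every pool entry except an optional one, which models the post-unlinking state without touching a live kernel; `find_hidden` then diffs the two views.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed stand-in for a kernel process object (hypothetical, not EPROCESS). */
typedef struct proc_entry {
    unsigned int pid;
    const char *name;
    struct proc_entry *flink;   /* forward link in the process list   */
    struct proc_entry *blink;   /* backward link in the process list  */
} proc_entry;

#define POOL_SIZE 5

/* Constructed "pool": every process object that exists, whether linked or not. */
static proc_entry pool[POOL_SIZE] = {
    {4,    "System",       NULL, NULL},
    {372,  "smss.exe",     NULL, NULL},
    {516,  "winlogon.exe", NULL, NULL},
    {1188, "explorer.exe", NULL, NULL},
    {2044, "hideme.exe",   NULL, NULL},
};

static proc_entry list_head;   /* sentinel; the list is circular through it */

/* Link the pool into a circular doubly linked list, leaving out skip_pid to
 * model an entry that has been unlinked. skip_pid == 0 links everything. */
void build_list(unsigned int skip_pid) {
    list_head.flink = list_head.blink = &list_head;
    for (size_t i = 0; i < POOL_SIZE; i++) {
        proc_entry *e = &pool[i];
        e->flink = e->blink = NULL;
        if (e->pid == skip_pid)
            continue;                       /* neighbours never point at it */
        proc_entry *last = list_head.blink;
        e->blink = last;
        e->flink = &list_head;
        last->flink = e;
        list_head.blink = e;
    }
}

/* View 1: walk the list, as the OS process enumeration does. */
size_t walk_list(unsigned int *out, size_t max) {
    size_t n = 0;
    for (proc_entry *e = list_head.flink; e != &list_head && n < max; e = e->flink)
        out[n++] = e->pid;
    return n;
}

/* View 2: scan the allocations directly (the analog of pool scanning in
 * memory forensics). Finds every object regardless of its link pointers. */
size_t scan_pool(unsigned int *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < POOL_SIZE && n < max; i++)
        out[n++] = pool[i].pid;
    return n;
}

/* Cross-view diff: a PID present in the scan but absent from the walk is a
 * hidden-process candidate. Fills hidden[] and returns how many were found. */
size_t find_hidden(unsigned int *hidden, size_t max) {
    unsigned int listed[POOL_SIZE], scanned[POOL_SIZE];
    size_t nl = walk_list(listed, POOL_SIZE);
    size_t ns = scan_pool(scanned, POOL_SIZE);
    size_t nh = 0;
    for (size_t i = 0; i < ns; i++) {
        bool seen = false;
        for (size_t j = 0; j < nl && !seen; j++)
            seen = (listed[j] == scanned[i]);
        if (!seen && nh < max)
            hidden[nh++] = scanned[i];
    }
    return nh;
}

int main(void) {
    build_list(2044);                       /* constructed scenario: one entry unlinked */
    unsigned int hidden[POOL_SIZE];
    size_t n = find_hidden(hidden, POOL_SIZE);
    printf("list walk shows %zu of %d objects\n", POOL_SIZE - n, POOL_SIZE);
    for (size_t i = 0; i < n; i++)
        printf("hidden process candidate: pid %u\n", hidden[i]);
    return 0;
}
```

The detector deliberately ignores the hidden entry's own `flink`/`blink` values, since a rootkit controls those; it relies only on the fact that the object still occupies memory. Real tools apply the same idea by comparing a list walk against pool-tag scanning, handle-table walks, or scheduler thread lists, and any disagreement between views is the signal.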




Source: Professional Rootkits (Programmer to Programmer), Ric Vieler, 2007, 229 pages, ISBN 0470101547.

