How Do I Build a Rootkit?

Assembling a complete rootkit toolkit will take a lot of time. Fortunately, everything you need to get started can be downloaded from Microsoft (http://msdn2.microsoft.com/en-us/default.aspx). The three most important tools you need are the Microsoft Driver Development Kit (DDK), a C compiler, and the Windows Platform Software Development Kit (SDK). Fortunately, these can all be downloaded from Microsoft without cost.

Though the Visual C++ compiler and the Software Development Kit (SDK) can be downloaded directly, the Driver Development Kit (DDK) can only be downloaded as an ISO image (unless you happen to have a Microsoft MSDN subscription). At the time of this writing, you can get the ISO image from www.microsoft.com/whdc/devtools/ddk/default.mspx. This image can be transferred to a CD using the “record a disk from a disk image” feature of your CD burning software. If you do not have the capability to burn a CD from an ISO image, and you don’t have (or know someone who has) a Microsoft MSDN subscription, you can order the Windows Server 2003 SP1 DDK CD at no cost (other than a small shipping and handling fee) from www.microsoft.com/whdc/devtools/ddk/orderddkcd.mspx.

Currently, Microsoft Visual C++ 2005 Express is available for download, free of charge, from http://msdn.microsoft.com/vstudio/express/visualc/download. This development environment has everything needed to develop basic Windows applications. In addition, Visual C++ 2005 Express has a C compiler that will enable you to create the console programs needed to load, unload, and test the rootkits developed in this book.

The console programs you will be creating are native Win32 programs, so you will also need to download and install the Microsoft Windows Platform SDK separately. The SDK (PSDK-x86.exe) can currently be downloaded from www.microsoft.com/downloads/details.aspx?FamilyId=&displaylang=en#filelist.

Combined, the Driver Development Kit, the Visual C++ compiler (or any Windows-compatible C compiler) and the Platform SDK will enable you to follow along with, compile, and run every example in this book. There are, however, several utilities that will make rootkit development much easier, the first of which is DebugView. This utility enables you to see debugging statements while executing rootkits. Though this is not technically a necessity for rootkit development, I can’t imagine writing a rootkit without it. In addition to DebugView, the good folks at Sysinternals also provide Diskmon, Filemon, and Regmon, three utilities that enable you to monitor disk activity, file system activity, and registry activity, respectively. You’ll want to have these in your toolkit as well. If you have downloaded the source code for this book, you will find individual archives for each of these utilities under “Chapter 1 Tools.”

If you want to delve deeply into the technology behind rootkits, you will also want to get a copy of IDA. IDA is the reverse-engineering tool that will be used in Chapter 4 to pick apart the PGP encryption library. At the time of this writing, IDA cannot be downloaded from the creators, DataRescue. You can purchase IDA Pro from DataRescue, but you will need to perform an Internet search to find a download link for the free version of IDA. To the best of my k nowledge, the last free version of IDA is 4.1, so entering ida + “4.1 ida pro” download datarescue should get you a list that contains at least one download link. Alternately, if you have downloaded the source code for this book, you will find the individual archive IDA_4_1 under “Chapter 1 Tools.”

Another tool for delving into the deepest layers of rootkit development is “Debugging Tools for Windows.” This package contains four debuggers, one of which is a kernel-level debugger that can come in handy when your device driver isn’t working as expected and debugging statements just aren’t enough to figure out what’s going on. This package includes the most recent DDKs, so you may already have it. If not, the package can be downloaded from www.microsoft.com/whdc/devtools/debugging/installx86.mspx. Kernel-level debugging isn’t covered in this book, but “Debugging Tools for Windows” is nonetheless a valuable addition to any rootkit toolkit.

You will find that the kernel debugger mentioned above is of little value without the symbols for the operating system you are using. You can get these symbols from www.microsoft.com/whdc/devtools/debugging/symbolpkg.mspx. After downloading and installing the symbols, you need to tell your kernel debugger where they are. From Start All Programs Debugging Tools for Windows WinDbg, select the menu option File Symbol File Path, and browse to the directory where symbols were installed. Selecting the Symbols directory will magically transform the kernel debugger into a fountain of information that can be used to both fix rootkits and investigate new rootkit technologies.

There is one additional development tool mentioned in this book that has yet to be covered: the Visual C# compiler used to create the rootkit controller developed in Chapter 11. This is another free development environment offered by Microsoft, and can be found at http://msdn.microsoft.com/vstudio/express/visualcsharp. The Visual Studio C# 2005 development environment will not interfere with the Visual Studio C++ 2005 development environment, so feel free to download and install both. The C# compiler also makes a good addition to any rootkit toolkit.

Once you have the Microsoft DDK, a Windows C/C++ compiler, the Microsoft Windows Platform SDK, Sysinternals’ DebugView, RegMon, FileMon, and DiskMon, DataRescue’s IDA, Debugging Tools for Windows, Kernel Debugging Symbols, and Visual Studio C# 2005 Express, you will be ready to tackle basic rootkit development. Remember that the toolkit you develop can be a valuable collection for years to come, so take a moment to zip and archive the components you’ve collected before jumping into rootkit development. Figure 1-1 shows a typical rootkit toolkit.

Figure 1-1