C compiler, downloading a, 1
C# Visual Studio, installing, 120
CALL_DATA_STRUCT, members of, 63
callType, CALL_DATA_STRUCT, 63
CClientExtension, function, 219–231
checkConnectionButton_Click, function, 262–268
Checked DDK shell, using the, 5
checkPattern, function, 54–63
cleanup, installation, 251–254
client operations, functional groups for hooking, 39
Client Server Run Time (Csr), functional group, 39
CloseTDIConnection, function, 122–130
CMessageEvents, function, 218–231
code
commManager.c file, 122–133
commManager.h file, 121–122
configManager.c file, 14–15
configManager.h file, 13
ControlForm.cs file, 263–268
Controller.c file, 105–106
in data segment prevention technique, 299
directory hiding, 203–205
fileManager.c file, 17–19
fileManager.h file, 16
filterManager.c file, 142–145, 173–174
filterManager.h file, 142
Ghost.c file, 10–12, 33–36, 146–150, 172–173, 198
Ghost.h file, 10, 51
GhostTracker.cs file, 260–262
HideMe.c file, 206–210, 211
Hook Function, 31–33
hookManager.c file, 36–37, 55–63, 199–202
hookManager.h file, 37–38, 52–54, 198–199
injectManager.c file, 67–78
injectManager.h file, 63–66
installation, 246–247, 249–251, 251–254
IoManager.c file, 110–114, 154–166, 174
IoManager.h file, 106–107, 150–154
Kernel Memory Protection, 28–30
keyManager.c file, 176–184
keyManager.h file, 174–175
link library, 44–46
Listen.cs file, 271–272
Lotus Notes Client Extension testing, 242
LotusExtension.c file, 235–239
LotusExtension.def file, 240
LotusExtension.h file, 234
LotusExtension.mak file, 240
Mozilla Firefox installation, 249–251
Outlook Client Extension testing, 232
OutlookExtension.cpp file, 219–230
OutlookExtension.h file, 216–218
parse86.c file, 79–96
parse.c file, 79–96
parse.h file, 78
peFormat.h file, 97–99
readme.txt file, 241
registryManager.c file, 190–197
registryManager.h file, 188–189
SCMLoader.c file, 22
SCMUnloader.c file, 25
TargetController.cs file, 269–270
code (Basic Rootkit)
configManager.c file, 14–15
configManager.h file, 13
fileManager.c file, 17–19
fileManager.h file, 16
Ghost.c file, 10–12
SCMLoader.c file, 22
SCMUnloader.c file, 25
code (Communications)
commManager.c file, 122–133
commManager.h file, 121–122
code (Concealment)
Ghost.c file, 198
HideMe.c file, 206–210, 211
hookManager.c file, 199–202
hookManager.h file, 198–199
registryManager.c file, 190–197
registryManager.h file, 188–189
code (E-mail Filtering)
LotusExtension.c file, 235–239
LotusExtension.def file, 240
LotusExtension.h file, 234
LotusExtension.mak file, 240
OutlookExtension.cpp file, 219–230
OutlookExtension.h file, 216–218
readme.txt file, 241
code (Filter Drivers)
filterManager.c file, 142–145
filterManager.h file, 142
Ghost.c file, 146–150
IoManager.c file, 154–166
IoManager.h file, 150–154
code (Ghost Tracker)
ControlForm.cs file, 263–268
GhostTracker.cs file, 260–262
Listen.cs file, 271–272
TargetController.cs file, 269–270
code (I/O Processing)
Controller.cs file, 105–106
IoManager.c file, 110–114
IoManager.h file, 106–107
code (Kernel Hooks)
filterManager.c file, 173–174
Ghost.c file, 33–36
hookManager.c file, 36–37
hookManager.h file, 37–38
IoManager.c file, 174
keyManager.c file, 176–184
keyManager.h file, 174–175
code (Key Logging), Ghost.c file, 172–173
code (User Hooks)
Ghost.c file, 51–52
Ghost.h file, 51
hookManager.c file, 55–63
hookManager.h file, 52–54
injectManager.c file, 67–78
injectManager.h file, 63–66
parse86.c file, 79–96
parse86.h file, 78
peFormat.h file, 97–99
combined filtering, diagrammed, 141
comint32.sys, rootkit/device driver, 21
comint32, debug statements and, 13
command
build, 25
ipconfig, 121
Command Prompt window, VCVARS32.BAT, 23
commManager.c file
code, 122–133
functions list, 122
used in Communications, 122–133
commManager.h file
code, 121–122
used in Communications, 121–122
Communications
code, 121–133
commManager.c file, 122–130
commManager.h file, 121–122
example, 120–133
initiating the connection, 120
running the example, 133–135
SOURCES, 130–131
summary, 135–136
Transport Driver Interface (TDI), 119–120
compiling, programs, 21, 23–24
completion routine, keyboard I/O, 168
Compression and decompression operations, Rtl routine, 41
computer code. See code
Concealment
directory hiding, 203–205
directory hiding code, 203–205
Ghost.c file, 198
Ghost.c file code, 198
HideMe.c file code, 206–210, 211
hookManager.c file, 199–202
hookManager.c file code, 199–202
hookManager.h file, 198–199
hookManager.h file code, 198–199
overview, 187
process hiding, 205–211
registry key hiding, 187–202
registryManager.c file, 189–198
registryManager.c file code, 190–197
registryManager.h file, 188–189
registryManager.h file code, 188–189
summary, 212–213
testing, 211–212
configManager.c file, code, 14–15
configManager.h file
code, 13
DriverEntry function, 13
configuration file
creating the, 23
diagrammed, 16
connection
initiating the, 120
rootkit controller, 257
Console Application, using the, 105–114
Control categories, overview, 257
Control Panels, control category, 257
ControlForm
function, 262–268
overview, 273
rootkit remote controller implementation, 273
ControlForm.cs file
code, 263–268
functions list, 262
rootkit remote controller implementation, 262–268
controller
Control categories, 257
designing the, 256–257
determining the necessity of a, 255
interface, 256
Interface medium, 256
Summary view, 257
Controller.c file
code, 105–106
I/O Processing, 105–106
CreateFileW, function, 50–51
CreateHiddenKeyIndices, function, 190–198
createTrampoline, function, 66–78
creating
a basic rootkit, 9–12
configuration files, 23
CrsNewThread, routine, 39
Csr (Client Server Run Time), functional group, 39
CsrCaptureMessageBuffer, routine, 39
CsrClientCallServer, routine, 39
CsrConnectClientToServer, routine, 39