Dbg (Debug Manager), functional group, 39
DbgBreakPoint, routine, 39
DbgPrint, routine, 39
DbgPrint statements, Ghost.c file and, 13
DbgUiConnectToDbg, routine, 39
DbgUserBreakPoint, routine, 39
Debug Manager (Dbg), functional group, 39
debug operations, functional groups for hooking, 39
debug statements
comint32 and, 13
Ghost.c file and, 13
Debug View
downloading, 5
output, 24
utility, 2
Debugging Tools for Windows
downloading, 2
verifying, 7
DebugView, freeware, 301–302
DeleteMessage, function, 219–231
demand start loading, defined, 21
DeregisterEntry, function, 234–239
detecting, rootkits, 275–290
detection methods
IceSword, 312–313
rootkit, 275–279
detection software. See also software
F-Secure Blacklight, 281–282
IceSword, 283–286
Rootkit Hook Analyzer, 282–283
RootkitRevealer, 280–281
Strider GhostBuster, 280
Sophos Anti-Rootkit, 286–287
DetourFunction, function, 66–78
device driver
comint32.sys, 21
diagrammed, 12
handling IO within the, 107–114
loading a, 21–22
rootkit, 9–15
unloading a, 21, 25
device extension, defined, 138
device pointer
newFileSysDevice, 146–150
newNetworkDevice, 146–150
oldFileSysDevice, 146–150
oldNetworkDevice, 146–150
DeviceIoControl, function, 103–104
diagrams
basic IO control, 104
combined filtering, 141
configuration file, 16
device driver, 12
file system filters, 139
GhostTracker threading model, 259
key logger insertion, 169
key logger synchronization, 170
key processing, 171
loading/unloading a device driver, 21
Memory Descriptor Lists, 28
network filtering, 140
NewSystemCallTable, 30
parsing x86 instructions, 96
PGP Monitor for Windows 2000, XP and 2003, 101
process hiding, 206
Process Hiding Detection, 279
rootkit environment, 134
SwapContext Process Hiding Detection, 279
system call table, 30
system call table hooking, 31
trampoline process, 49
ZwMapViewOfSection, 44
dialog box
Filter, 303
IDA file selection, 7
Load File, 307
Recipient Selection, 115–116
Save As, 115–116
Save PGP Zip As, 115–116
Windows Firewall, 293
directory hiding
coding, 203–205
overview, 203–205
Diskmon, utility, 2, 5–6
Dispose, function, 260–268
DllMain, function, 218–231, 234–239
downloading
C compiler, 1
Debug View, 5
Debugging Tools for Windows, 2
Lotus Notes C API, 233
Microsoft Driver Development Kit (DDK), 2
Microsoft Visual C++ 2005 Express, 2
PGP Professional Version, 9, 99
symbols, 2–3
Windows Platform Software Development Kit (SDK), 1–2
driver load prevention, prevention technique, 298–299
DRIVER_DATA, operating system structure, 10–12
DriverEntry
entry function, 10–12, 13
function, 210
I/O Processing, 110
drivers.exe, rootkit testing with, 26
DriverUnload, function, 34
Dynamic Link Libraries (DLLs), overview, 43–44