D


Dbg (Debug Manager), functional group, 39

DbgBreakPoint, routine, 39

DbgPrint, routine, 39

DbgPrint statements, Ghost.c file and, 13

DbgUiConnectToDbg, routine, 39

DbgUserBreakPoint, routine, 39

Debug Manager (Dbg), functional group, 39

debug operations, functional groups for hooking, 39

debug statements

comint32 and, 13

Ghost.c file and, 13

Debug View

downloading, 5

output, 24

utility, 2

Debugging Tools for Windows

downloading, 2

verifying, 7

DebugView, freeware, 301–302

DeleteMessage, function, 219–231

demand start loading, defined, 21

DeregisterEntry, function, 234–239

detecting, rootkits, 275–290

detection methods

IceSword, 312–313

rootkit, 275–279

detection software. See also software

F-Secure Blacklight, 281–282

IceSword, 283–286

Rootkit Hook Analyzer, 282–283

RootkitRevealer, 280–281

Strider GhostBuster (ghostbuster), 280

Sophos Anti-Rootkit, 286–287

DetourFunction, function, 66–78

device driver

comint32.sys, 21

diagrammed, 12

handling IO within the, 107–114

loading a, 21–22

rootkit, 9–15

unloading a, 21, 25

device extension, defined, 138

device pointer

newFileSysDevice, 146–150

newNetworkDevice, 146–150

oldFileSysDevice, 146–150

oldNetworkDevice, 146–150

DeviceIoControl, function, 103–104

diagrams

basic IO control, 104

combined filtering, 141

configuration file, 16

device driver, 12

file system filters, 139

GhostTracker threading model, 259

key logger insertion, 169

key logger synchronization, 170

key processing, 171

loading/unloading a device driver, 21

Memory Descriptor Lists, 28

network filtering, 140

NewSystemCallTable, 30

parsing x86 instructions, 96

PGP Monitor for Windows 2000, XP, and 2003, 101

process hiding, 206

Process Hiding Detection, 279

rootkit environment, 134

SwapContext Process Hiding Detection, 279

system call table, 30

system call table hooking, 31

trampoline process, 49

ZwMapViewOfSection, 44

dialog box

Filter, 303

IDA file selection, 7

Load File, 307

Recipient Selection, 115–116

Save As, 115–116

Save PGP Zip As, 115–116

Windows Firewall, 293

directory hiding

coding, 203–205

overview, 203–205

Diskmon, utility, 2, 56

Dispose, function, 260–268

DllMain, function, 218–231, 234–239

downloading

C compiler, 1

Debug View, 5

Debugging Tools for Windows, 2

Lotus Notes C API, 233

Microsoft Driver Development Kit (DDK), 2

Microsoft Visual C++ 2005 Express, 2

PGP Professional Version, 9, 99

symbols, 2–3

Windows Platform Software Development Kit (SDK), 1–2

driver load prevention, prevention technique, 298–299

DRIVER_DATA, operating system structure, 10–12

DriverEntry

entry function, 10–12, 13

function, 210

I/O Processing, 110

drivers.exe, rootkit testing with, 26

DriverUnload, function, 34

Dynamic Link Libraries (DLLs), overview, 43–44

Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar books on Amazon
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code