G


GetFile, function, 16, 17–19, 20

GetFunctionAddress, function, 54–63

getHookPointers, function, 66–78

GetImageSize, function, 54–63

GetKey, function, 184

GetKeyName, function, 202

GetNewIndex, function, 190–198

getNextInstruction, function, 78, 78–96

GetPointerByHandle, function, 202

GetSubkeyCount, function, 190–198

getx86Instruction, function, 66–78

Ghost

rootkit example, 9–15

using to block PGP encoding, 99–100

Ghost Tracker

ControlForm.cs file code, 263–268

GhostTracker.cs file code, 260–262

Listen.cs file code, 271–272

TargetController.cs file code, 269–270

Ghost.c file

code for Basic Rootkit, 10–12

code for Concealment, 198

code for Filter Drivers, 146–150

code for Kernel Hooks, 33–36

code for Key Logging, 172–173

code for User Hooks, 51

comint32, 13

concealment, 198

DbgPrint statements, 13

debug statements, 13

device pointers, 146

DriverEntry function, 10–12

DriverUnload function, 34

filter drivers, 146–150

kernel32Base variable, 51–52

key logging, 172–173

NewSystemCallTable variable, 33–36

OldZwMapViewOfSection variable, 33–36

OnUnload function, 10

pMyMDL variable, 33–36

ZwProtectVirtualMemory, 51–52

ZwProtectVirtualMemory variable, 51–52

Ghost.h file

Basic Rootkit code, 10

CreateFileW function, 50–51

DRIVER_DATA, 10–12

lstrcmpiW function, 50–51

OnUnload function, 10–12

user hooks, 50–51

User Hooks code, 51

GhostTracker, controller, 120–121

GhostTracker form

overview, 273

rootkit remote controller implementation, 273

GhostTracker threading model, diagram, 259

GhostTracker.cs file

code, 260–262

functions list, 260

rootkit remote controller implementation, 260–262

global variable, listOffset, 210–211




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Authors: Ric Vieler
