I


I/O control, testing, 114–117

I/O functions, differentiated, 20

I/O Processing

buildController.bat, 107

code for handling IO within the device driver, 108–110

Controller.c file, 105–106

Controller.c file code, 105–106

DeviceIoControl function, 103–104

DriverEntry, 110

handling IO within the Device Driver, 107–114

injected function programming, 114

IoManager.c file, 110–112

IoManager.c file code, 110–114

IoManager.h file, 106–107

IoManager.h file code, 106–107

SOURCES, 112

summary, 117–118

testing I/O control, 114–117

The Console Application, 105–107

I/O Request Packets (IRPs), defined, 120

IceSword

autostarted application detection, 314

browser helper object detection, 314

detection methods, 312–313

detection software, 283–286

file system tamper detection, 314

freeware, 312–314

kernel module detection, 313

kernel system call table hook detection, 314

message hook detection, 314

process creation detection, 314

process termination detection, 314

registry tamper detection, 314

service detection, 314

winsock catalog entry detection, 314

IDA

advantages to using, 47–48

downloading, 2

file selection dialog box, 7

freeware, 306–307

overview, 6

plug-ins availability, 306

process injection and, 47–48

verifying, 7

index, CALL_DATA_STRUCT, 63

initialization files, installation, 248–249

InitializeComponent, function, 262–268

InitializeKeyTracking, function, 189–198

InitializeListHead, function, 170

InitializeLogThread, function, 184

Initializing and using critical sections, Rtl routine, 41

Initializing and using resources, Rtl routine, 41

Initializing and using security objects, Rtl routine, 41

Initializing and using strings, Rtl routine, 41

Initializing and using threads, Rtl routine, 41

injected function programming

application programming versus, 114

overview, 114

injectManager.c file

code, 67–78

functions listed, 66–67

functions of, 66–67

process injection and, 66–78

user hooks, 66–78

injectManager.h file

CALL_DATA_STRUCT members, 63

code, 63–66

Ghost.h file, 50–51

user hooks, 63–66

IN_PROCESS_DATA, Ghost.h file, 50–51

insertFileFilter, function, 142–145, 145

inserting, filter drivers, 137–138

insertKeyboardFilter, function, 173–174

insertNetworkFilter, function, 142–145

Install, function, 219–231

installation

cleanup, 251–254

code, 246–247, 249–254

considerations summary, 254

End User License Agreements (EULAs), 244–245

initialization files, 248–249

intended, 243–244

persistence, 245–246

privilege escalation, 245

registry settings, 247–248

software for intended, 244

technique for Mozilla Firefox (mf), 249–251

testing, 254

through exploitation, 249–251

unintended, 245

using ZwSetSystemInformation, 246–247

installing

C# Visual Studio, 120

a Lotus Notes client filter, 241–242

the Microsoft Driver Development Kit (DDK), 4

Microsoft Visual C++ 2005 Express, 5

an Outlook client filter, 231

a rootkit, 21–25

the Windows Platform Software Development Kit (SDK), 5

InstallShield, software, 244, 287

instruction, parsing x86, 96

integrating, the SQL Server, 5

intended installation

overview, 243–244

software, 244

intercept method, IRP, 169–170

interface, overview, 256

interface-driven, low-level technology versus, 256

Interface medium, overview, 256

InterlockedExchange, function, 30

IO

control basic overview, 104

handling within the device driver, 107–114

IoAttachDeviceToDeviceStack function, IoAttachDeviceToDeviceStackSafe function versus, 138

IoManager.c file

code for Filter Drivers, 154–166

code for I/O Processing, 106–107, 110–114

code for Key Logging, 174

filter drivers, 154–165

I/O Processing, 110–112

key logging, 174

IoManager.h file

code, 150–154

filter drivers, 150–154

I/O Processing, 106–107

IP address, finding an, 121

ipconfig command, finding an IP address with the, 121

IPv4 and IPv6 operations, Rtl routine, 41

IRP intercept method, key logging and the, 169–170

IRPs (I/O Request Packets), defined, 120

IRQL = APC_LEVEL, processing level, 168

IRQL = DIRQL, processing level, 168

IRQL = DISPATCH_LEVEL, processing level, 168

IRQL = PASSIVE_LEVEL, processing level, 168

isJump, function, 78, 78–96

ISO image, downloading the, 12

IsSameFile, function, 44–47, 54–63

IsSameString, function, 54–63




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
