K


KeInitializeSemaphore, function, 170

KeInitializeSpinLock, function, 170

Kerio Personal Firewall, overview, 294

kernel

call table hooking detection, 277

function hooking detection, 277

hooking problems, 42

Kernel Debugger, overview, 6

kernel hook prevention, prevention technique, 298

Kernel Hooks

basic components of, 31

code for defining a hook function, 31–33

code for kernel memory protection, 29–30

DriverUnload function, 34

example, 33–38

functional groups, 39–41

Ghost.c file code, 33–36

hookManager.c file, 36–37

hookManager.c file code, 36–37

hookManager.h file, 37–38

hookManager.h file code, 37–38

kernel hook functions, 31–33

kernel hook macros, 30–31

kernel memory protection, 28–31

problems with, 42

summary, 42

system service table, 27–28

Kernel (Ki), functional group, 40

kernel memory, scanning, 278

kernel mode device driver, wOpenFile, 20

kernel module detection, IceSword, 313

kernel system call table hook detection, IceSword, 314

kernel32Base variable, Ghost.c, 5152

kernel32.dll, Ghost.h, 5051

KeServiceDescriptorTable

hookManager.h file, 37–38

system call table, 27–30

KeWaitForSingleObject, function, 170

key code mapping, key processing versus, 171

key codes, interpreting, 170171

key logger

insertion diagram, 169

synchronization diagram, 170

Key Logging

example, 171–185

example testing, 185

filterManager.c file, 173–174

filterManager.c file code, 173–174

filterManager.h file, 174

Ghost.c file, 172–173

Ghost.c file code, 172–173

IoManager.c file, 174

IoManager.c file code, 174

IRP intercept method, 169–170

key codes, 170–171

keyboard filter, 168–170

keyManager.c file, 176–184

keyManager.c file code, 176–184

keyManager.h file, 174–175

keyManager.h file code, 174–175

processing levels, 167–168

SOURCES, 172

summary, 186

threading and synchronization, 170

key processing

diagram, 171

key code mapping versus, 171

keyboard filter, adding a, 168170

keyboard I/O, completion routine, 168

keyboardData global variable, key logging, 172173

KeyLoggerThread, function, 185

keyManager.c file

code, 176–184

key logging, 176–184

keyManager.h file

code, 174–175

key logging, 174–175

Ki (Kernel), functional group, 40

KiRaiseUserExceptionDispatcher, routine, 40

KiUserApcDispatcher, routine, 40

KiUserCallbackDispatcher, routine, 40

KiUserExceptionDispatcher, routine, 40

known good environment, defined, 276




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net