Testing Your Rootkit

Previous page
Table of content
Next page

Now that you can load, unload, start, and stop a basic rootkit, you can verify the rootkit technologies detailed in this chapter.

The first test will require a system administration tool, something that can list all the active device drivers currently running on the system. The standard tool for this task is drivers.exe. This utility is supplied with most Microsoft operating system resource kits, as well as most driver development kits. Running this application with no parameters will provide a list of all running device drivers. Loading and starting MyDeviceDriver should not add the expected comint32.sys entry to the list of running device drivers.

The second test will verify the alternate data stream added to C:\Windows\Resources. The easiest way to verify this functionality is to delete C:\config32 and then stop and restart MyDeviceDriver. Because config32 no longer exists, the rootkit must retrieve configuration information from the alternate data stream. This can be verified with the DebugView utility. Debug output should indicate that the initial GetFile() failed; this is the attempt to read C:\config32. Afterward, debug output should indicate “Reading config from hidden file.” The IP and port information read from the ADS is then displayed.



Previous page
Table of content
Next page
Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
BUY ON AMAZON
Interprocess Communications in Linux: The Nooks and Crannies
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
Developing Tablet PC Applications (Charles River Media Programming)
MySQL Clustering
C & Data Structures (Charles River Media Computer Engineering)
The New Solution Selling: The Revolutionary Sales Process That Is Changing the Way People Sell [NEW SOLUTION SELLING 2/E]
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy