Summary


This has been a busy chapter, yet we have only just begun. The rootkit developed here can only hide its configuration file and its device driver entry from the operating system. Many other considerations must be addressed in order to achieve true stealth. For example, registering the rootkit with the service control manager creates a registry entry that can be seen by anyone using the registry editor. Ghost uses a form of obfuscation, the innocuous-looking name “comint32,” to conceal its true purpose from users, but better hiding techniques might be required.

The ability to hide files, directories, drivers, processes, and registry entries is likely to be a requirement of your rootkit. There are many techniques for achieving these goals, so many that I can only detail a few. Nonetheless, with process hiding techniques, device hiding techniques, file hiding techniques, registry key hiding techniques, and communication channel hiding techniques, you should be able to create just about any rootkit and keep it in memory for the life of the operating system.

We now have a rootkit that does the following:

  • Hides its device driver entry

  • Hides its configuration file

It’s not much, but it’s a start; and as with all journeys, the first step is the most difficult. The following chapters will add more and more functionality to this rootkit. The next chapter adds a crucial rootkit component: kernel function hooking.




Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Author: Ric Vieler
