This has been a busy chapter, yet we have only just begun. The rootkit developed here can only hide its configuration file and hide its device driver entry from the operating system. Many other considerations must be addressed in order to achieve true stealth. For example, registering the rootkit with the service control manager creates a registry entry that can be seen by anyone using the registry editor. Ghost uses a form of obfuscation, “comint32,” to conceal its true intentions from users, but better hiding techniques might be required.
The ability to hide files, directories, drivers, processes, and registry entries is likely to be a requirement of your rootkit. There are many techniques for achieving these goals, so many that I can only detail a few. Nonetheless, with process hiding techniques, device hiding techniques, file hiding techniques, registry key hiding techniques, and communication channel hiding techniques, you should be able to create just about any rootkit and keep it in memory for the life of the operating system.
We now have a rootkit that does the following:
Hides its device driver entry
Hides its configuration file
It’s not much, but it’s a start; and as with all journeys, the first step is the most difficult. The following chapters will add more and more functionality to this rootkit. The next chapter adds a crucial rootkit component: kernel function hooking.