Ghost.c


The file Ghost.c has been expanded by the addition of two global variables:

  PVOID kernel32Base = NULL; ZWPROTECTVIRTUALMEMORY OldZwProtectVirtualMemory; 

Kernel32Base is supplied by ZwMapViewOfSection when the mapped library is kernel32.dll .OldZwProtectVirtualMemory is supplied by findUnresolved, a pattern-matching algorithm that searches backward from ZwPulseEvent looking for ZwProtectVirtualMemory.

The hook function called from DriverEntry of Ghost.c was also renamed HookKernel() because there are now two forms of hooking: kernel hooking and user hooking:

  // Add kernel hooks if( !NT_SUCCESS( HookKernel() ) ) {  DbgPrint("comint32: HookKernel failed!\n");  return STATUS_UNSUCCESSFUL; } 




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net