Summary


This chapter has fully detailed the necessary components required to process inject application memory. To keep the code as simple as possible, only bare minimum functionality has been implemented. A complete PGP monitor would need to include patterns for every possible version of the PGP SDK DLL as well as an additional hook for every version of the Self Decrypting Archive function found in the PGP SC DLL, and yet another hook for multi-file encryption using PGP version 9. Fortunately, with the tools provided, and a good understanding of IDA, this additional functionality can be added quickly. Figure 4-4 shows a complete PGP monitor.

image from book
Figure 4-4

We now have a rootkit that does all of the following:

  • Hides its device driver entry

  • Hides its configuration file

  • Hooks the operating system kernel

  • Hooks selected processes loaded by the operating system

We’re getting close to a functional rootkit. Of course, we still can’t talk to the rootkit from a local application or control the rootkit from a remote application. We’ll need to understand the basic I/O system before we jump into these forms of communication. The next chapter introduces this crucial rootkit component: I/O processing.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net