Testing I/O Control

To test the functionality developed thus far, you need to build the Chapter05Ghost rootkit from a Checked DDK command prompt. SCMUnloader.exe, SCMLoader.exe, and Controller.exe are also required. In addition, you need PGP Desktop version 9, though versions 6 through 8 can be used if the correct SDK Dynamic Link Library name and pre-encode function pattern are integrated into your version of the rootkit.

Copy SCMUnloader, SCMLoader, Controller, and Chapter05Ghost\objchk\i386\comint32.sys to C:\.

Execute DebugView to monitor the rootkit.

If the rootkit has ever been loaded before, run SCMUnloader once to unload the existing rootkit. This is necessary because SCMLoader leaves a registry entry telling the operating system to load, but not start, the rootkit, and a stale entry will interfere with a fresh load.
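Before running the test it helps to see exactly what the loader leaves behind. The following PowerShell script is an added example, not code from the book or from its SCMLoader/SCMUnloader tools: it walks the driver entries under HKLM\SYSTEM\CurrentControlSet\Services and reports any kernel-mode driver whose image path lies outside the standard driver directories, which is what a driver copied to C:\ as in this procedure would look like. The trusted-directory list and the use of Win32_SystemDriver to read the current load state are assumptions; the book does not give the service name that SCMLoader registers.

```powershell
# Added example (not from the book): find kernel-mode driver services whose
# image lives outside the usual driver directories. A registered-but-stopped
# entry with an image such as C:\comint32.sys is the footprint a loader like
# SCMLoader leaves behind. Service name is unknown, so every entry is checked.

function Get-OutOfPlaceDriverService {
    [CmdletBinding()]
    param(
        # Directories treated as normal for driver images (assumed list).
        [string[]]$TrustedDirs = @(
            "$env:SystemRoot\System32\drivers",
            "$env:SystemRoot\System32\DriverStore"
        )
    )

    # Current state of every driver known to the SCM, keyed by service name.
    $state = @{}
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        ForEach-Object { $state[$_.Name] = $_ }

    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        # Type 1 = SERVICE_KERNEL_DRIVER, Type 2 = SERVICE_FILE_SYSTEM_DRIVER.
        if ($null -eq $p.Type -or ($p.Type -ne 1 -and $p.Type -ne 2)) { continue }
        if ([string]::IsNullOrEmpty($p.ImagePath)) { continue }

        # Normalise the stored path: strip the \??\ NT prefix, expand the
        # \SystemRoot\ alias and %VAR% references, and root bare relative paths.
        $img = $p.ImagePath -replace '^\\\?\?\\', ''
        $img = $img -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        $img = [Environment]::ExpandEnvironmentVariables($img)
        if ($img -notmatch '^[A-Za-z]:\\') { $img = Join-Path $env:SystemRoot $img }

        $trusted = $false
        foreach ($d in $TrustedDirs) {
            if ($img.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) {
                $trusted = $true; break
            }
        }
        if ($trusted) { continue }

        $name = $svc.PSChildName
        # Start: 0 boot, 1 system, 2 auto, 3 demand (load on request), 4 disabled.
        [pscustomobject]@{
            Service   = $name
            ImagePath = $img
            Start     = $p.Start
            State     = if ($state.ContainsKey($name)) { $state[$name].State } else { 'NotLoaded' }
            OnDisk    = Test-Path -LiteralPath $img
        }
    }
}

# Run from an elevated prompt; the Services hive needs admin rights to read fully.
Get-OutOfPlaceDriverService | Format-Table -AutoSize
```

Run it before and after SCMUnloader: an entry for the driver should appear in the first run (State stopped or NotLoaded, OnDisk true) and be gone after the unloader removes the registry entry. Note that a demand-start entry with no running instance is exactly the load-but-do-not-start condition the paragraph describes.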

Load and start the rootkit. Correct any error conditions noted by DebugView until the rootkit loads and starts successfully.

From the PGP system tray icon, select Open PGP Desktop. Figure 5-2 shows the PGP desktop.

Figure 5-2: The PGP Desktop window.

From the PGP desktop, select File > New > PGP Zip. From the PGP Zip window, select the Add Recipients button. Selecting a PGP recipient is shown in Figure 5-3.

Figure 5-3: Selecting a PGP recipient.

From the Recipient Selection dialog, select any recipient and click OK. This should return you to the PGP Zip window. Drag and drop any file into the lower section of the PGP Zip window and click the Save button. The Save PGP Zip As dialog box is shown in Figure 5-4.

Figure 5-4: The Save PGP Zip As dialog box.

Use the default filename offered by the Save As dialog box and press Save again. As a final step, the PGP desktop will ask for the passphrase that is required when decrypting the archive. Enter your passphrase to initiate encryption. Entering a PGP passphrase is shown in Figure 5-5.

Figure 5-5: Entering a PGP passphrase.

If the rootkit blocks the encryption, an error message will appear, usually a DLL mismatch message. For PGP version 9 the message is “Unable to save (library version too old or too new).” A failed PGP encryption attempt is shown in Figure 5-6.

Figure 5-6: A failed PGP encryption attempt.

Now enter the command “controller off” from the directory containing Controller.exe. You should see the response “MyDeviceDriver off” from the command prompt and “comint32: allowing encryption” from DebugView.

Close the PGP desktop.

Now attempt the same encryption described earlier. The selected file should now be saved in encrypted form.




Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
Year: 2007
Pages: 229
Author: Ric Vieler
