To test the functionality developed thus far, you need to build the Chapter05Ghost rootkit from a Checked DDK command prompt. SCMUnloader.exe, SCMLoader.exe, and Controller.exe are also required. In addition, you need PGP Desktop version 9, though versions 6 through 8 can be used if the correct SDK Dynamic Link Library name and pre-encode function pattern are integrated into your version of the rootkit.
Copy SCMUnloader, SCMLoader, Controller, and Chapter05Ghost\objchk\i386\comint32.sys to C:\.
Execute DebugView to monitor the rootkit.
If the rootkit has ever been loaded before, you will need to run SCMUnloader once to unload the existing rootkit. This is because SCMLoader leaves a registry entry telling the operating system to load, but not start, the rootkit.
Load and start the rootkit. Correct any error conditions noted by DebugView until the rootkit loads and starts successfully.
From the PGP system tray icon, select Open PGP Desktop. Figure 5-2 shows the PGP desktop.
From the PGP desktop, select File New PGP Zip. From the PGP Zip window, select the Add Recipients button. Selecting a PGP recipient is shown in Figure 5-3.
From the Recipient Selection dialog, select any recipient and click OK. This should return you to the PGP Zip window. Drag and drop any file into the lower section of the PGP Zip window and click the Save button. The Save PGP Zip As dialog box is shown in Figure 5-4.
Use the default filename offered by the Save As dialog box and press Save again. As a final step, the PGP desktop will ask for the passphrase that is required when decrypting the archive. Enter your passphrase to initiate encryption. Entering a PGP passphrase is shown in Figure 5-5.
If the rootkit blocks the encryption an error message will appear, usually a DLL mismatch message. For PGP version 9 the message is “Unable to save (library version too old or too new).” A failed PGP encryption attempt is shown in Figure 5-6.
Now enter the command “controller off” from the directory containing Controller.exe. You should see the response “MyDeviceDriver off” from the command prompt and “comint32: allowing encryption” from DebugView.
Close the PGP desktop.
Now attempt the same encryption described earlier. The selected file should now be saved in encrypted form.