Running the Example


To demonstrate the TDI connection, first start GhostTracker (GT.exe). GhostTracker provides a simple list control that is filled with the IP addresses of connecting clients. Because c:\config32 is set to the IP address of the machine running GhostTracker, Ghost will open a TDI connection to GhostTracker and send a connection string to the controller via SendToRemoteController. All you need to do to initiate this connection is start Ghost using the same “SCMLoader” and “net start MyDeviceDriver” commands you have been using throughout this book. Figure 6-2 shows a typical rootkit environment.

image from book
Figure 6-2

If you have two or more machines, you can put GhostTracker on one machine and Ghost on the others. Just be sure to add the IP address of the machine running GhostTracker to the config32 file(s) on the other machine(s). This will give you an idea of how rootkits are used in the field. GhostTracker is shown in Figure 6-3.

image from book
Figure 6-3

Once the list box in GhostTracker begins to fill with client connections, you can double-click on any IP address to spawn a remote control panel for that client. However, don’t look for much more from this example. GhostTracker is a simple mock-up with no operational capability. The GhostTracker control panel is shown in Figure 6-4.

image from book
Figure 6-4




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net