Professional Rootkits (Programmer to Programmer)
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
EAN: 2147483647
Year: 2007
Pages: 229
Pages: 229
Authors: Ric Vieler
- Table of Contents
- Back Cover
- Professional Rootkits
- Credits
- Introduction
- Who This Book Is For
- What This Book Covers
- How This Book Is Structured
- What You Need to Use This Book
- Conventions
- Source Code
- Errata
- p2p.wrox.com
- Chapter 1: Tools
- How Do I Build a Rootkit?
- The Microsoft Driver Development Kit
- Microsoft Visual VC 2005 Express
- Microsoft Software Developers Kit
- Sysinternals Freeware
- IDA
- Debugging Tools for Windows
- Verification
- VCVARS32.BAT
- Other Tools to Consider
- What to Keep Out
- Summary
- Chapter 2: A Basic Rootkit
- Ghost
- Alternate Data Streams
- Installing Your Rootkit
- Testing Your Rootkit
- Summary
- Chapter 3: Kernel Hooks
- The System Call Table
- Kernel Memory Protection
- Defining a Hook Function
- An Example
- hookManager.c
- hookManager.h
- What to Hook?
- Csr - Client Server Run Time
- Dbg - Debug Manager
- Etw - Event Tracing for Windows
- Ki - Kernel (must be called from Kernel)
- Ldr - Loader Manager
- Pfx - ANSI Prefix Manager
- Rtl - Runtime Library
- Zw - File and Registry
- The Problem with Hooking
- Summary
- Chapter 4: User Hooks
- Process Injection
- Finding a Specific Dynamic Link Library
- Defining a Hook Function
- The Trampoline Function
- An Example
- Ghost.h
- Ghost.c
- hookManager.h
- hookManager.c
- injectManager.h
- injectManager.c
- parse86.h
- parse86.c
- peFormat.h
- Using Ghost to Block PGP Encoding
- Summary
- Chapter 5: IO Processing
- Using DeviceIoControl
- The Console Application
- Controller.c
- IoManager.h
- buildController.bat
- Handling IO within the Device Driver
- IoManager.c
- Injected Function Programming
- Testing IO Control
- Summary
- Chapter 6: Communications
- The Transport Driver Interface
- Initiating the Connection
- An Example
- commManager.h
- commManager.c
- Running the Example
- Summary
- Chapter 7: Filter Drivers
- Inserting a Filter Driver
- File Filtering
- Network Filtering
- Combined Filtering
- An Example
- filterManager.h
- filterManager.c
- Ghost.c
- IoManager.h
- IoManager.c
- Summary
- Chapter 8: Key Logging
- Processing Levels
- A Keyboard Filter
- Threading and Synchronization
- Interpreting Key Codes
- An Example
- SOURCES
- Ghost.c
- filterManager.c
- filterManager.h
- IoManager.c
- keyManager.h
- keyManager.c
- OnKeyboardRead
- OnReadCompletion
- GetKey
- InitializeLogThread
- KeyLoggerThread
- StartKeylogger
- StopKeylogger
- OnCancel
- Testing the Example
- Summary
- Chapter 9: Concealment
- Registry Key Hiding
- registryManager.h
- registryManager.c
- Ghost.c
- hookManager.h
- hookManager.c
- Directory Hiding
- Process Hiding
- HideMe.c
- Testing Concealment
- Summary
- Chapter 10: E-mail Filtering
- Microsoft Outlook E-mail Filtering
- OutlookExtension.h
- OutlookExtension.cpp
- Installing an Outlook Client Filter
- Testing the Outlook Client Extension
- Lotus Notes E-mail Filtering
- LotusExtension.h
- LotusExtension.c
- LotusExtension.def
- LotusExtension.mak
- readme.txt
- Installing a Lotus Notes Client Filter
- Testing the Lotus Notes Client Extension
- Summary
- Chapter 11: Installation Considerations
- Intended Installation
- Intended Installation Software
- End User License Agreements (EULAs)
- Unintended Installation
- Privilege Escalation
- Persistence
- ZwSetSystemInformation with SystemLoadAndCallImage
- Registry Possibilities
- Initialization Files
- Installing onto Machines That Visit Your Website
- Removing the Traces of an Installation
- Testing Your Installation Techniques
- Summary
- Chapter 12: Ghost Tracker
- The Controller
- The Connection
- Tamper Detection
- An Example
- GhostTracker.cs
- ControlForm.cs
- TargetController.cs
- Listen.cs
- GhostTracker
- ControlForm
- Summary
- Chapter 13: Detecting Rootkits
- Detection Methods
- Detection Software
- What to Do with a Detected Rootkit
- Safe Mode
- Summary
- Chapter 14: Preventing Rootkits
- Operating System Updates
- Automatic Updates
- Personal Firewalls
- Free Personal Firewalls
- Other Personal Firewalls
- Host-based Intrusion Prevention Systems
- Hardening
- Virtualizing
- Blocking Unexpected Operations
- Rootkit Prevention Techniques
- Summary
- Appendix A: Freeware
- DebugView
- RegistryMonitor
- FileMonitor
- TCPView
- IDA
- Samurai
- Rootkit Unhooker
- RootkitRevealer
- F-Secure BlackLight
- Rootkit Hook Analyzer
- IceSword
- Sophos Anti-Rootkit
- Index
- B
- C
- D
- E
- F
- G
- H
- I
- K
- L
- M
- N
- O
- P
- Q
- R
- S
- T
- U
- V
- W
- Z
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
EAN: 2147483647
Year: 2007
Pages: 229
Pages: 229
Authors: Ric Vieler