Title:
Professional rootkits
Personal Author:
Ric Vieler
Publication Information:
Indianapolis, IN. : Wiley Publishing, 2007
Physical Description:
xix, 334 p. : ill. ; 24 cm.
ISBN:
9780470101544

Available:

Item Barcode:
30000010183988
Call Number:
QA76.9.A25 V56 2007
Material Type:
Open Access Book
Item Category 1:
Book

On Order

Summary

Whether you want to learn how to develop a robust, full-featured rootkit or you're looking for effective ways to prevent one from being installed on your network, this hands-on resource provides you with the tools you'll need. Expert developer Ric Vieler walks you through all of the capabilities of rootkits, the technology they use, steps for developing and testing them, and the detection methods to impede their distribution.

This book provides the detailed, step-by-step instructions and examples required to produce full-featured, robust rootkits. Presented in modular sections, source code from each chapter can be used separately or together to produce highly specific functionality. In addition, Vieler details the loading, configuration, and control techniques used to deploy rootkits. All ancillary software is fully detailed with supporting source code and links to the compilers, utilities, and scripts necessary to build and run every example provided.

What you will learn from this book

Complete coverage of all major rootkit technologies: kernel hooks, process injection, I/O filtering, I/O control, memory management, process synchronization, TDI communication, network filtering, email filtering, key logging, process hiding, device driver hiding, registry key hiding, directory hiding and more
Complete coverage of the compilers, kits, utilities, and tools required to develop robust rootkits
Techniques for protecting your system by detecting a rootkit before it's installed
Ways to create modular, commercial grade software

Who this book is for

This book is for anyone who is involved in software development or computer security.

Wrox Professional guides are planned and written by working programmers to meet the real-world needs of programmers, developers, and IT professionals. Focused and relevant, they address the issues technology professionals face every day. They provide examples, practical solutions, and expert education in new technologies, all designed to help programmers do a better job.


Author Notes

Ric Vieler is a software engineer and a certified ethical hacker. He enjoys writing both technical manuals (such as Professional Rootkits) and science fiction novels (such as Spliced, Acknowledge, and A Stitch in Time). His love of the unexplored, mixed with a thorough understanding of computer internals, has culminated in a career that fully embraces both: professional hacking. When not hacking, reading, or writing, Ric spends his spare time with his wife, Lisa, and their two children, Samantha and Dylan.


Table of Contents

Introduction
Chapter 1 Tools
How Do I Build a Rootkit?
The Microsoft Driver Development Kit
Microsoft Visual VC++ 2005 Express
Microsoft Software Developers Kit
Sysinternals Freeware
IDA
Debugging Tools for Windows
Verification
VCVARS32.BAT
Other Tools to Consider
What to Keep Out
Summary
Chapter 2 A Basic Rootkit
Ghost
Alternate Data Streams
Installing Your Rootkit
Testing Your Rootkit
Summary
Chapter 3 Kernel Hooks
The System Call Table
Kernel Memory Protection
Defining a Hook Function
An Example
hookManager.c
hookManager.h
What to Hook?
Csr - Client Server Run Time
Dbg - Debug Manager
Etw - Event Tracing for Windows
Ki - Kernel (must be called from Kernel)
Ldr - Loader Manager
Pfx - ANSI Prefix Manager
Rtl - Runtime Library
Zw - File and Registry
The Problem with Hooking
Summary
Chapter 4 User Hooks
Process Injection
Finding a Specific Dynamic Link Library
Defining a Hook Function
The Trampoline Function
An Example
Ghost.h
Ghost.c
hookManager.h
hookManager.c
injectManager.h
injectManager.c
parse86.h
parse86.c
peFormat.h
Using Ghost to Block PGP Encoding
Summary
Chapter 5 I/O Processing
Using DeviceIoControl
The Console Application
Controller.c
IoManager.h
buildController.bat
Handling IO within the Device Driver
IoManager.c
Injected Function Programming
Testing I/O Control
Summary
Chapter 6 Communications
The Transport Driver Interface
Initiating the Connection
An Example
commManager.h
commManager.c
Running the Example
Summary
Chapter 7 Filter Drivers
Inserting a Filter Driver
File Filtering
Network Filtering
Combined Filtering
An Example
filterManager.h
filterManager.c
Ghost.c
IoManager.h
IoManager.c
Summary
Chapter 8 Key Logging
Processing Levels
A Keyboard Filter
Threading and Synchronization
Interpreting Key Codes
An Example
Sources
Ghost.c
filterManager.c
filterManager.h
IoManager.c
keyManager.h
keyManager.c
OnKeyboardRead
OnReadCompletion
GetKey
InitializeLogThread
KeyLoggerThread
StartKeylogger
StopKeylogger
OnCancel
Testing the Example
Summary
Chapter 9 Concealment
Registry Key Hiding
registryManager.h
registryManager.c
Ghost.c
hookManager.h
hookManager.c
Directory Hiding
Process Hiding
HideMe.c
Testing Concealment
Summary
Chapter 10 E-mail Filtering
Microsoft Outlook E-mail Filtering
OutlookExtension.h
OutlookExtension.cpp
Installing an Outlook Client Filter
Testing the Outlook Client Extension
Lotus Notes E-mail Filtering
LotusExtension.h
LotusExtension.c
LotusExtension.def
LotusExtension.mak
readme.txt
Installing a Lotus Notes Client Filter
Testing the Lotus Notes Client Extension
Summary
Chapter 11 Installation Considerations
Intended Installation
Intended Installation Software
End User License Agreements (EULAs)
Unintended Installation
Privilege Escalation
Persistence
ZwSetSystemInformation with SystemLoadAndCallImage
Registry Possibilities
Initialization Files
Installing onto M