Rootkits: Subverting the Windows Kernel By Greg Hoglund, James Butler

Rootkits: Subverting the Windows Kernel By Greg Hoglund, James Butler

Publisher: Addison Wesley Professional

Pub Date: July 22, 2005

ISBN: 0-321-29431-9

Pages: 352

Copyright

Praise for Rootkits

Preface

Historical Background

Target Audience

Prerequisites

Scope

Acknowledgments

About the Authors

About the Cover

Chapter 1. Leave No Trace

Understanding Attackers' Motives

What Is a Rootkit?

Why Do Rootkits Exist?

How Long Have Rootkits Been Around?

How Do Rootkits Work?

What a Rootkit Is Not

Rootkits and Software Exploits

Offensive Rootkit Technologies

Conclusion

Chapter 2. Subverting the Kernel

Important Kernel Components

Rootkit Design

Introducing Code into the Kernel

Building the Windows Device Driver

Loading and Unloading the Driver

Logging the Debug Statements

Fusion Rootkits: Bridging User and Kernel Modes

Loading the Rootkit

Decompressing the .sys File from a Resource

Surviving Reboot

Conclusion

Chapter 3. The Hardware Connection

Ring Zero

Tables, Tables, and More Tables

Memory Pages

The Memory Descriptor Tables

The Interrupt Descriptor Table

The System Service Dispatch Table

The Control Registers

Multiprocessor Systems

Conclusion

Chapter 4. The Age-Old Art of Hooking

Userland Hooks

Kernel Hooks

A Hybrid Hooking Approach

Conclusion

Chapter 5. Runtime Patching

Detour Patching

Jump Templates

Variations on the Method

Conclusion

Chapter 6. Layered Drivers

A Keyboard Sniffer

The KLOG Rootkit: A Walk-through

File Filter Drivers

Conclusion

Chapter 7. Direct Kernel Object Manipulation

DKOM Benefits and Drawbacks

Determining the Version of the Operating System

Communicating with the Device Driver from Userland

Hiding with DKOM

Token Privilege and Group Elevation with DKOM

Conclusion

Chapter 8. Hardware Manipulation

Why Hardware?

Modifying the Firmware

Accessing the Hardware

Example: Accessing the Keyboard Controller

How Low Can You Go? Microcode Update

Conclusion

Chapter 9. Covert Channels

Remote Command, Control, and Exfiltration of Data

Disguised TCP/IP Protocols

Kernel TCP/IP Support for Your Rootkit Using TDI

Raw Network Manipulation

Kernel TCP/IP Support for Your Rootkit Using NDIS

Host Emulation

Conclusion

Chapter 10. Rootkit Detection

Detecting Presence

Detecting Behavior

Conclusion