The Rootkit Arsena Escape and Evasion in the Dark
Corners of the System Reverend Bill Blunden Wordware Publishing, Inc.
Contents
Preface: Metadata . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . XIX
Rootkits: The Kim Philby of System Software . . . .
Who Is Using Rootkit Technology?
The Feds ..
The Spooks .... .. .
The Suits .... ... .
1.3 The Malware Connection.
Infectious Agents . . .
Adware and Spyware . . .
Rise of the Botnets . . . .
Malware versus Rootkits .
Job Security: The Nature of the Software Industry .
1.4 Closing Thoughts. . . . . . . . . . . . . . .
Into the Catacombs: IA-32 . . . . . . . . . . . . . .
2.1 IA-32 Memory Models.
Physical Memory . . . . . .
Flat Memory Model. . . . .
Segmented Memory Model
Modes of Operation. .
2.2 Real Mode. . . . . . . . . .
Case Study: MS-DOS ....
Isn't This a Waste of Time? Why Study Real Mode? .
The Real-Mode Execution Environment
Real-Mode Interrupts .. .... .. .
Segmentation and Program Control . . .
Case Study: Dumping the IVT . . . . . .
Case Study: Logging Keystrokes with a TSR .
Case Study: Patching the tree.com Command
Synopsis ........ .... ..... .. . .
2.3 Protected Mode. . . . . . . . . . . . . . . . .
The Protected-Mode Execution Environment.
Protected-Mode Segmentation ..... .
Protected-Mode Paging ......... .
Protected-Mode Paging: A Closer Look .
2.4 Implementing Memory Protection ....
Protection through Segmentation . . . .
Limit Checks . . .
Type Checks . . . . . . . . . .
Privilege Checks. . . . . . . .
3.2 Memory Protection .
3.3 Virtual Memory . . . . . . . .
User Space Topography . ...
Kernel Space Dynamic Allocation .
Address Space Layout Randomization (ASLR) .
3.4 User Mode and Kernel Mode .
How versus Where . . . .
Kernel-Mode Components
User-Mode Components
3.5 The Native API .. .. . .
The IVT Grows Up ... .
The System Service Dispatch Tables .
Enumerating the Native API . . .
Nt*O versus Zw*O System Calls.
The Life Cycle of a System Call .
Other Kernel-Mode Routines . ..
Kernel-Mode API Documentation
3.6 The Boot Process . . . . . .
Startup for BIOS Firmware . .
Startup for EFI Firmware. . .
The Windows Boot Manager .
The Windows Boot Loader .
Initializing the Executive.
The Session Manager .
Wininit.exe. . . . .
Winlogon.exe. . . .
The Major Players.
3.7 Design Decisions .
How Will Our Rootkit Execute at Run Time? .
What Constructs Will Our Rootkit Manipulate? .
Rootkit Basics . . . .
4.1 Rootkit Tools ....
Development Tools
<<<<<<<<<TO>>>>>>>>>
Project: ReadPE .. .. . ..... . .. .... ... 741
Project: HookIAT . . .... ... . . 746
Project: HookIDT . . . . . . . 750
Project: HookSYS . . . . . . . 756
Project: HookSSDT . . 760
Project: HookIRP . . . . . . . . . . 772
Project: HookGDT . .. ... . .. . 774
Project: AntiHook (Kernel Space and User Space) . . . . . .
. . 779
Project: ParsePEB. . . . . . . . . . . . . . . . . . . . ..
. . 790
Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . .
. .. .. 793
Project: TraceDetour . . . . . 793
Project: GPO Detour . . . . . . . . 801
Project: AccessDetour. . . . . . . . . . 804
Project: MBR Disassembly . . . . . . . . . . . . 811
Project: LoadMBR. . . . . . . . . . . . . . . . . 813
Chapter 7 . . . . . . . . . . . .. ... .. .. . ... . ....
816
Project: No-FU (User-Mode Portion) .. .... . .... . .. . 816
Project: No-FU (Kernel-Mode Portion) . ... ... ....... 821
Project: TaskLister . . . 834
Project: findFU . . . . .. ... ............... . 838
Chapter 8 . . . . . . . . . .. .. ..... ...... . ... . . 843
Project: KiLogr-VOl . . . . .. . . . . .... . 843
Project: KiLogr-V02. . . .. ... .. . ..... 847
Chapter 10 . . . . . . . . . .. . . . .. . . . . . . 854
Project: TSMod . . . . . . . . . . 854
Project: Slack .. . . . . . . . . . 858
Project: MFT . . . . . . . . . . 860
Project: Cryptor . .. . . . . . . . . 871
Chapter 11 . . . .. .. . . . . . . . . 876
Project: UserModeDNS . . 876
Project: WSK-DNS . ....... . .... ... .. ... . .. 883
Index . ............. . . .. . 895
