The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Preface
  6. Part I: Foundations
    1. Chapter 1 Empty Cup Mind
      1. 1.1 An Uninvited Guest
      2. 1.2 Distilling a More Precise Definition
      3. 1.3 Rootkits != Malware
      4. 1.4 Who Is Building and Using Rootkits?
      5. 1.5 Tales from the Crypt: Battlefield Triage
      6. 1.6 Conclusions
    2. Chapter 2 Overview of Anti-Forensics
      1. Everyone Has a Budget: Buy Time
      2. 2.1 Incident Response
      3. 2.2 Computer Forensics
      4. 2.3 AF Strategies
      5. 2.4 General Advice for AF Techniques
      6. 2.5 John Doe Has the Upper Hand
      7. 2.6 Conclusions
    3. Chapter 3 Hardware Briefing
      1. 3.1 Physical Memory
      2. 3.2 IA-32 Memory Models
      3. 3.3 Real Mode
      4. 3.4 Protected Mode
      5. 3.5 Implementing Memory Protection
    4. Chapter 4 System Briefing
      1. 4.1 Physical Memory under Windows
      2. 4.2 Segmentation and Paging under Windows
      3. 4.3 User Space and Kernel Space
      4. 4.4 User Mode and Kernel Mode
      5. 4.5 Other Memory Protection Features
      6. 4.6 The Native API
      7. 4.7 The BOOT Process
      8. 4.8 Design Decisions
    5. Chapter 5 Tools of the Trade
      1. 5.1 Development Tools
      2. 5.2 Debuggers
      3. 5.3 The KD.exe Kernel Debugger
    6. Chapter 6 Life in Kernel Space
      1. 6.1 A KMD Template
      2. 6.2 Loading a KMD
      3. 6.3 The Service Control Manager
      4. 6.4 Using an Export Driver
      5. 6.5 Leveraging an Exploit in the Kernel
      6. 6.6 Windows Kernel-Mode Security
      7. 6.7 Synchronization
      8. 6.8 Conclusions
  7. Part II: Postmortem
    1. Chapter 7 Defeating Disk Analysis
      1. 7.1 Postmortem Investigation: An Overview
      2. 7.2 Forensic Duplication
      3. 7.3 Volume Analysis
      4. 7.4 File System Analysis
      5. 7.5 File Signature Analysis
      6. 7.6 Conclusions
    2. Chapter 8 Defeating Executable Analysis
      1. 8.1 Static Analysis
      2. 8.2 Subverting Static Analysis
      3. 8.3 Runtime Analysis
      4. 8.4 Subverting Runtime Analysis
      5. 8.5 Conclusions
  8. Part III: Live Response
    1. Chapter 9 Defeating Live Response
      1. Autonomy: The Coin of the Realm
      2. Learning the Hard Way: DDefy
      3. The Vendors Wise Up: Memoryze
      4. 9.1 Live Incident Response: The Basic Process
      5. 9.2 User-Mode Loaders (UMLs)
      6. 9.3 Minimizing Loader Footprint
      7. 9.4 The Argument Against Stand-Alone PE Loaders
    2. Chapter 10 Building Shellcode in C
      1. Why Shellcode Rootkits?
      2. Does Size Matter?
      3. 10.1 User-Mode Shellcode
      4. 10.2 Kernel-Mode Shellcode
      5. 10.3 Special Weapons and Tactics
      6. 10.4 Looking Ahead
    3. Chapter 11 Modifying Call Tables
      1. 11.1 Hooking in User Space: The IAT
      2. 11.2 Call Tables in Kernel Space
      3. 11.3 Hooking the IDT
      4. 11.4 Hooking Processor MSRs
      5. 11.5 Hooking the SSDT
      6. 11.6 Hooking IRP Handlers
      7. 11.7 Hooking the GDT: Installing a Call Gate
      8. 11.8 Hooking Countermeasures
      9. 11.9 Counter-Countermeasures
    4. Chapter 12 Modifying Code
      1. Types of Patching
      2. In-Place Patching
      3. Detour Patching
      4. Prologue and Epilogue Detours
      5. Detour Jumps
      6. 12.1 Tracing Calls
      7. 12.2 Subverting Group Policy
      8. 12.3 Bypassing Kernel-Mode API Loggers
      9. 12.4 Instruction Patching Countermeasures
    5. Chapter 13 Modifying Kernel Objects
      1. 13.1 The Cost of Invisibility
      2. 13.2 Revisiting the EPROCESS Object
      3. 13.3 The DRIVER_SECTION Object
      4. 13.4 The Token Object
      5. 13.5 Hiding a Process
      6. 13.6 Hiding a Driver
      7. 13.7 Manipulating the Access Token
      8. 13.8 Using No-FU
      9. 13.9 Kernel-Mode Callbacks
      10. 13.10 Countermeasures
      11. 13.11 Counter-Countermeasures
    6. Chapter 14 Covert Channels
      1. 14.1 Common Malware Channels
      2. 14.2 Worst-Case Scenario: Full Content Data Capture
      3. 14.3 The Windows TCP/IP Stack
      4. 14.4 DNS Tunneling
      5. 14.5 DNS Tunneling: User Mode
      6. 14.6 DNS Tunneling: WSK Implementation
      7. 14.7 NDIS Protocol Drivers
      8. 14.8 Passive Covert Channels
    7. Chapter 15 Going Out-of-Band
      1. Ways to Jump Out-of-Band
      2. 15.1 Additional Processor Modes
      3. 15.2 Firmware
      4. 15.3 Lights-Out Management Facilities
      5. 15.4 Less Obvious Alternatives
      6. 15.5 Conclusions
  9. Part IV: Summation
    1. Chapter 16 The Tao of Rootkits
      1. The Dancing Wu Li Masters
      2. When a Postmortem Isn’t Enough
      3. The Battlefield Shifts Again
      4. 16.1 Core Stratagems
      5. 16.2 Identifying Hidden Doors
      6. 16.3 Architectural Precepts
      7. 16.4 Engineering a Rootkit
      8. 16.5 Dealing with an Infestation
  10. Index
  11. Photo Credits
Chapter 4 System Briefing

In Chapter 2, we found that to engineer a rootkit, we must first decide:

  - What part of the system we want the rootkit to interface with.

  - Where the code that manages this interface will reside.

We spent the previous chapter investigating the memory protection features offered by the IA-32 processor. In this chapter, we'll see how Windows leverages these features to establish the boundary between user space and kernel space. This gives us the foundation we need to address these two questions.

As you’ll see, the mapping ...