The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Preface
  6. Part I: Foundations
    1. Chapter 1 Empty Cup Mind
      1. 1.1 An Uninvited Guest
      2. 1.2 Distilling a More Precise Definition
      3. 1.3 Rootkits != Malware
      4. 1.4 Who Is Building and Using Rootkits?
      5. 1.5 Tales from the Crypt: Battlefield Triage
      6. 1.6 Conclusions
    2. Chapter 2 Overview of Anti-Forensics
      1. Everyone Has a Budget: Buy Time
      2. 2.1 Incident Response
      3. 2.2 Computer Forensics
      4. 2.3 AF Strategies
      5. 2.4 General Advice for AF Techniques
      6. 2.5 John Doe Has the Upper Hand
      7. 2.6 Conclusions
    3. Chapter 3 Hardware Briefing
      1. 3.1 Physical Memory
      2. 3.2 IA-32 Memory Models
      3. 3.3 Real Mode
      4. 3.4 Protected Mode
      5. 3.5 Implementing Memory Protection
    4. Chapter 4 System Briefing
      1. 4.1 Physical Memory under Windows
      2. 4.2 Segmentation and Paging under Windows
      3. 4.3 User Space and Kernel Space
      4. 4.4 User Mode and Kernel Mode
      5. 4.5 Other Memory Protection Features
      6. 4.6 The Native API
      7. 4.7 The BOOT Process
      8. 4.8 Design Decisions
    5. Chapter 5 Tools of the Trade
      1. 5.1 Development Tools
      2. 5.2 Debuggers
      3. 5.3 The KD.exe Kernel Debugger
    6. Chapter 6 Life in Kernel Space
      1. 6.1 A KMD Template
      2. 6.2 Loading a KMD
      3. 6.3 The Service Control Manager
      4. 6.4 Using an Export Driver
      5. 6.5 Leveraging an Exploit in the Kernel
      6. 6.6 Windows Kernel-Mode Security
      7. 6.7 Synchronization
      8. 6.8 Conclusions
  7. Part II: Postmortem
    1. Chapter 7 Defeating Disk Analysis
      1. 7.1 Postmortem Investigation: An Overview
      2. 7.2 Forensic Duplication
      3. 7.3 Volume Analysis
      4. 7.4 File System Analysis
      5. 7.5 File Signature Analysis
      6. 7.6 Conclusions
    2. Chapter 8 Defeating Executable Analysis
      1. 8.1 Static Analysis
      2. 8.2 Subverting Static Analysis
      3. 8.3 Runtime Analysis
      4. 8.4 Subverting Runtime Analysis
      5. 8.5 Conclusions
  8. Part III: Live Response
    1. Chapter 9 Defeating Live Response
      1. Autonomy: The Coin of the Realm
      2. Learning the Hard Way: DDefy
      3. The Vendors Wise Up: Memoryze
      4. 9.1 Live Incident Response: The Basic Process
      5. 9.2 User-Mode Loaders (UMLs)
      6. 9.3 Minimizing Loader Footprint
      7. 9.4 The Argument Against Stand-Alone PE Loaders
    2. Chapter 10 Building Shellcode in C
      1. Why Shellcode Rootkits?
      2. Does Size Matter?
      3. 10.1 User-Mode Shellcode
      4. 10.2 Kernel-Mode Shellcode
      5. 10.3 Special Weapons and Tactics
      6. 10.4 Looking Ahead
    3. Chapter 11 Modifying Call Tables
      1. 11.1 Hooking in User Space: The IAT
      2. 11.2 Call Tables in Kernel Space
      3. 11.3 Hooking the IDT
      4. 11.4 Hooking Processor MSRs
      5. 11.5 Hooking the SSDT
      6. 11.6 Hooking IRP Handlers
      7. 11.7 Hooking the GDT: Installing a Call Gate
      8. 11.8 Hooking Countermeasures
      9. 11.9 Counter-Countermeasures
    4. Chapter 12 Modifying Code
      1. Types of Patching
      2. In-Place Patching
      3. Detour Patching
      4. Prologue and Epilogue Detours
      5. Detour Jumps
      6. 12.1 Tracing Calls
      7. 12.2 Subverting Group Policy
      8. 12.3 Bypassing Kernel-Mode API Loggers
      9. 12.4 Instruction Patching Countermeasures
    5. Chapter 13 Modifying Kernel Objects
      1. 13.1 The Cost of Invisibility
      2. 13.2 Revisiting the EPROCESS Object
      3. 13.3 The DRIVER_SECTION Object
      4. 13.4 The Token Object
      5. 13.5 Hiding a Process
      6. 13.6 Hiding a Driver
      7. 13.7 Manipulating the Access Token
      8. 13.8 Using No-FU
      9. 13.9 Kernel-Mode Callbacks
      10. 13.10 Countermeasures
      11. 13.11 Counter-Countermeasures
    6. Chapter 14 Covert Channels
      1. 14.1 Common Malware Channels
      2. 14.2 Worst-Case Scenario: Full Content Data Capture
      3. 14.3 The Windows TCP/IP Stack
      4. 14.4 DNS Tunneling
      5. 14.5 DNS Tunneling: User Mode
      6. 14.6 DNS Tunneling: WSK Implementation
      7. 14.7 NDIS Protocol Drivers
      8. 14.8 Passive Covert Channels
    7. Chapter 15 Going Out-of-Band
      1. Ways to Jump Out-of-Band
      2. 15.1 Additional Processor Modes
      3. 15.2 Firmware
      4. 15.3 Lights-Out Management Facilities
      5. 15.4 Less Obvious Alternatives
      6. 15.5 Conclusions
  9. Part IV: Summation
    1. Chapter 16 The Tao of Rootkits
      1. The Dancing Wu Li Masters
      2. When a Postmortem Isn’t Enough
      3. The Battlefield Shifts Again
      4. 16.1 Core Stratagems
      5. 16.2 Identifying Hidden Doors
      6. 16.3 Architectural Precepts
      7. 16.4 Engineering a Rootkit
      8. 16.5 Dealing with an Infestation
  10. Index
  11. Photo Credits

Chapter 14 Covert Channels

In the most general sense, a covert channel is just a way of exchanging information in a manner that makes the act of exchange difficult to perceive. This could entail repackaging the data that’s exchanged. For example, during World War II, spies often transmitted photographs as microdots, which were then embedded as periods in otherwise mundane postal correspondence.

Another way to implement a covert channel is to use an unconventional conduit. For instance, in South Asian countries, it’s possible to move money around outside of official money-transfer lines by use of an informal network of brokers known as a “hawala.” Not only are the requirements to move cash less stringent, but also a hawala operates completely ...
