Chapter 15 Going Out-of-Band
Our quest to foil postmortem analysis led us to opt for memory-resident tools. Likewise, in an effort to evade memory carving tools at runtime, we decided to implement our rootkit using kernel-mode shellcode. Nevertheless, in order to score some CPU time, somewhere along the line we’ll have to modify the targeted operating system so that we can embezzle a few CPU cycles. To this end, the options we have at our disposal range from sophomoric to subtle (see Table 15.1).
Table 15.1

| Category                | Technique          | Targets                         |
|-------------------------|--------------------|---------------------------------|
| Modify static elements  | Hooking            | IAT, SSDT, GDT, IDT, MSRs       |
|                         | In-place patching  | System calls, driver routines   |
|                         | Detour patching    | System calls, driver routines   |
| Modify dynamic elements | ...                | ...                             |