The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Preface
  6. Part I: Foundations
    1. Chapter 1 Empty Cup Mind
      1. 1.1 An Uninvited Guest
      2. 1.2 Distilling a More Precise Definition
      3. 1.3 Rootkits != Malware
      4. 1.4 Who Is Building and Using Rootkits?
      5. 1.5 Tales from the Crypt: Battlefield Triage
      6. 1.6 Conclusions
    2. Chapter 2 Overview of Anti-Forensics
      1. Everyone Has a Budget: Buy Time
      2. 2.1 Incident Response
      3. 2.2 Computer Forensics
      4. 2.3 AF Strategies
      5. 2.4 General Advice for AF Techniques
      6. 2.5 John Doe Has the Upper Hand
      7. 2.6 Conclusions
    3. Chapter 3 Hardware Briefing
      1. 3.1 Physical Memory
      2. 3.2 IA-32 Memory Models
      3. 3.3 Real Mode
      4. 3.4 Protected Mode
      5. 3.5 Implementing Memory Protection
    4. Chapter 4 System Briefing
      1. 4.1 Physical Memory under Windows
      2. 4.2 Segmentation and Paging under Windows
      3. 4.3 User Space and Kernel Space
      4. 4.4 User Mode and Kernel Mode
      5. 4.5 Other Memory Protection Features
      6. 4.6 The Native API
      7. 4.7 The BOOT Process
      8. 4.8 Design Decisions
    5. Chapter 5 Tools of the Trade
      1. 5.1 Development Tools
      2. 5.2 Debuggers
      3. 5.3 The KD.exe Kernel Debugger
    6. Chapter 6 Life in Kernel Space
      1. 6.1 A KMD Template
      2. 6.2 Loading a KMD
      3. 6.3 The Service Control Manager
      4. 6.4 Using an Export Driver
      5. 6.5 Leveraging an Exploit in the Kernel
      6. 6.6 Windows Kernel-Mode Security
      7. 6.7 Synchronization
      8. 6.8 Conclusions
  7. Part II: Postmortem
    1. Chapter 7 Defeating Disk Analysis
      1. 7.1 Postmortem Investigation: An Overview
      2. 7.2 Forensic Duplication
      3. 7.3 Volume Analysis
      4. 7.4 File System Analysis
      5. 7.5 File Signature Analysis
      6. 7.6 Conclusions
    2. Chapter 8 Defeating Executable Analysis
      1. 8.1 Static Analysis
      2. 8.2 Subverting Static Analysis
      3. 8.3 Runtime Analysis
      4. 8.4 Subverting Runtime Analysis
      5. 8.5 Conclusions
  8. Part III: Live Response
    1. Chapter 9 Defeating Live Response
      1. Autonomy: The Coin of the Realm
      2. Learning the Hard Way: DDefy
      3. The Vendors Wise Up: Memoryze
      4. 9.1 Live Incident Response: The Basic Process
      5. 9.2 User-Mode Loaders (UMLs)
      6. 9.3 Minimizing Loader Footprint
      7. 9.4 The Argument Against Stand-Alone PE Loaders
    2. Chapter 10 Building Shellcode in C
      1. Why Shellcode Rootkits?
      2. Does Size Matter?
      3. 10.1 User-Mode Shellcode
      4. 10.2 Kernel-Mode Shellcode
      5. 10.3 Special Weapons and Tactics
      6. 10.4 Looking Ahead
    3. Chapter 11 Modifying Call Tables
      1. 11.1 Hooking in User Space: The IAT
      2. 11.2 Call Tables in Kernel Space
      3. 11.3 Hooking the IDT
      4. 11.4 Hooking Processor MSRs
      5. 11.5 Hooking the SSDT
      6. 11.6 Hooking IRP Handlers
      7. 11.7 Hooking the GDT: Installing a Call Gate
      8. 11.8 Hooking Countermeasures
      9. 11.9 Counter-Countermeasures
    4. Chapter 12 Modifying Code
      1. Types of Patching
      2. In-Place Patching
      3. Detour Patching
      4. Prologue and Epilogue Detours
      5. Detour Jumps
      6. 12.1 Tracing Calls
      7. 12.2 Subverting Group Policy
      8. 12.3 Bypassing Kernel-Mode API Loggers
      9. 12.4 Instruction Patching Countermeasures
    5. Chapter 13 Modifying Kernel Objects
      1. 13.1 The Cost of Invisibility
      2. 13.2 Revisiting the EPROCESS Object
      3. 13.3 The DRIVER_SECTION Object
      4. 13.4 The Token Object
      5. 13.5 Hiding a Process
      6. 13.6 Hiding a Driver
      7. 13.7 Manipulating the Access Token
      8. 13.8 Using No-FU
      9. 13.9 Kernel-Mode Callbacks
      10. 13.10 Countermeasures
      11. 13.11 Counter-Countermeasures
    6. Chapter 14 Covert Channels
      1. 14.1 Common Malware Channels
      2. 14.2 Worst-Case Scenario: Full Content Data Capture
      3. 14.3 The Windows TCP/IP Stack
      4. 14.4 DNS Tunneling
      5. 14.5 DNS Tunneling: User Mode
      6. 14.6 DNS Tunneling: WSK Implementation
      7. 14.7 NDIS Protocol Drivers
      8. 14.8 Passive Covert Channels
    7. Chapter 15 Going Out-of-Band
      1. Ways to Jump Out-of-Band
      2. 15.1 Additional Processor Modes
      3. 15.2 Firmware
      4. 15.3 Lights-Out Management Facilities
      5. 15.4 Less Obvious Alternatives
      6. 15.5 Conclusions
  9. Part IV: Summation
    1. Chapter 16 The Tao of Rootkits
      1. The Dancing Wu Li Masters
      2. When a Postmortem Isn’t Enough
      3. The Battlefield Shifts Again
      4. 16.1 Core Stratagems
      5. 16.2 Identifying Hidden Doors
      6. 16.3 Architectural Precepts
      7. 16.4 Engineering a Rootkit
      8. 16.5 Dealing with an Infestation
  10. Index
  11. Photo Credits
Chapter 16  The Tao of Rootkits

In organizations like the CIA, it’s standard operating procedure for security officers to periodically monitor people with access to sensitive information even if there is no explicit reason to suspect them.

The same basic underlying logic motivates preemptive security assessments in information technology (IT).1 Don’t assume a machine is secure simply because you’ve slapped on a group policy, patched it, and installed the latest anti-virus signatures. Oh no, you need to roll your sleeves up and actually determine if someone has undermined the integrity of the system. Just because a machine seems to be okay doesn’t mean that it hasn’t acquired an uninvited guest.

As an attacker, to survive this sort of aggressive ...

The best content for your career. Discover unlimited learning on demand for around $1/day.