Rootkits Subverting the Windows Kernel

ISBN-10: 0321294319

ISBN-13: 9780321294319

Edition: 2006

Authors: Greg Hoglund, Jamie Butler

List price: $64.99 Buy it from $4.04
30 day, 100% satisfaction guarantee

If an item you ordered from TextbookRush does not meet your expectations due to an error on our part, simply fill out a return request and then return it by mail within 30 days of ordering it for a full refund of item cost.

Learn more about our returns policy


Rootkits are programmes that are designed to be invisble once they are installed onto a computer operating system. This book is about penetrating a computer system without detection, as the best way to counter forensics is with stealth. If no attack is suspected then no forensics are likely to be applied.
Used Starting from $4.04
what's this?
Rush Rewards U
Members Receive:
You have reached 400 XP and carrot coins. That is the daily max!
Study Briefs

Limited time offer: Get the first one free! (?)

All the information you need in one place! Each Study Brief is a summary of one specific subject; facts, figures, and explanations to help you learn faster.

Add to cart
Study Briefs
Periodic Table Online content $4.95 $1.99
Add to cart
Study Briefs
SQL Online content $4.95 $1.99
Add to cart
Study Briefs
MS Excel® 2010 Online content $4.95 $1.99
Add to cart
Study Briefs
MS Word® 2010 Online content $4.95 $1.99
Customers also bought

Book details

List price: $64.99
Copyright year: 2006
Publisher: Addison Wesley Professional
Publication date: 7/22/2005
Binding: Paperback
Pages: 352
Size: 7.00" wide x 9.00" long x 1.00" tall
Weight: 1.430
Language: English

About the Authors
About the Cover
Leave No Trace
Understanding Attackers' Motives
The Role of Stealth
When Stealth Doesn't Matter
What Is a Rootkit?
Why Do Rootkits Exist?
Remote Command and Control
Software Eavesdropping
Legitimate Uses of Rootkits
How Long Have Rootkits Been Around?
How Do Rootkits Work?
Easter Eggs
Spyware Modifications
Source-Code Modification
The Legality of Software Modification
What a Rootkit Is Not
A Rootkit Is Not an Exploit
A Rootkit Is Not a Virus
Rootkits and Software Exploits
Why Exploits Are Still a Problem
Offensive Rootkit Technologies
Bypassing the IDS/IPS
Bypassing Forensic Tools
Subverting the Kernel
Important Kernel Components
Rootkit Design
Introducing Code into the Kernel
Building the Windows Device Driver
The Device Driver Development Kit
The Build Environments
The Files
Running the Build Utility
The Unload Routine
Loading and Unloading the Driver
Logging the Debug Statements
Fusion Rootkits: Bridging User and Kernel Modes
I/O Request Packets
Creating a File Handle
Adding a Symbolic Link
Loading the Rootkit
The Quick-and-Dirty Way to Load a Driver
The Right Way to Load a Driver
Decompressing the .sys File from a Resource
Surviving Reboot
The Hardware Connection
Ring Zero
Tables, Tables, and More Tables
Memory Pages
Memory Access Check Details
Paging and Address Translation
Page-Table Lookups
The Page-Directory Entry
The Page-Table Entry
Read-Only Access to Some Important Tables
Multiple Processes, Multiple Page Directories
Processes and Threads
The Memory Descriptor Tables
The Global Descriptor Table
The Local Descriptor Table
Code Segments
Call Gates
The Interrupt Descriptor Table
Other Types of Gates
The System Service Dispatch Table
The Control Registers
Control Register Zero (CR0)
Other Control Registers
The EFlags Register
Multiprocessor Systems
The Age-Old Art of Hooking
Userland Hooks
Import Address Table Hooking
Inline Function Hooking
Injecting a DLL into Userland Processes
Kernel Hooks
Hooking the System Service Descriptor Table
Hooking the Interrupt Descriptor Table
Hooking the Major I/O Request Packet Function Table in the Device Driver Object
A Hybrid Hooking Approach
Getting into a Process' Address Space
Memory Space for Hooks
Runtime Patching
Detour Patching
Rerouting the Control Flow Using MigBot
Checking for Function Bytes
Keeping Track of the Overwritten Instructions
Using NonPagedPool Memory
Runtime Address Fixups
Jump Templates
The Interrupt Hook Example
Variations on the Method
Layered Drivers
A Keyboard Sniffer
I/O Request Packet (IRP) and Stack Locations
The KLOG Rootkit: A Walk-through
File Filter Drivers
Direct Kernel Object Manipulation
DKOM Benefits and Drawbacks
Determining the Version of the Operating System
User-Mode Self-Determination
Kernel-Mode Self-Determination
Querying the Operating System Version in the Registry
Communicating with the Device Driver from Userland
Hiding with DKOM
Process Hiding
Device-Driver Hiding
Synchronization Issues
Token Privilege and Group Elevation with DKOM
Modifying a Process Token
Faking out the Windows Event Viewer
Hardware Manipulation
Why Hardware?
Modifying the Firmware
Accessing the Hardware
Hardware Addresses
Accessing Hardware Is Not Like Accessing RAM
Timing Considerations
The I/O Bus
Accessing the BIOS
Accessing PCI and PCMCIA Devices
Example: Accessing the Keyboard Controller
The 8259 Keyboard Controller
Changing the LED Indicators
Hard Reboot
Keystroke Monitor
How Low Can You Go? Microcode Update
Covert Channels
Remote Command, Control, and Exfiltration of Data
Disguised TCP/IP Protocols
Beware of Traffic Patterns
Don't Send Data "in the Clear"
Use Time to Your Advantage
Hide Under DNS Requests
"Stego" on ASCII Payloads
Use Other TCP/IP Channels
Kernel TCP/IP Support for Your Rootkit Using TDI
Build the Address Structure
Create a Local Address Object
Create a TDI Endpoint with Context
Associate an Endpoint with a Local Address
Connect to a Remote Server (Send the TCP Handshake)
Send Data to a Remote Server
Raw Network Manipulation
Implementing Raw Sockets on Windows XP
Binding to an Interface
Sniffing with Raw Sockets
Promiscuous Sniffing with Raw Sockets
Sending Packets with Raw Sockets
Forging the Source
Bouncing Packets
Kernel TCP/IP Support for Your Rootkit Using NDIS
Registering the Protocol
The Protocol Driver Callbacks
Moving Whole Packets
Host Emulation
Creating Your MAC Address
Handling ARP
The IP Gateway
Sending a Packet
Rootkit Detection
Detecting Presence
Guarding the Doors
Scanning the "Rooms"
Looking for Hooks
Detecting Behavior
Detecting Hidden Files and Registry Keys
Detecting Hidden Processes
Free shipping on orders over $35*

*A minimum purchase of $35 is required. Shipping is provided via FedEx SmartPost® and FedEx Express Saver®. Average delivery time is 1 – 5 business days, but is not guaranteed in that timeframe. Also allow 1 - 2 days for processing. Free shipping is eligible only in the continental United States and excludes Hawaii, Alaska and Puerto Rico. FedEx service marks used by permission."Marketplace" orders are not eligible for free or discounted shipping.

Learn more about the TextbookRush Marketplace.