Rootkits: Subverting the Windows Kernel


Index


RaiseCPUIrqlAndWait function

Raw network manipulation

     binding to interfaces

     bouncing packets

     forging sources

     on Windows XP

     sending packets

     sniffing

Read-only table access

ReadFile function 2nd

Reading ports

Reboots

     from keyboard controllers

     surviving

recvfrom function

Registering

     for surviving reboot

     protocols

Registers

     control

     latching between

Registry

     for injecting DLLs into processes

     key detection

     operating system version queries in

RegOpenKeyEx function

RegQueryValue function

RegQueryValueEx function 2nd

Relative Virtual Addresses (RVAs)

Remote command and control 2nd

Remote servers

     connecting to

     sending data to

Remote shells

Remote threads

Reordering of instructions

REQINFO structure

Rerouting control flow

ResponseToArp function

Restarting rootkits

Returns, far

Ring Zero

Rings 2nd

RootkitDispatch function

RootkitRevealer tool

Rootkits

     and software exploits

     characteristics of

     detecting

         behavior detection

         guarding-the-doors approach

         looking for hooks

         scanning rooms

     for kernel

     history of

     legitimate uses of

     loading

     offensive technologies

     operation of

     purpose of

     restarting

     vs. exploits

     vs. viruses

RtlCopyMemory function

RtlGetVersion function

Run key

Runtime address fixups

Runtime patching

     detour. [See Detour patching]

     jump templates

     variations

RVAs [See Relative Virtual Addresses]
