Rootkits: Subverting the Windows Kernel
"If you have a difficult task, give it to a lazy person; he will find an easier way to do it."

HLADE'S LAW

Developers engineer clever solutions to avoid work. In fact, this laziness drives many innovations in code. The ability to layer drivers is one such innovation. Using layers, a developer can chain multiple drivers together. In this way, a developer can modify the behavior of an existing driver without coding a whole new driver from scratch.

Think about it: what if you want to encrypt the contents of a hard drive? Would you like to write an NTFS driver from scratch that supports not only the exact hardware of the drive mechanism, but also the NTFS on-disk format and the encryption routines? Using layered drivers, this is not necessary. You simply intercept the data as it travels to the pre-existing NTFS driver and encrypt it on the way through. More importantly, the details of the NTFS format are decoupled from the hardware details of the drive mechanism.

This elegant idea applies to most drivers in the Windows environment. Driver chains exist for almost all hardware devices. The lowest-level driver deals with direct access to the bus and the hardware device; higher-level drivers deal with data formatting, error codes, and the conversion of high-level requests into the smaller, more pointed details of hardware manipulation.

Layering is an important concept for rootkits, because layered drivers are involved in the movement of data in and out of lower-level hardware. Layered drivers not only intercept data; they can also modify this data before passing it on. In other words, they are perfect for rootkit developers. Almost every device on the system can be intercepted in this way. And, using layering, we can be lazy and intercept only the data we are interested in. Best of all, we can avoid dealing with complicated hardware. If we want to sniff keystrokes, for example, we just layer our interception over the already existing keyboard driver.
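The mechanics behind that last paragraph are worth seeing in code before the real driver appears. The following is an added illustration, not code from this book or from the Windows kernel: a user-mode model, in portable C, of a three-layer device stack (a port driver at the bottom, a class driver in the middle, and a keystroke-sniffing filter attached on top). The routines io_set_completion_routine, io_call_driver and io_complete_request are simplified stand-ins for the kernel routines of the same names (the real IoSetCompletionRoutine writes into the next-lower stack location; the model collapses that detail), KeyData is a cut-down stand-in for KEYBOARD_INPUT_DATA, and the scan codes, the "A to B" remap and all device names are constructed for the example. The point it shows is the one a filter author must internalize: on the way down, a read IRP carries an empty buffer, so the filter can only intercept the data by registering a completion routine and looking at (or rewriting) the buffer on the way back up.

```c
/* Added example (not from the book, not WDK code): a user-mode model of how a
 * filter driver layers over an existing Windows device stack.  All names,
 * scan codes and the key remap below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IRP_MJ_READ 3
#define MAX_LAYERS  4
#define LOG_CAP     64

typedef struct { uint16_t make_code; uint16_t flags; } KeyData;  /* stand-in for KEYBOARD_INPUT_DATA */

typedef struct Device Device;
typedef struct Irp Irp;
typedef int  (*Dispatch)(Device *dev, Irp *irp);
typedef void (*Completion)(Device *dev, Irp *irp, void *ctx);

struct Device {
    const char *name;
    Dispatch    dispatch;  /* entry point for IRPs arriving at this layer */
    Device     *lower;     /* device this one is attached on top of (NULL at the bottom) */
    void       *ext;       /* device extension: this layer's private state */
};

struct Irp {
    int      major;
    KeyData *buf;          /* caller's buffer: still empty on the way down */
    size_t   capacity;     /* records it can hold */
    size_t   info;         /* records actually produced by the lowest driver */
    /* one stack location per layer: the completion routine to run on the way up */
    struct { Device *dev; Completion done; void *ctx; } loc[MAX_LAYERS];
    int      depth;
};

typedef struct { KeyData log[LOG_CAP]; size_t n; } SniffExt;   /* what the filter captured */
typedef struct { const KeyData *pending; size_t n; } PortExt;  /* keys "waiting in the hardware" */

/* Model of IoSetCompletionRoutine: remember a routine in this layer's stack location. */
static void io_set_completion_routine(Device *dev, Irp *irp, Completion done, void *ctx) {
    irp->loc[irp->depth].dev = dev; irp->loc[irp->depth].done = done; irp->loc[irp->depth].ctx = ctx;
}

/* Model of IoCallDriver: move to the next stack location and hand the IRP down. */
static int io_call_driver(Device *dev, Irp *irp) {
    if (!dev->lower || irp->depth + 1 >= MAX_LAYERS) return -1;
    irp->depth++;
    return dev->lower->dispatch(dev->lower, irp);
}

/* Model of IoCompleteRequest: walk the stack upward, running each registered completion. */
static void io_complete_request(Irp *irp) {
    for (int i = irp->depth - 1; i >= 0; i--)
        if (irp->loc[i].done) irp->loc[i].done(irp->loc[i].dev, irp, irp->loc[i].ctx);
}

/* Attach a filter on top of a target; the filter becomes the new top of the stack. */
static Device *attach_device(Device *filter, Device *target) { filter->lower = target; return filter; }

/* Bottom of the stack: the port driver touches the "hardware" and fills the buffer. */
static int port_dispatch(Device *dev, Irp *irp) {
    PortExt *p = dev->ext;
    if (irp->major != IRP_MJ_READ) { io_complete_request(irp); return -1; }
    size_t n = p->n < irp->capacity ? p->n : irp->capacity;
    memcpy(irp->buf, p->pending, n * sizeof(KeyData));
    p->pending += n; p->n -= n;
    irp->info = n;
    io_complete_request(irp);   /* data now exists: completions run bottom-up */
    return 0;
}

/* Middle layer: the class driver only forwards reads to the port driver. */
static int class_dispatch(Device *dev, Irp *irp) { return io_call_driver(dev, irp); }

/* Filter completion: runs after the port driver filled the buffer and before the
 * caller sees it.  It logs the original keystrokes, then rewrites one scan code. */
static void sniff_complete(Device *dev, Irp *irp, void *ctx) {
    SniffExt *s = ctx; (void)dev;
    for (size_t i = 0; i < irp->info; i++) {
        if (s->n < LOG_CAP) s->log[s->n++] = irp->buf[i];
        if (irp->buf[i].make_code == 0x1E) irp->buf[i].make_code = 0x30;  /* constructed remap: 'A' -> 'B' */
    }
}

/* Top of the stack: the filter sees the read on the way down, when the buffer is
 * still empty, so it registers a completion routine and passes the IRP on unchanged. */
static int sniff_dispatch(Device *dev, Irp *irp) {
    if (irp->major == IRP_MJ_READ) io_set_completion_routine(dev, irp, sniff_complete, dev->ext);
    return io_call_driver(dev, irp);
}

/* Build port <- class <- filter, issue one read from the top, return records delivered.
 * out receives what the caller sees; sniffer receives what the filter logged. */
static size_t simulate_read(KeyData *out, size_t cap, SniffExt *sniffer) {
    static const KeyData sample[] = { {0x23,0}, {0x1E,0}, {0x1E,1}, {0x32,0} };  /* constructed: H, A down, A up, M */
    PortExt port_ext = { sample, sizeof sample / sizeof sample[0] };
    Device port = { "port(model)", port_dispatch, NULL, &port_ext };
    Device cls  = { "class(model)", class_dispatch, NULL, NULL };
    Device filt = { "sniffer(model)", sniff_dispatch, NULL, sniffer };
    Device *top = attach_device(&filt, attach_device(&cls, &port));
    Irp irp; memset(&irp, 0, sizeof irp);
    irp.major = IRP_MJ_READ; irp.buf = out; irp.capacity = cap;
    top->dispatch(top, &irp);
    return irp.info;
}

/* 1 if the caller received the remapped code while the filter logged the original. */
static int check_model(void) {
    KeyData out[8]; SniffExt s; memset(&s, 0, sizeof s);
    size_t n = simulate_read(out, 8, &s);
    return n == 4 && s.n == 4 && s.log[1].make_code == 0x1E && s.log[2].flags == 1
        && out[1].make_code == 0x30 && out[2].make_code == 0x30 && out[3].make_code == 0x32;
}

int main(void) {
    KeyData out[8]; SniffExt s; memset(&s, 0, sizeof s);
    size_t n = simulate_read(out, 8, &s);
    printf("caller received %zu records:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", out[i].make_code);
    printf("\nsniffer logged   %zu records:", s.n);
    for (size_t i = 0; i < s.n; i++) printf(" %02x", s.log[i].make_code);
    printf("\n");
    return check_model() ? 0 : 1;
}
```

Two properties of the model carry over to the real thing: the filter never touches the hardware or the keyboard protocol, it only attaches above a stack that already works; and the filter's own code runs twice per request, once on the way down (where it decides whether this IRP is interesting) and once in the completion routine on the way up (where the data finally exists). The remap shows why the second pass matters for more than sniffing: anything rewritten there reaches the caller as if the hardware had produced it.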
In this chapter, you will learn how to use layering techniques to intercept and modify data in a system. We will start by discussing how the Windows kernel handles drivers, and take you through a detailed walk-through of a sample keyboard filter driver for sniffing keystrokes. We will end the chapter with a discussion of file-system filter drivers. By the time you finish reading this chapter, you should be able to intercept everything a user types, and to hide the file or directory where you are storing the data.