Rootkits: Subverting the Windows Kernel

Index

I/O bus

I/O Control Codes (IOCTLs) 2nd 3rd

I/O Controller Hub (ICH) chips

I/O Request Packets. [See IRPs (I/O Request Packets)]

IAT (Import Address Table)

     finding hooks

     hooking 2nd

     in rootkit detection

ICH (I/O Controller Hub) chips

ICMP packets

IdentifySSDTHooks function

Idle process

IDS software, bypassing

IDTENTRY structure

IDTINFO structure

IDTRs (interrupt descriptor table registers)

IDTs (Interrupt Descriptor Tables)

     hooking

     in rootkit detection

     working with

IMAGE_DIRECTORY_ENTRY_IMPORT structure

IMAGE_IMPORT_BY_NAME structure

IMAGE_IMPORT_DESCRIPTOR structure 2nd

IMAGE_INFO structure

Import Address Table (IAT)

     finding hooks

     hooking 2nd

     in rootkit detection

in instruction 2nd

in_addr structure

Include files

INCLUDES variable

INETADDR macro

Infected files for reboot survival

InitThreadKeyLogger function

Injecting DLLs into processes

Inline functions

     finding hooks

     hooking

InstallTCPDriverHook function

InstDrv tool

Instructions, alignment

INT 2E instruction

Integrity Protection Driver (IPD) 2nd

Intel processors, microcode updates

Interfaces, binding to

Interlocked functions

InterlockedExchange function

Interrupt descriptor table registers (IDTRs)

Interrupt Descriptor Tables (IDTs)

     hooking

     in rootkit detection

     working with

Interrupt flags

Interrupt gates

Interrupt service routines (ISRs) 2nd

Interrupt tables

     for CPUs

     with jump templates

Interrupts for keystrokes

IO_STACK_LOCATION

IoAttachDevice function

IoCallDriver function 2nd 3rd

IoCompletionRoutine function 2nd

IoCopyCurrentIrpStackLocationToNext function

IoCreateDevice function

IoCreateSymbolicLink function

IOCTL_DRV_INIT IOCTL

IOCTL_DRV_VER IOCTL

IOCTLs (I/O Control Codes) 2nd 3rd

IoDetachDevice function

IoGetCurrentIrpStackLocation function

IoGetCurrentProcess function

IoGetDeviceObjectPointer function

IoGetNextIrpStackLocation function

IoSetCompletionRoutine function 2nd

IoSkipCurrentIrpStackLocation function

IoSkipCurrentStackLocation function

IPD (Integrity Protection Driver) 2nd

IRP_ values

IRP_MJ_DEVICE_CONTROL

IRPs (I/O Request Packets)

     and stack locations

     completion routines for

     driver tables for

     finding hooks

     for keyboards

     hooking

     in rootkit detection

     working with

ISRs [See Interrupt Service Routines]
