Professional Rootkits (Programmer to Programmer)

GetFile, function, 16, 17–19, 20

GetFunctionAddress, function, 54–63

getHookPointers, function, 66–78

GetImageSize, function, 54–63

GetKey, function, 184

GetKeyName, function, 202

GetNewIndex, function, 190–198

getNextInstruction, function, 78, 78–96

GetPointerByHandle, function, 202

GetSubkeyCount, function, 190–198

getx86Instruction, function, 66–78

Ghost

rootkit example, 9–15

using to block PGP encoding, 99–100

Ghost Tracker

ControlForm.cs file code, 263–268

GhostTracker.cs file code, 260–262

Listen.cs file code, 271–272

TargetController.cs file code, 269–270

Ghost.c file

code for Basic Rootkit, 10–12

code for Concealment, 198

code for Filter Drivers, 146–150

code for Kernel Hooks, 33–36

code for Key Logging, 172–173

code for User Hooks, 51

comint32, 13

concealment, 198

DbgPrint statements, 13

debug statements, 13

device pointers, 146

DriverEntry function, 10–12

DriverUnload function, 34

filter drivers, 146–150

kernel32Base variable, 51–52

key logging, 172–173

NewSystemCallTable variable, 33–36

OldZwMapViewOfSection variable, 33–36

OnUnload function, 10

pMyMDL variable, 33–36

ZwProtectVirtualMemory, 51–52

ZwProtectVirtualMemory variable, 51–52

Ghost.h file

Basic Rootkit code, 10

CreateFileW function, 50–51

DRIVER_DATA, 10–12

lstrcmpiW function, 50–51

OnUnload function, 10–12

user hooks, 50–51

User Hooks code, 51

GhostTracker, controller, 120–121

GhostTracker form

overview, 273

rootkit remote controller implementation, 273

GhostTracker threading model, diagram, 259

GhostTracker.cs file

code, 260–262

functions list, 260

rootkit remote controller implementation, 260–262

global variable, listOffset, 210–211
