Professional Rootkits (Programmer to Programmer)

parameters, CALL_DATA_STRUCT, 63

parse86.c file

code, 79–96

functions list, 78–79

parse86.h file

code, 78

functions list, 78

ParseRecipientList, function, 234–239

parsing

PE formatted files, 97–99

x86 instructions, 96

payload

defined, 7

overview, 7–8

PE formatted files, parsing, 97–99

peFormat.h file

code, 97–99

user hooks, 97–99

periodic status reporting, feedback, 244

persistence, installation, 245–246

personal firewalls

free, 294

to purchase, 294–295

rootkit prevention, 293–295

Pfx (ANSI Prefix Manager), functional group, 40–41

PfxFindPrefix, routine, 41

PfxInitialize, routine, 40

PfxInsertPrefix, routine, 41

PfxRemovePrefix, routine, 40

PGP Desktop

overview, 115–117

Professional version 9 download, 99

PGP encoding, using Ghost to block, 99–100

PGP Monitor, Microsoft Windows 2000, XP, and 2003, 101

piggybacked, defined, 289

Ping, function, 269–270

pMyMDL

Ghost.c file variable, 33–36

hookManager.h file variable, 37–38

Policy Development, control category, 257

Policy Implementation, control category, 257

Port operations, Zw routine, 41

prevention. See rootkit prevention

privilege escalation, overview, 245

process creation detection, IceSword, 314

Process detection, IceSword, 313

process hiding

diagrammed, 206

HideMe.c file, 206–211

overview, 205–206

testing, 212

process injection

injectManager.c file and, 66–78

limitation of, 47

NewZwMapViewOfSection function, 47

overview, 43–44

trampoline function and, 49

process injection hook, beforeEncode, 67–78

Process operations, Zw routine, 41

process termination detection, IceSword, 314

ProcessGuard, anti-rootkit software, 254

Processing exceptions, Rtl routine, 41

processing levels, key logging and, 167–168

processInject, function, 66–78

programming, injected function, 114

programs, compiling, 21, 23–24

PsCreateSystemThread, function, 170

PsTerminateSystemThread, function, 170

PutFile, function, 16–19, 20
