Professional Rootkits (Programmer to Programmer)

The file Ghost.c has been expanded by the addition of two global variables:

PVOID kernel32Base = NULL;
ZWPROTECTVIRTUALMEMORY OldZwProtectVirtualMemory;

kernel32Base is filled in by the ZwMapViewOfSection hook when the library being mapped is kernel32.dll. OldZwProtectVirtualMemory is supplied by findUnresolved, a pattern-matching routine that searches backward from ZwPulseEvent looking for the ZwProtectVirtualMemory stub.

The hook function called from DriverEntry in Ghost.c was also renamed HookKernel(), because there are now two forms of hooking, kernel hooking and user hooking:

// Add kernel hooks
if( !NT_SUCCESS( HookKernel() ) )
{
    DbgPrint("comint32: HookKernel failed!\n");
    return STATUS_UNSUCCESSFUL;
}
