2 Methodology
Put an Emphasis on Building Custom Tools
The general tendency of many security books is to offer a survey of the available tools, accompanied by comments on their use.
With regard to rootkits, however, I think that it would be a disservice to you if I merely stuck to widely available tools. This is because public tools are, well . . . public. They've been carefully studied by the White Hats, leading to the identification of telltale signatures and the development of automated countermeasures. The Ultimate Packer for eXecutables (UPX) and the Zeus malware suite are prime examples of this. The average forensic investigator will easily be able to recognize the artifacts that these tools leave behind.
In light of this, the best way to keep a low profile and minimize your chances of detection is to use your own tools. It's not enough simply to survey existing technology. You've got to understand how stealth technology works under the hood so that you have the skillset necessary to construct your own weaponry. This underscores the fact that some of the more prolific Black Hats, the ones you never hear about, are also accomplished developers.
Over the course of its daily operation, the average computer spits out gigabytes of data in one form or another (log entries, registry edits, file system changes, etc.). The only way that an investigator can sift through all this data and maintain a semblance of sanity is to rely heavily on automation. By using custom software, you're depriving investigators of the ability to rely on off-the-shelf tools and are dramatically increasing the odds in your favor.
Include an Adequate Review of Prerequisite Material
Dealing with system-level code is a lot like walking around a construction site for the first time. Kernel-mode code is very unforgiving. The nature of this hard-hat zone is such that it shelters the cautious and punishes the foolhardy. In these surroundings, it helps to have someone who knows the terrain and can point out the dangerous spots. To this end, I put a significant amount of effort into covering the finer points of Intel hardware, explaining obscure device-driver concepts, and dissecting the appropriate system-level application programming interfaces (APIs). I wanted to include enough background material so that you don't have to read this book with two other books in your lap.