Index
Designing BSD Rootkits
Acknowledgments

Foreword

Introduction
  • What Is a Rootkit?
  • Why FreeBSD?
  • The Goals of This Book
  • Who Should Read This Book?
  • Contents Overview
  • Conventions Used in This Book
  • Concluding Remarks

1. Loadable Kernel Modules
  • Module Event Handler
  • The DECLARE_MODULE Macro
  • "Hello, world!"
  • System Call Modules
      • The System Call Function
      • The sysent Structure
      • The Offset Value
      • The SYSCALL_MODULE Macro
      • Example
      • The modfind Function
      • The modstat Function
      • The syscall Function
      • Executing the System Call
      • Executing the System Call Without C Code
  • Kernel/User Space Transitions
      • The copyin and copyinstr Functions
      • The copyout Function
      • The copystr Function
  • Character Device Modules
      • The cdevsw Structure
      • Character Device Functions
      • The Device Registration Routine
      • Example
      • Testing the Character Device
  • Linker Files and Modules
  • Concluding Remarks

2. Hooking
  • Hooking a System Call
  • Keystroke Logging
  • Kernel Process Tracing
  • Common System Call Hooks
  • Communication Protocols
      • The protosw Structure
      • The inetsw[ ] Switch Table
      • The mbuf Structure
  • Hooking a Communication Protocol
  • Concluding Remarks

3. Direct Kernel Object Manipulation
  • Kernel Queue Data Structures
      • The LIST_HEAD Macro
      • The LIST_HEAD_INITIALIZER Macro
      • The LIST_ENTRY Macro
      • The LIST_FOREACH Macro
      • The LIST_REMOVE Macro
  • Synchronization Issues
      • The mtx_lock Function
      • The mtx_unlock Function
      • The sx_slock and sx_xlock Functions
      • The sx_sunlock and sx_xunlock Functions
  • Hiding a Running Process
      • The proc Structure
      • The allproc List
      • Example
  • Hiding a Running Process Redux
      • The hashinit Function
      • pidhashtbl
      • The pfind Function
      • Example
  • Hiding with DKOM
  • Hiding an Open TCP-based Port
      • The inpcb Structure
      • The tcbinfo.listhead List
      • Example
  • Corrupting Kernel Data
  • Concluding Remarks

4. Kernel Object Hooking
  • Hooking a Character Device
      • The cdevp_list Tail Queue and cdev_priv Structures
      • The devmtx Mutex
      • Example
  • Concluding Remarks

5. Run-Time Kernel Memory Patching
  • Kernel Data Access Library
      • The kvm_openfiles Function
      • The kvm_nlist Function
      • The kvm_geterr Function
      • The kvm_read Function
      • The kvm_write Function
      • The kvm_close Function
  • Patching Code Bytes
  • Understanding x86 Call Statements
      • Patching Call Statements
  • Allocating Kernel Memory
      • The malloc Function
      • The MALLOC Macro
      • The free Function
      • The FREE Macro
      • Example
  • Allocating Kernel Memory from User Space
      • Example
  • Inline Function Hooking
      • Example
      • Gotchas
  • Cloaking System Call Hooks
  • Concluding Remarks

6. Putting It All Together
  • What HIDSes Do
  • Bypassing HIDSes
  • Execution Redirection
  • File Hiding
  • Hiding a KLD
      • The linker_files List
      • The linker_file Structure
      • The modules List
      • The module Structure
      • Example
  • Preventing Access, Modification, and Change Time Updates
      • Change Time
      • Example
  • Proof of Concept: Faking Out Tripwire
  • Concluding Remarks

7. Detection
  • Detecting Call Hooks
      • Finding System Call Hooks
  • Detecting DKOM
      • Finding Hidden Processes
      • Finding Hidden Ports
  • Detecting Run-Time Kernel Memory Patching
      • Finding Inline Function Hooks
      • Finding Code Byte Patches
  • Concluding Remarks

8. Closing Words

Bibliography

Colophon