Log In
Or create an account -> 
Imperial Library
  • Home
  • About
  • News
  • Upload
  • Forum
  • Help
  • Login/SignUp

Index
Cover Title Page Copyright Contents Preface Part I: Foundations
Chapter 1 Empty Cup Mind
1.1 An Uninvited Guest 1.2 Distilling a More Precise Definition
The Attack Cycle The Role of Rootkits in the Attack Cycle Single-Stage Versus Multistage Droppers Other Means of Deployment A Truly Pedantic Definition Don’t Confuse Design Goals with Implementation Rootkit Technology as a Force Multiplier The Kim Philby Metaphor: Subversion Versus Destruction Why Use Stealth Technology? Aren’t Rootkits Detectable?
1.3 Rootkits != Malware
Infectious Agents Adware and Spyware Rise of the Botnets Enter: Conficker Malware Versus Rootkits
1.4 Who Is Building and Using Rootkits?
Marketing Digital Rights Management It’s Not a Rootkit, It’s a Feature Law Enforcement Industrial Espionage Political Espionage Cybercrime Who Builds State-of-the-Art Rootkits? The Moral Nature of a Rootkit
1.5 Tales from the Crypt: Battlefield Triage 1.6 Conclusions
Chapter 2 Overview of Anti-Forensics
Everyone Has a Budget: Buy Time 2.1 Incident Response
Intrusion Detection System (and Intrusion Prevention System) Odd Behavior Something Breaks
2.2 Computer Forensics
Aren’t Rootkits Supposed to Be Stealthy? Why AF? Assuming the Worst-Case Scenario Classifying Forensic Techniques: First Method Classifying Forensic Techniques: Second Method Live Response When Powering Down Isn’t an Option The Debate over Pulling the Plug To Crash Dump or Not to Crash Dump Postmortem Analysis Non-Local Data
2.3 AF Strategies
Data Destruction Data Concealment Data Transformation Data Fabrication Data Source Elimination
2.4 General Advice for AF Techniques
Use Custom Tools Low and Slow Versus Scorched Earth Shun Instance-Specific Attacks Use a Layered Defense
2.5 John Doe Has the Upper Hand
Attackers Can Focus on Attacking Defenders Face Institutional Challenges Security Is a Process (and a Boring One at That) Ever-Increasing Complexity
2.6 Conclusions
Chapter 3 Hardware Briefing
3.1 Physical Memory 3.2 IA-32 Memory Models
Flat Memory Model Segmented Memory Model Modes of Operation
3.3 Real Mode
Case Study: MS-DOS Isn’t This a Waste of Time? Why Study Real Mode? The Real-Mode Execution Environment Real-Mode Interrupts Segmentation and Program Control Case Study: Dumping the IVT Case Study: Logging Keystrokes with a TSR Case Study: Hiding the TSR Case Study: Patching the TREE.COM Command Synopsis
3.4 Protected Mode
The Protected-Mode Execution Environment Protected-Mode Segmentation Protected-Mode Paging Paging with Address Extension A Closer Look at the Tables A Closer Look at the Control Registers
3.5 Implementing Memory Protection
Protection Through Segmentation Limit Checks Type Checks Privilege Checks Restricted Instruction Checks Gate Descriptors The Protected-Mode Interrupt Table Protection Through Paging Summary
Chapter 4 System Briefing
4.1 Physical Memory under Windows
Land of the Lost (Memory) How Windows Uses Physical Address Extension Pages, Page Frames, and Page Frame Numbers
4.2 Segmentation and Paging under Windows
Segmentation Paging Linear to Physical Address Translation A Quicker Approach Comments on EPROCESS and KPROCESS
4.3 User Space and Kernel Space
4-Gigabyte Tuning (4GT) To Each His Own Jumping the Fence User-Space Topography Kernel-Space Dynamic Allocation Address Windowing Extension PAE Versus 4GT Versus AWE
4.4 User Mode and Kernel Mode
How Versus Where Kernel-Mode Components User-Mode Components
4.5 Other Memory Protection Features
Data Execution Prevention Address Space Layout Randomization /GS Compiler Option /SAFESEH Linker Option
4.6 The Native API
The IVT Grows Up A Closer Look at the IDT System Calls via Interrupt The SYSENTER Instruction The System Service Dispatch Tables Enumerating the Native API Nt*() Versus Zw*() System Calls The Life Cycle of a System Call Other Kernel-Mode Routines Kernel-Mode API Documentation
4.7 The BOOT Process
Startup for BIOS Firmware Startup for EFI Firmware The Windows Boot Manager The Windows Boot Loader Initializing the Executive The Session Manager Wininit.exe Winlogon.exe Boot Process Recap
4.8 Design Decisions
Hiding in a Crowd: Type 0 Active Concealment: Type I and Type II Jumping Out of Bounds: Type III The Road Ahead
Chapter 5 Tools of the Trade
5.1 Development Tools
Diagnostic Tools Disk-Imaging Tools For Faster Relief: Virtual Machines Tool Roundup
5.2 Debuggers
Configuring CDB.exe Symbol Files Windows Symbols Invoking CDB.exe Controlling CDB.exe Useful Debugger Commands Examine Symbols Command (x) List Loaded Modules (lm and !lmi) Display Type Command (dt) Unassemble Command (u) Display Commands (d*) Registers Command (r)
5.3 The KD.exe Kernel Debugger
Different Ways to Use a Kernel Debugger Physical Host–Target Configuration Preparing the Hardware Preparing the Software Launching a Kernel–Debugging Session Controlling the Target Virtual Host-Target Configuration Useful Kernel-Mode Debugger Commands List Loaded Modules Command (lm) !process Registers Command (r) Working with Crash Dumps Method No. 1: PS/2 Keyboard Trick Method No. 2: KD.exe Command Method No. 3: NotMyFault.exe Crash Dump Analysis
Chapter 6 Life in Kernel Space
6.1 A KMD Template
Kernel-Mode Drivers: The Big Picture WDK Frameworks A Truly Minimal KMD Handling IRPs Communicating with User-Mode Code Sending Commands from User Mode
6.2 Loading a KMD 6.3 The Service Control Manager
Using sc.exe at the Command Line Using the SCM Programmatically Registry Footprint
6.4 Using an Export Driver 6.5 Leveraging an Exploit in the Kernel 6.6 Windows Kernel-Mode Security
Kernel-Mode Code Signing (KMCS) KMCS Countermeasures Kernel Patch Protection (KPP) KPP Countermeasures
6.7 Synchronization
Interrupt Request Levels Deferred Procedure Calls Implementation
6.8 Conclusions
Part II: Postmortem
Chapter 7 Defeating Disk Analysis
7.1 Postmortem Investigation: An Overview 7.2 Forensic Duplication
Countermeasures: Reserved Disk Regions
7.3 Volume Analysis
Storage Volumes under Windows Manual Volume Analysis Countermeasures: Partition Table Destruction Raw Disk Access under Windows Raw Disk Access: Exceptions to the Rule
7.4 File System Analysis
Recovering Deleted Files Recovering Deleted Files: Countermeasures Enumerating ADSs Enumerating ADSs: Countermeasures Recovering File System Objects Recovering File System Objects: Countermeasures Out-of-Band Concealment In-Band Concealment Enter: FragFS Application-Level Concealment Acquiring Metadata Acquiring Metadata: Countermeasures Altering Time Stamps Altering Checksums Identifying Known Files Cross-Time Versus Cross-View Diffs Identifying Known Files: Countermeasures
7.5 File Signature Analysis
File Signature Analysis: Countermeasures
7.6 Conclusions
Chapter 8 Defeating Executable Analysis
8.1 Static Analysis
Scan for Related Artifacts Verify Digital Signatures Dump String Data Inspect File Headers Disassembly and Decompilation
8.2 Subverting Static Analysis
Data Transformation: Armoring Armoring: Cryptors Key Management Armoring: Packers Armoring: Metamorphic Code The Need for Custom Tools The Argument Against Armoring Data Fabrication False-Flag Attacks Data Source Elimination: Multistage Loaders Defense In-depth
8.3 Runtime Analysis
The Working Environment Manual Versus Automated Runtime Analysis Manual Analysis: Basic Outline Manual Analysis: Tracing Manual Analysis: Memory Dumping Manual Analysis: Capturing Network Activity Automated Analysis Composition Analysis at Runtime
8.4 Subverting Runtime Analysis
Tracing Countermeasures API Tracing: Evading Detour Patches API Tracing: Multistage Loaders Instruction-Level Tracing: Attacking the Debugger Break Points Detecting a User-Mode Debugger Detecting a Kernel-Mode Debugger Detecting a User-Mode or a Kernel-Mode Debugger Detecting Debuggers via Code Checksums The Argument Against Anti-Debugger Techniques Instruction-Level Tracing: Obfuscation Obfuscating Application Data Obfuscating Application Code Hindering Automation Countering Runtime Composition Analysis
8.5 Conclusions
Part III: Live Response
Chapter 9 Defeating Live Response
Autonomy: The Coin of the Realm Learning the Hard Way: DDefy The Vendors Wise Up: Memoryze 9.1 Live Incident Response: The Basic Process 9.2 User-Mode Loaders (UMLs)
UMLs That Subvert the Existing APIs The Argument Against Loader API Mods The Windows PE File Format at 10,000 Feet Relative Virtual Addresses PE File Headers The Import Data Section (.idata) The Base Relocation Section (.reloc) Implementing a Stand-Alone UML
9.3 Minimizing Loader Footprint
Data Contraception: Ode to The Grugq The Next Step: Loading via Exploit
9.4 The Argument Against Stand-Alone PE Loaders
Chapter 10 Building Shellcode in C
Why Shellcode Rootkits? Does Size Matter? 10.1 User-Mode Shellcode
Visual Studio Project Settings Using Relative Addresses Finding Kernel32.dll: Journey into the TEB and PEB Augmenting the Address Table Parsing the kernel32.dll Export Table Extracting the Shellcode The Danger Room Build Automation
10.2 Kernel-Mode Shellcode
Project Settings: $(NTMAKEENV)\makefile.new Project Settings: SOURCES Address Resolution Loading Kernel-Mode Shellcode
10.3 Special Weapons and Tactics 10.4 Looking Ahead
Chapter 11 Modifying Call Tables
11.1 Hooking in User Space: The IAT
DLL Basics Accessing Exported Routines Injecting a DLL Walking an IAT from a PE File on Disk Hooking the IAT
11.2 Call Tables in Kernel Space 11.3 Hooking the IDT
Handling Multiple Processors: Solution #1 Naked Routines Issues with Hooking the IDT
11.4 Hooking Processor MSRs
Handling Multiple Processors: Solution #2
11.5 Hooking the SSDT
Disabling the WP Bit: Technique #1 Disabling the WP Bit: Technique #2 Hooking SSDT Entries SSDT Example: Tracing System Calls SSDT Example: Hiding a Process SSDT Example: Hiding a Network Connection
11.6 Hooking IRP Handlers 11.7 Hooking the GDT: Installing a Call Gate
Ode to Dreg
11.8 Hooking Countermeasures
Checking for Kernel-Mode Hooks Checking IA32_SYSENTER_EIP Checking INT 0x2E Checking the SSDT Checking IRP Handlers Checking for User-Mode Hooks Parsing the PEB: Part I Parsing the PEB: Part II
11.9 Counter-Countermeasures
Assuming the Worst Case Worst-Case Countermeasure #1 Worst-Case Countermeasure #2
Chapter 12 Modifying Code
Types of Patching In-Place Patching Detour Patching Prologue and Epilogue Detours Detour Jumps 12.1 Tracing Calls
Detour Implementation Acquire the Address of the NtSetValueKey() Initialize the Patch Metadata Structure Verify the Original Machine Code Against a Known Signature Save the Original Prologue and Epilogue Code Update the Patch Metadata Structure Lock Access and Disable Write-Protection Inject the Detours The Prologue Detour The Epilogue Detour Postgame Wrap-Up
12.2 Subverting Group Policy
Detour Implementation Initializing the Patch Metadata Structure The Epilogue Detour Mapping Registry Values to Group Policies
12.3 Bypassing Kernel-Mode API Loggers
Fail-Safe Evasion Kicking It Up a Notch
12.4 Instruction Patching Countermeasures
Chapter 13 Modifying Kernel Objects
13.1 The Cost of Invisibility
Issue #1: The Steep Learning Curve Issue #2: Concurrency Issue #3: Portability and Pointer Arithmetic Branding the Technique: DKOM Objects?
13.2 Revisiting the EPROCESS Object
Acquiring an EPROCESS Pointer Relevant Fields in EPROCESS UniqueProcessId ActiveProcessLinks Token ImageFileName
13.3 The DRIVER_SECTION Object 13.4 The Token Object
Authorization on Windows Locating the Token Object Relevant Fields in the Token Object
13.5 Hiding a Process 13.6 Hiding a Driver 13.7 Manipulating the Access Token 13.8 Using No-FU 13.9 Kernel-Mode Callbacks 13.10 Countermeasures
Cross-View Detection High-Level Enumeration: CreateToolhelp32Snapshot() High-Level Enumeration: PID Bruteforce Low-Level Enumeration: Processes Low-Level Enumeration: Threads Related Software Field Checksums
13.11 Counter-Countermeasures
The Best Defense: Starve the Opposition Commentary: Transcending the Two-Ring Model The Last Line of Defense
Chapter 14 Covert Channels
14.1 Common Malware Channels
Internet Relay Chat Peer-to-Peer Communication HTTP
14.2 Worst-Case Scenario: Full Content Data Capture
Protocol Tunneling DNS ICMP Peripheral Issues
14.3 The Windows TCP/IP Stack
Windows Sockets 2 Raw Sockets Winsock Kernel API NDIS Different Tools for Different Jobs
14.4 DNS Tunneling
DNS Query DNS Response
14.5 DNS Tunneling: User Mode 14.6 DNS Tunneling: WSK Implementation
Initialize the Application’s Context Create a Kernel-Mode Socket Determine a Local Transport Address Bind the Socket to the Transport Address Set the Remote Address (the C2 Client) Send the DNS Query Receive the DNS Response
14.7 NDIS Protocol Drivers
Building and Running the NDISProt 6.0 Example An Outline of the Client Code An Outline of the Driver Code The Protocol*() Routines Missing Features
14.8 Passive Covert Channels
Chapter 15 Going Out-of-Band
Ways to Jump Out-of-Band 15.1 Additional Processor Modes
System Management Mode Rogue Hypervisors White Hat Countermeasures Rogue Hypervisors Versus SMM Rootkits
15.2 Firmware
Mobo BIOS ACPI Components Expansion ROM UEFI Firmware
15.3 Lights-Out Management Facilities 15.4 Less Obvious Alternatives
Onboard Flash Storage Circuit-Level Tomfoolery
15.5 Conclusions
Part IV: Summation
Chapter 16 The Tao of Rootkits
The Dancing Wu Li Masters When a Postmortem Isn’t Enough The Battlefield Shifts Again 16.1 Core Stratagems
Respect Your Opponent Five Point Palm Exploding Heart Technique Resist the Urge to Smash and Grab Study Your Target
16.2 Identifying Hidden Doors
On Dealing with Proprietary Systems Staking Out the Kernel Kingpin: Hardware Is the New Software Leverage Existing Research
16.3 Architectural Precepts
Load First, Load Deep Strive for Autonomy Butler Lampson: Separate Mechanism from Policy
16.4 Engineering a Rootkit
Stealth Versus Development Effort Use Custom Tools Stability Counts: Invest in Best Practices Gradual Enhancement Failover: The Self-Healing Rootkit
16.5 Dealing with an Infestation
Index Photo Credits
  • ← Prev
  • Back
  • Next →
  • ← Prev
  • Back
  • Next →

Chief Librarian: Las Zenow <zenow@riseup.net>
Fork the source code from gitlab.

This is a mirror of the Tor onion service:
http://kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion