Index

!cpuid debugger command

!ivt debugger command

!list debugger command

!lmi debugger command

!peb debugger command

!process debugger command

!pte debugger command

!token debugger command

!vtop debugger command

#BP trap

#DB trap

#GP, see general protection exception

#PF, see page fault exception

#pragma directives

$DATA attribute

$FILE_NAME attribute

$SECURITY_DESCRIPTOR attribute

$STANDARD_INFORMATION attribute

.bss section

.data section

.edata section

.formats debugger command

.idata section

.process meta-command

.rdata section

.reloc section

.rsrc section

.text section

.textbss section

/DYNAMICBASE linker option

/NXCOMPAT linker option

\Device\msnetdiag

\Device\PhysicalMemory

__declspec(dllimport)

__declspec(naked)

_NT_DEBUG_BAUD_RATE

_NT_DEBUG_LOG_FILE_OPEN

_NT_DEBUG_PORT

_NT_SOURCE_PATH

_NT_SYMBOL_PATH

_SEH_epilog4

_SEH_prolog4

80286 processor

80386 processor

8086/88 processor

A

abort

Absolute Software

access control entry (ACE)

access token

ACPI driver

ACPI, see advanced configuration and power interface

active partition

address space layout randomization (ASLR)

address windowing extensions (AWE)

ADDRESS_INFO structure

ADInsight tool

ADS, see alternative data stream

advanced configuration and power interface (ACPI)

advapi32.dll

adware

afd.sys ancillary function driver

alternative data stream (ADS)

Angleton, James Jesus

anti-forensic strategies

AppInit_DLLs registry value

application layer hiding

armoring

ASLR, see address space layout randomization

Atsiv utility

authentication

authorization

autochk.exe

Autodump+ tool

autorunsc.exe tool

AWE, see address windowing extensions

AX general register

B

Barreto, Paulo

basic I/O system (BIOS)

bc debugger command

BCD, see boot configuration data

bcdedit.exe

Bejtlich, Richard

BHO, see browser helper object

binary patching

BIOS parameter block (BPB)

BIOS, see basic I/O system

bl debugger command

Blacklight tool

Blue Pill Project

blue screen of death (BSOD)

Bochs emulator

boot class device driver

boot configuration data (BCD) hive

bootable partition

BootExecute registry value

bootkit

bootmgfw.efi

bootmgr

bootmgr.efi

BOOTVID.DLL

bot herder

botnet

bp debugger command

BP stack frame pointer register

BRADLEY virus

breakpoint

browser helper object (BHO)

BSOD, see blue screen of death

bug check, see blue screen of death

build.exe

bus driver

Butler, Jamie

BX general register

C

C2, see command and control

call gate descriptor

CALL instruction

call table

CALL_GATE_DESCRIPTOR structure

cdb.exe debugger

CDECL calling convention

centralized function dispatching

checksum detection

checksum

clfs.sys driver

CLI instruction

CLIENT_ID structure

cluster

code interleaving

code morphing

collision resistant

COM, see component object model

command and control (C2)

complete memory dump

component object model (COM)

computer forensics

computrace

conforming code segment

control bus

control registers CR0–CR4

conventional memory

covert channel

CPL, see current privilege level

CR0

CR1

CR2

CR3

CR4

crash dump

CrashOnCtrlScroll registry value

CreateToolhelp32Snapshot() routine

CRITICAL_STRUCTURE_CORRUPTION stop code

cross-time diff

cross-view diff

cryptor

CS code segment register

csrss.exe

CTRL+B

CTRL+C

CTRL+R

CTRL+V

current privilege level (CPL)

CX general register

Cygnus hex editor

D

d* debugger command

Dameware Mini Remote Control (DMRC) tool

data aggregation

data bus

data destruction

data encoding

data execution protection (DEP)

data fabrication

data hiding

Data Mule FS tool

data ordering

data transformation

DBG_PRINT macro

DBG_TRACE macro

DbgPrint() routine

dcfldd tool

DCOM, see distributed component object model

dd command

DDefy rootkit

DDoS, see distributed denial of service

debug.exe tool

decryptor

DEF file

default cluster size

deferred procedure call (DPC)

Defiler’s toolkit

demand paged virtual memory

DEP, see data execution protection

DependOnService registry key

descriptor privilege level (DPL)

detour patching

device configuration overlay (DCO)

device IRQL (DIRQL)

device object

DeviceIoControl() routine

dg debugger command

DI data destination index register

Dircon.net

direct jump

direct kernel object manipulation (DKOM)

DIRQL, see device IRQL

discretionary access control list (DACL)

dispatch ID

DISPATCH_LEVEL IRQL

distributed component object model (DCOM)

distributed denial of service (DDoS)

DKOM, see direct kernel object manipulation

DLL, see dynamic-link library

DLL injection

DNS header

DNS label

DNS query format

DNS question

DNS response format

DNS Tunneling

DoReadProc()

DOS extenders

DoWriteProc()

DPC, see deferred procedure call

DPL, see descriptor privilege level

drive slack

driver stack

DRIVER_OBJECT structure

DRIVER_SECTION structure

DriverEntry() routine

drivers.exe tool

dropper

DS data segment register

dt debugger command

dumpbin.exe

DX general register

dynamic-link library (DLL)

E

EAX general register

EBP stack frame pointer register

EBX general register

ECX general register

EDI data destination index register

EDX general register

effective address

EFI, see extensible firmware interface

EFLAGS register

EFS, see Windows Encrypting File System

EIP instruction pointer register

EnCase

EnumerateDevices()

EnumProcessModules() routine

environmental key

environmental subsystem

epilogue detour

EPROCESS structure

Ericsson AXE switches

ES extra segment register

ESI data source index register

ESP stack pointer register

ETHREAD structure

evilize tool

EX_FAST_REF structure

exception

Execryptor tool

exported symbols

extended BIOS parameter block (EBPB)

extended memory

extended partition

extensible firmware interface (EFI)

external interrupt

F

far jump

far pointer

FASTCALL calling convention

fault

fc.exe command

file carving

File Encryption key (FEK)

file insertion and subversion technique (FIST)

File Scavenger Pro

file system analysis

file system attacks

file wiping

FILE_BASIC_INFORMATION structure

FILE_DEVICE_RK

FILE_INFORMATION_CLASS structure

FILE_READ_DATA

FILE_WRITE_DATA

filter driver

findFU program

first-generation forensic copy

FIST, see file insertion and subversion technique

FLAGS register

flat memory model

footprint vs. failover

footprinting

force multiplier

Foremost tool

free build of Windows

free build symbols

FS segment register

F-Secure

FTK

FU rootkit

full content data capture

full symbol file

function driver

FUTo rootkit

G

g debugger command

gate descriptor

gdi32.dll

GDT, see global descriptor table

GDTR register

general protection exception (#GP)

global descriptor table (GDT)

Golden Killah

GoToMyPC tool

gpedit.msc

group policy

GS segment register

gu debugger command

Gutmann, Peter

H

hal.dll

handle.exe tool

HANDLE_TABLE structure

Harbour, Nick

hardware abstraction layer

hardware interrupt

hash function

high memory

HLT instruction

Hoglund, Greg

hooking

host machine

host protected area (HPA)

host-based IDS (HIDS)

hot patch

Hyper-V

I

I/O control code (IOCTL code)

I/O control operation

I/O request packet (IRP)

IA-32, see Intel 32-bit process architecture

IA32_SYSENTER_CS

IA32_SYSENTER_EIP

IA32_SYSENTER_ESP

IA-64, see Intel 64-bit process architecture

IAT, see import address table

IDA Pro

IDS, see intrusion detection system

IDT, see interrupt dispatch table

IDT_DESCRIPTOR structure

IDTR register

ILT

import address table (IAT)

in-band hiding

inlining

in-place patching

INT instruction

intermediate representation (IR)

interrupt descriptor

interrupt dispatch table (IDT)

interrupt gate descriptor

interrupt handler, see interrupt service routine

interrupt

interrupt request level (IRQL)

interrupt service routine (ISR)

interrupt vector

interrupt vector table (IVT)

interrupts, real mode

intrusion detection system (IDS)

intrusion prevention system (IPS)

Ionescu, Alex

IP instruction pointer register

ipconfig.exe tool

IPS, see intrusion prevention system

IRET instruction

IRP, see I/O request packet

IRP_MJ_DEVICE_CONTROL

IRP_MJ_READ

IRP_MJ_WRITE

IRQL, see interrupt request level

isDebuggerPresent() routine

ISR, see interrupt service routine

IVT, see interrupt vector table

J

JMP instruction

John The Ripper

Jones, Keith

K

KAPC_STATE structure

kd.exe debugger

KD_DEBUGGER_NOT_PRESENT

kd1394.dll

kdcom.dll

kdusb.dll

kernel memory dump

kernel mode

kernel patch protection (KPP)

kernel space

kernel32.dll

kernel-mode code signing (KMCS)

kernel-mode driver (KMD)

KeServiceDescriptorTable

KeServiceDescriptorTableShadow

KeSetAffinityThread() routine

KiDebugService() routine

KiEndUnexpectedRange routine

KiFastCallEntry

KiFastSystemCall routine

KiInitialThread symbol

KiServiceTable

KiSystemService() routine

KMCS, see kernel-mode code signing

KMD, see kernel-mode driver

KMode registry value

known bad files

known good files

KnownDLLs registry key

Kornblum, Jesse

KPP, see kernel patch protection

KPROCESS structure

KTHREAD structure

L

Lampson, Butler

layered driver paradigm

LCN, see logical cluster number

LdmSvc, see logical disk management service

LDR_DATA_TABLE_ENTRY structure

LDT, see local descriptor table

LDTR register

Ledin, George

LGDT instruction

LIB file

LIDT instruction

Linchpin Labs

linear address

linear address space

Linux-NTFS project

LIST_ENTRY structure

listDlls.exe tool

little-endian

Liu, Vinnie

live incident response

LiveKD.exe tool

lm debugger command

load-time dynamic linking

local descriptor table (LDT)

local kernel debugging

local security authority subsystem (lsass.exe)

local session manager (lsm.exe)

Locard’s Exchange Principle

logexts.dll

logger.exe tool

logical address

logical cluster number (LCN)

logical disk management service (LdmSvc)

logon user interface host (logonui.exe)

logonsessions.exe tool

logviewer.exe

low memory

lsass.exe, see local security authority subsystem

Ludwig, Mark

M

M42 sub-basement

MAC timestamp

machine specific registers (MSRs)

magic lantern

major function code

MajorFunction array

MANUALLY_INITIATED_CRASH

maskable interrupt

master boot record (MBR)

master file table (MFT)

MBR, see master boot record

MCB, see memory control block

MD5 hash algorithm

MDL, see memory descriptor list

mem.exe

memory control block (MCB)

memory control record

memory descriptor list (MDL)

memory segment

Mental Driller

message compression

message digest

metamorphic code

MetaPHOR

Metasploit Meterpreter

METHOD_BUFFERED

MFT, see master file table

MFT_HEADER structure

miniport driver

miniport NDIS drivers

Miss Identify tool

module

MODULE_ARRAY structure

MODULE_DATA structure

MODULE_LIST structure

Monroe, Matthew

Moore, H.D.

Morris, Robert Tappan

MSC_WARNING_LEVEL macro

MSR, see machine specific registers

Mswsock.dll

MULTICS

N

native API

native application

nbtstat.exe tool

NDIS, see Network Driver Interface Specification

Ndis.sys NDIS library

NDISProt WDK example

near jump

netstat.exe tool

Network Driver Interface Specification (NDIS)

network IDS (NIDS)

network order

network provider interface (NPI)

Nmap tool

nonconforming code segment

nonmaskable interrupt

nonvolatile data

NOP instruction

Norton Ghost

NPI, see network provider interface

NT virtual DOS Machine subsystem

nt!_security_cookie

Nt*() calls

Ntbtlog.txt

NtDeviceIoControlFile

ntdll.dll

ntoskrnl.exe

NtQueryInformationProcess() routine

ntsd.exe debugger

NTSTATUS

null modem cable

null segment descriptor

null segment selector

null.sys driver

O

obfuscation

object ID (OID)

OBJECT_ATTRIBUTES structure

object based OS

offline binary patching

offset address

OID, see object ID

one-way mapping

opaque predicate

Open Watcom

OpenSSH

order of volatility (RFC 3227)

OS/2 subsystem

outlining

out-of-band hiding

P

p debugger command

page directory

page directory base register (PDBR), see CR3

page directory entry (PDE)

page fault exception (#PF)

page frame

page of memory

page table entry (PTE)

page table

Partimage Is Not Ghost tool

partition table

PASSIVE_LEVEL IRQL

pass-through function

PATCH_INFO structure

Patchguard

PDBR register, see CR3

PDE, see page directory entry

PEB, see process environment block

Phrack Magazine

physical address extension (PAE)

physical address

physical address space

PID bruteforce (PIDB)

PING, see Partimage Is Not Ghost tool

pointer arithmetic

polymorphic code

portable executable (PE) file format

POSIX subsystem

potency of code

PowerQuest Partition Table Editor

predicate

primary access token

private symbols

privilege level

process environment block (PEB)

process puppeteering

ProcMon.exe

ProDiscover tool

PROFILE_LEVEL IRQL

program database format (.pdb)

Project Loki

prologue detour

protected mode

PTE, see page table entry

public symbols

Purple Pill

PuTTY

pwdump5 tool

pwn

Q

q debugger command

qttask.exe

R

r debugger command

R/W flag

RAM slack

raw socket

RDMSR instruction

real mode

relative virtual address (RVA)

relay agent

relocatable jump

reordering operations

request privilege level (RPL)

resilient code

resource definition script (.rc file)

retail build symbols

Ring 0 privilege

Ring 3 privilege

rM debugger command

root account

rooting

rootkit

RootkitRevealer tool

Rose, Curtis

rpcnet.exe

RPL, see request privilege level

Runefs tool

running line tactic

runtime binary patching

run-time dynamic linking

runtime executable analysis

Russinovich, Mark

Rutkowska, Joanna

RVA, see relative virtual address

S

sanitizing data

sc.exe

Schreiber, Sven

SCM, see service control manager

SDE structure

SDT structure

second-generation forensic copy

secpol.msc

securable object

security descriptor

Security-Assessment.com

SeDebugPrivilege

SEG_DESCRIPTOR structure

segment descriptor

segment descriptor S field

segment descriptor Type field

segment selector

segmentation, limit check

segmentation, privilege level check

segmentation, restricted instruction checks

segmentation, type check

self-healing rootkit

Selinger, Peter

SEP_TOKEN_PRIVILEGES

service control manager (SCM)

service descriptor table

SERVICE_AUTO_START

SERVICE_BOOT_START

services.exe

services.msc

SetWindowsHookEx() routine

SFSU, see San Francisco State University

SGDT instruction

Shell registry value

short jump

SI data source index register

SIDT instruction

Silberman, Peter

single-stepping

slack space

small memory dump

SMM, see system management mode

smss.exe

SNORT

Sofer, Nir

software interrupt

Sony

SP stack pointer register

Sparks, Sherri

Spector Pro

spoofing

spyware

SQL injection attack

SS stack segment register

SSDT, see system service dispatch table

SSN, see system service number

SSPT, see system service parameter table

SST, see system service table

static executable analysis

STDCALL calling convention

stealth malware

Stevens, Marc

stoned virus

Strider GhostBuster tool

strings.exe tool

stripped symbol file

stub program

SubVirt rootkit

Sun Tzu

SUS, see Microsoft software Update Service

symbol files

symbolic link

symchk.exe tool

SYSENTER instruction

sysinternals suite

SYSTEM account

system call interface

system management mode (SMM)

SYSTEM registry hive

system service dispatch table (SSDT)

system service dispatcher, see KiSystemService

system service number (SSN)

system service parameter table (SSPT)

system service table (SST)

System Volume Information directory

system volume

T

t debugger command

target machine

TCPView.exe tool

TDI, see transport driver interface

Team WzM

TEB, see thread environment block

terminate and stay resident program (TSR)

TF trap flag

The grugq

The Sleuth Kit (TSK)

Thompson, Irby

thread environment block (TEB)

Token field

touch.exe

trampoline

transport address

transport driver interface (TDI)

trap

trap gate descriptor

TSR, see terminate and stay resident program

U

u debugger command

U/S flag

Ultimate Packer for eXecutables (UPX)

UMA, see upper memory area

UMBs, see upper memory blocks

Uninformed.org

UniqueProcessId field

upper memory area (UMA)

upper memory blocks (UMBs)

UPX, see Ultimate Packer for eXecutables

user mode Client-Server runtime subsystem, see csrss.exe

user mode

user space

UserInit registry value

userinit.exe

V

VBR, see volume boot record

VERSIONINFO resource statement

virtual address

virtual address space

virus

Vitriol rootkit

VMware

Vodafone-Panafon

volatile data

volume boot record (VBR)

W

wget tool

Whirlpool hash algorithm

Whirlpooldeep tool

win32 subsystem

windbg.exe debugger

windowing

Windows Automated Installation Kit (WAIK)

Windows boot loader, see winload.exe

Windows calling conventions

Windows Driver Framework (WDF)

Windows Driver Kit (WDK)

Windows Driver Model (WDM)

Windows Encrypting File System (EFS)

Windows loader

Windows on Windows (WOW) subsystem

Windows SDK

Windows Services for Unix (SFU) subsystem

Windows Sockets 2 API

Windows subsystem

Windows volume boot record

wininit.exe

winload.exe

winlogon.exe

WinMerge

winobj.exe tool

Winsock Kernel API (WSK)

Winsock, see Windows Sockets 2 API

WireShark tool

worm

WRMSR instruction

WSK, see Winsock Kernel API

Ws2_32.dll

X

x debugger command

Z

Zango Hotbar

zombie

Zovi, Dino

Zw*() calls