The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

    Posted by: Myanmar Ebook Store

    Part I: Foundations
    Chapter 1 Empty Cup Mind
    1.1 An Uninvited Guest
    1.2 Distilling a More Precise Definition
    1.3 Rootkits != Malware
    1.4 Who Is Building and Using Rootkits?
    1.5 Tales from the Crypt: Battlefield Triage
    1.6 Conclusions

    Chapter 2 Overview of Anti-Forensics
    2.1 Incident Response
    2.2 Computer Forensics
    2.3 AF Strategies
    2.4 General Advice for AF Techniques
    2.5 John Doe Has the Upper Hand
    2.6 Conclusions

    Chapter 3 Hardware Briefing
    3.1 Physical Memory
    3.2 IA-32 Memory Models
    3.3 Real Mode
    3.4 Protected Mode
    3.5 Implementing Memory Protection
    Summary

    Chapter 4 System Briefing
    4.1 Physical Memory under Windows
    4.2 Segmentation and Paging under Windows
    4.3 User Space and Kernel Space
    4.4 User Mode and Kernel Mode
    4.5 Other Memory Protection Features
    4.6 The Native API
    4.7 The Boot Process
    4.8 Design Decisions

    Chapter 5 Tools of the Trade
    5.1 Development Tools
    5.2 Debuggers
    5.3 The KD.exe Kernel Debugger

    Chapter 6 Life in Kernel Space
    6.1 A KMD Template
    6.2 Loading a KMD
    6.3 The Service Control Manager
    6.4 Using an Export Driver
    6.5 Leveraging an Exploit in the Kernel
    6.6 Windows Kernel-Mode Security
    6.7 Synchronization
    6.8 Conclusions

    Part II: Postmortem
    Chapter 7 Defeating Disk Analysis
    7.1 Postmortem Investigation: An Overview
    7.2 Forensic Duplication
    7.3 Volume Analysis
    7.4 File System Analysis
    7.5 File Signature Analysis
    7.6 Conclusions

    Chapter 8 Defeating Executable Analysis
    8.1 Static Analysis
    8.2 Subverting Static Analysis
    8.3 Runtime Analysis
    8.4 Subverting Runtime Analysis
    8.5 Conclusions

    Part III: Live Response
    Chapter 9 Defeating Live Response
    9.1 Live Incident Response: The Basic Process
    9.2 User-Mode Loaders (UMLs)
    9.3 Minimizing Loader Footprint
    9.4 The Argument Against Stand-Alone PE Loaders

    Chapter 10 Building Shellcode in C
    10.1 User-Mode Shellcode
    10.2 Kernel-Mode Shellcode
    10.3 Special Weapons and Tactics
    10.4 Looking Ahead

    Chapter 11 Modifying Call Tables
    11.1 Hooking in User Space: The IAT
    11.2 Call Tables in Kernel Space
    11.3 Hooking the IDT
    11.4 Hooking Processor MSRs
    11.5 Hooking the SSDT
    11.6 Hooking IRP Handlers
    11.7 Hooking the GDT: Installing a Call Gate
    11.8 Hooking Countermeasures
    11.9 Counter-Countermeasures

    Chapter 12 Modifying Code
    12.1 Tracing Calls
    12.2 Subverting Group Policy
    12.3 Bypassing Kernel-Mode API Loggers
    12.4 Instruction Patching Countermeasures

    Chapter 13 Modifying Kernel Objects
    13.1 The Cost of Invisibility
    13.2 Revisiting the EPROCESS Object
    13.3 The DRIVER_SECTION Object
    13.4 The Token Object
    13.5 Hiding a Process
    13.6 Hiding a Driver
    13.7 Manipulating the Access Token
    13.8 Using No-FU
    13.9 Kernel-Mode Callbacks
    13.10 Countermeasures
    13.11 Counter-Countermeasures

    Chapter 14 Covert Channels
    14.1 Common Malware Channels
    14.2 Worst-Case Scenario: Full Content Data Capture
    14.3 The Windows TCP/IP Stack
    14.4 DNS Tunneling
    14.5 DNS Tunneling: User Mode
    14.6 DNS Tunneling: WSK Implementation
    14.7 NDIS Protocol Drivers
    14.8 Passive Covert Channels

    Chapter 15 Going Out-of-Band
    15.1 Additional Processor Modes
    15.2 Firmware
    15.3 Lights-Out Management Facilities
    15.4 Less Obvious Alternatives
    15.5 Conclusions

    Part IV: Summation
    Chapter 16 The Tao of Rootkits
    16.1 Core Stratagems
    16.2 Identifying Hidden Doors
    16.3 Architectural Precepts
    16.4 Engineering a Rootkit
    16.5 Dealing with an Infestation

    Index
