
Intended Audience

In the document Rootkit Arsenal (Page 25-32)

When I was first considering the idea of writing about rootkits, someone asked me: "Aren't you worried that you'll be helping the bad guys?" The answer to this question is a resounding "NO." The bad guys already know this stuff. It's the average system administrator who needs to appreciate just how potent rootkit technology can be. Trying to secure the Internet by limiting access to potentially dangerous information is a recipe for disaster.

Ultimately, I'm a broker. What I have to offer in this book is ideas and source code examples. What you choose to do with them is your business.

Prerequisites

For several decades now, the standard language for operating system implementation has been C. It started with UNIX in the 1970s and Darwinian forces have taken over from there. Hence, people who pick up this book will need to be fluent in C. Granted there will be a load of material related to device driver development, some x86 assembler, and a modicum of system-level APIs. It's inescapable. Nevertheless, if I do my job as an author all you'll really only need to know C. Don't turn tail and run away if you spot something you don't recognize, I'll be with you every step of the way.

Conventions

In this book, the Consolas font is used to indicate text that is one of the following:

• Source code

• Console output

• A numeric or string constant

• Filename

• Registry key name or value name

Preface: Metadata

I've tried to distinguish source code and console output from regular text using a grey background. In some cases, particularly important items are highlighted in black. If an output listing is partial, in the interest of saving space, I've tried to indicate this using three trailing periods.

int level;

level = 5;

level++; //this is really important code, it's highlighted

/*

This is a really long comment. It goes on and on ...

*/

Registry names have been abbreviated according to the following standard conventions:

HKEY_LOCAL_MACHINE = HKLM

HKEY_CURRENT_USER = HKCU

Registry keys are indicated by a trailing backslash. Registry key values are not suffixed with a backslash.

HKLM\SYSTEM\CurrentControlSet\Services\NetBIOS\

HKLM\SYSTEM\CurrentControlSet\Services\NetBIOS\ImagePath

Words will appear in italic font in this book for the following reasons:

• When defining new terms

• To place emphasis on an important concept

• When quoting another source

• When citing a source

Numeric values appear throughout the book in a couple of different formats.

Hexadecimal values are indicated by either prefixing them with "0x" or appending "H" to the end. Source code written in C tends to use the former and IA-32 assembly code tends to use the latter.

0xFF92 0FF92H

Binary values are indicated either explicitly or implicitly by appending the letter "B". You'll see this sort of notation primarily in assembly code.

0110111B
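The numeric notations and the registry abbreviations described above are easy to misread when copying values out of a listing into a script, so the following added example (not code from the book or its author) parses all three numeric forms into integers and expands the abbreviated registry paths into their full hive names, classifying each path as a key or a value by the trailing-backslash rule. The function names parse_number and expand_registry_path, the HIVE_ABBREVIATIONS table, and the sample inputs are assumptions constructed for this example.

```python
import re

# Hive abbreviations used in the book (HKLM / HKCU), mapped to the full hive names.
HIVE_ABBREVIATIONS = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
}


def parse_number(token: str) -> int:
    """Parse a number written in any of the book's notations.

    "0xFF92"   -> hexadecimal, C-style "0x" prefix
    "0FF92H"   -> hexadecimal, IA-32 assembler-style "H" suffix
    "0110111B" -> binary, assembler-style "B" suffix
    "42"       -> plain decimal
    """
    t = token.strip()
    if re.fullmatch(r"0[xX][0-9A-Fa-f]+", t):
        return int(t[2:], 16)
    # The H-suffix form is checked before the B-suffix form so that a hex
    # literal such as "1BH" is not mistaken for a binary literal.
    if re.fullmatch(r"[0-9][0-9A-Fa-f]*[hH]", t):
        return int(t[:-1], 16)
    if re.fullmatch(r"[01]+[bB]", t):
        return int(t[:-1], 2)
    if re.fullmatch(r"[0-9]+", t):
        return int(t, 10)
    raise ValueError(f"unrecognised numeric notation: {token!r}")


def expand_registry_path(path: str) -> dict:
    """Expand an abbreviated registry path and classify it as a key or a value.

    Per the book's convention, a trailing backslash marks a key; a path without
    one names a value, whose last component is the value name.
    """
    hive, _, rest = path.partition("\\")
    if hive not in HIVE_ABBREVIATIONS:
        raise ValueError(f"unknown hive abbreviation: {hive!r}")
    full_hive = HIVE_ABBREVIATIONS[hive]

    if path.endswith("\\"):
        key_path = rest.rstrip("\\")
        key = full_hive + ("\\" + key_path if key_path else "")
        return {"kind": "key", "key": key, "value_name": None}

    key_path, _, value_name = rest.rpartition("\\")
    key = full_hive + ("\\" + key_path if key_path else "")
    return {"kind": "value", "key": key, "value_name": value_name}


if __name__ == "__main__":
    # Constructed sample inputs taken from the conventions described above.
    for tok in ("0xFF92", "0FF92H", "0110111B", "42"):
        print(f"{tok:>10} -> {parse_number(tok)}")
    for p in ("HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBIOS\\",
              "HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBIOS\\ImagePath"):
        print(expand_registry_path(p))
```

The two hexadecimal spellings of the same value resolve to the same integer, and the two NetBIOS paths resolve to the same key, differing only in whether a value name (ImagePath) is attached.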


Acknowledgments

As with many things in life, this book is the culmination of many outwardly unrelated events. In my mind, this book has its origins back in December of 1999 while I was snowed in during a record-breaking winter storm in Minneapolis. Surfing at random, I happened upon Greg Hoglund's article in Phrack magazine, "A *REAL* NT Rootkit, patching the NT Kernel." Though I'll admit that much of the article was beyond me at the time, it definitely planted a seed that grew over time.

Without a doubt, this book owes a debt of gratitude to pioneers like Greg who explored the far corners of the matrix and then generously took the time to share what they learned with others. I'm talking about researchers like Sven Schreiber, Mark Ludwig, Joanna Rutkowska, Mark Russinovich, Jamie Butler, Sherri Sparks, Vinnie Liu, H.D. Moore, the Kumar tag-team over at NVlabs, Crazylord, and the grugq. A great deal of what I've done in this book builds on the publicly available foundation of knowledge that these people left behind, and I feel obliged to give credit where it's due. I only hope this book does the material justice.

On the other side of the great divide, I'd like to extend my thanks to Richard Bejtlich, Harlan Carvey, Keith Jones, and Curtis Rose for their contributions to the field of computer forensics. The books that these guys wrote have helped to establish a realistic framework for dealing with incidents in the wild. An analyst who is schooled in this framework, and has the discipline to follow the processes that it lays out, will prove a worthy adversary to even the most skilled attacker.

During my initial trial by fire at San Francisco State University, an admin by the name of Alex Keller was kind enough to give me my first real exposure to battlefield triage on our domain controllers. For several hours I sat shotgun with Alex as he explained what he was doing and why. It was an excellent introduction by a system operator who really knows his stuff. Thanks again, Alex, for lending your expertise when you didn't have to, and for taking the heat when your superiors found out that you had.

As usual, greetings are also in order. I'd like to start with a shout out to the CHHS IT Think Tank at SFSU (Dan Rosenthal, David Vueve, Dylan Mooney, Jonathan Davis, and Kenn Lau). When it comes to Counter-Strike, those mopes down at the Hoover Institute have nothing on us! I'd particularly like to give my respects to the Notorious Lucas Ford, our fearless leader and official envoy to Las Vegas; a hacker in the original sense of the word. Mad props also go to Martin Masters, our covertly funded sleeper cell over in the SFSU Department of Information Technology. Don't worry, Marty; your secret is safe with me.

Going back some fifteen years, I'd like to thank Danny Solow, who taught me how to code in C and inspired me to push forward and learn Intel assembly code. Thanks and greetings also go out to Rick Chapman, my handler in Connecticut and the man who lived to tell of his night at Noorda's Nightmare.

George Matkovitz is a troublemaker of a different sort, a veteran of Control Data and a walking history lesson. If you wander the halls of Lawson Software late at night, legend has it that you will still hear his shrill Hungarian battle cry: "God damn Bill Gates, son-of-a-bitch. NT bastards!"

Last, but not least, I'd like to give thanks to Tim McEvoy, Martha McCuller, and all of the other hardworking folks at Wordware for making this book happen.

0(eX),

Reverend Bill Blunden www.belowgotham.com


Part I Foundations

Chapter 1 Setting the Stage

Chapter 2 Into the Catacombs: IA-32

Chapter 3 Windows System Architecture

Chapter 4 Rootkit Basics


Chapter 1

01010010, 01101111, 01101111, 01110100, 01101011, 01101001, 01110100, 01110011, 00100000, 01000011, 01001000, 00110001
