Hi.
Since I was unable to acquire a user-mode RK for x64, I decided to give kernel-land RKs a try.
At home I then found a book from 2006, "Rootkits: Subverting the Windows Kernel", written by James Butler and Greg Hoglund.
However, I have recently read some facts about the new Kernel Patch Guard in x64 OSs, and now I doubt whether some of the rootkit techniques described in that book still work. These are:
- Kernel hooks on the GDT, LDT, SSDT and IDT tables (this is surely going to lead to a bug check, see http://msdn.microsoft.com/en-us/windows ... 87350.aspx)
- Runtime patching (does this also count as kernel patching?)
- DKOM (I would say that DKOM is of course a kind of kernel patching, isn't it?)
But this guy thinks differently about it:
tzuk wrote:(Read about DKOM rootkits to see that rootkits do not need to patch the kernel to hide their processes. PatchGuard does not protect system data areas and a rootkit can simply "delete" the information associated with its processes. It will still execute, just won't show up in Task Manager.)
So which techniques am I still allowed to use for hiding files, drivers or processes without getting a CRITICAL_STRUCTURE_CORRUPTION bug check? (It's obvious that DKOM, for example, cannot be used for hiding files.)
And if you, EP_0XFF, read this: I don't know why you threw my previous post, into which I put a lot of effort, into the trashcan as if I had been asking "eh guys tell me how to build an undetectable super VIRII!!!!". I don't want to comment on that. But please, PLEASE, don't blast this one away, or at least don't blast it away without giving me any constructive criticism about what I've done wrong. Thank you.
Maybe someone knows a good book regarding rootkits which is up to date and takes Microsoft's Patch Guard into account?
Or a website that is worth reading?
Best regards
Microwave
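The DKOM process-hiding technique that tzuk's quote describes, as an added example that is not part of the original post, the book, or tzuk's reply. It is a user-mode C simulation: MOCK_EPROCESS, the three sample processes, run_demo and the PID-table cross-view are all constructed here for illustration, and only mimic the shape of the Windows LIST_ENTRY / EPROCESS.ActiveProcessLinks chain (the real field layout is version-specific and not reproduced). The point it shows is why this is data modification rather than kernel patching, why the unlinked entry is made to point at itself, and why a detector that compares two views still finds the process.

```c
/* Added example, not code from the book or the post: a user-mode simulation
 * of DKOM process hiding. MOCK_EPROCESS is a hypothetical structure that only
 * mimics the shape of the Windows list; it is not the real EPROCESS layout. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Mock EPROCESS with only the fields the example needs (assumed layout). */
typedef struct _MOCK_EPROCESS {
    unsigned long UniqueProcessId;
    char ImageFileName[16];
    LIST_ENTRY ActiveProcessLinks;   /* links into the PsActiveProcessHead chain */
} MOCK_EPROCESS;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* DKOM hide: unlink the process from the active-process list. Only a data
 * structure changes, no code and no protected table, which is why this falls
 * outside what PatchGuard verifies. Pointing Flink/Blink back at the entry
 * itself is the classic safety step: when the process later exits, the
 * kernel's own RemoveEntryList writes through entry->Flink->Blink and
 * entry->Blink->Flink; stale neighbour pointers would corrupt the list. */
static void dkom_hide_process(MOCK_EPROCESS *proc) {
    LIST_ENTRY *e = &proc->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e;
    e->Blink = e;
}

/* The view Task Manager effectively gets: a walk of the list.
 * Writes up to max PIDs into out and returns how many were seen. */
static size_t walk_active_process_list(LIST_ENTRY *head, unsigned long *out, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink) {
        MOCK_EPROCESS *p = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks);
        out[n++] = p->UniqueProcessId;
    }
    return n;
}

/* Cross-view check a detector runs: compare the list walk with an independent
 * enumeration (a mock PID table here; real tools use the handle table,
 * scheduler structures or a brute-force PID scan). Returns the number of
 * processes present in the table but missing from the list. */
static size_t cross_view_hidden_count(LIST_ENTRY *head, MOCK_EPROCESS **pid_table, size_t table_len) {
    unsigned long seen[64];
    size_t n = walk_active_process_list(head, seen, 64);
    size_t hidden = 0;
    for (size_t i = 0; i < table_len; i++) {
        int found = 0;
        for (size_t j = 0; j < n; j++)
            if (seen[j] == pid_table[i]->UniqueProcessId) { found = 1; break; }
        if (!found) hidden++;
    }
    return hidden;
}

typedef struct { size_t visible_before; size_t visible_after; size_t hidden_detected; int self_linked; } DEMO_RESULT;

/* Constructed scenario: three processes, the third one gets hidden. */
static DEMO_RESULT run_demo(void) {
    LIST_ENTRY PsActiveProcessHead;
    MOCK_EPROCESS procs[3];
    MOCK_EPROCESS *pid_table[3];
    unsigned long pids[8];
    DEMO_RESULT r;
    const char *names[3] = { "System", "explorer.exe", "rootkit.exe" };  /* sample data */
    const unsigned long ids[3] = { 4, 1204, 1337 };

    InitializeListHead(&PsActiveProcessHead);
    for (int i = 0; i < 3; i++) {
        procs[i].UniqueProcessId = ids[i];
        strncpy(procs[i].ImageFileName, names[i], sizeof procs[i].ImageFileName - 1);
        procs[i].ImageFileName[sizeof procs[i].ImageFileName - 1] = '\0';
        InsertTailList(&PsActiveProcessHead, &procs[i].ActiveProcessLinks);
        pid_table[i] = &procs[i];
    }
    r.visible_before = walk_active_process_list(&PsActiveProcessHead, pids, 8);
    dkom_hide_process(&procs[2]);
    r.visible_after = walk_active_process_list(&PsActiveProcessHead, pids, 8);
    r.hidden_detected = cross_view_hidden_count(&PsActiveProcessHead, pid_table, 3);
    r.self_linked = (procs[2].ActiveProcessLinks.Flink == &procs[2].ActiveProcessLinks &&
                     procs[2].ActiveProcessLinks.Blink == &procs[2].ActiveProcessLinks);
    return r;
}

int main(void) {
    DEMO_RESULT r = run_demo();
    printf("visible before hide: %zu, after: %zu, cross-view hidden: %zu, self-linked: %d\n",
           r.visible_before, r.visible_after, r.hidden_detected, r.self_linked);
    return 0;
}
```

The walk drops to two entries after the unlink while the process object still exists, which is the behaviour tzuk describes: nothing the kernel schedules depends on that list. The same property is the caveat: any tool that enumerates processes by a second path and diffs the two views reports the missing PID, so unlinking defeats list-based enumeration only, not cross-view detection.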