Chapter 15  Going Out-of-Band


Our quest to foil postmortem analysis led us to opt for memory-resident tools. Likewise, in an effort to evade memory carving tools at runtime, we decided to implement our rootkit using kernel-mode shellcode. Nevertheless, in order to score some CPU time, somewhere along the line we’ll have to modify the targeted operating system so that we can embezzle a few CPU cycles. To this end, the options we have at our disposal range from sophomoric to subtle (see Table 15.1).

Table 15.1 Ways to Capture CPU Time

Strategy                  Tactic             Elements Altered
Modify static elements    Hooking            IAT, SSDT, GDT, IDT, MSRs
                          In-place patching  System calls, driver routines
                          Detour patching    System calls, driver routines
Modify dynamic elements   ...
