Chapter 15 Going Out-of-Band
Our quest to foil postmortem analysis led us to opt for memory-resident tools. Likewise, in an effort to evade memory carving tools at runtime, we decided to implement our rootkit using kernel-mode shellcode. Nevertheless, in order to score some CPU time, somewhere along the line we’ll have to modify the targeted operating system so that we can embezzle a few CPU cycles. To this end, the options we have at our disposal range from sophomoric to subtle (see Table 15.1).
Table 15.1 Ways to Capture CPU Time
| Strategy | Tactic | Elements Altered |
| Modify static elements | Hooking | IAT, SSDT, GDT, IDT, MSRs |
| In-place patching | System calls, driver routines | |
| Detour patching | System calls, driver routines | |
| Modify dynamic elements ... |
Get The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
