Purchased Rootkits | Subverting the Windows Kernel

A month ago I bought Rootkits: Subverting the Windows Kernel by Greg Hoglund and James Butler, and I find it superb.  If you are a rootkit developer or looking to be one, this is a must-have book that you need to get hold of.  It teaches you generally the stuff you want to learn, such as hiding processes, files and directories, the registry and lots more.  Conquering the kernel level as well as beating up antiviruses are among the topics that are discussed!  Recently I have been busy with my final year, so I hope I can find time to post some useful articles.

Protecting by hooking ZwOpenProcess

Want to know how antivirus products and rootkits protect themselves from being terminated? You might have tried running Windows Task Manager and found it impossible to kill avp.exe from Kaspersky. This is because the process is protected from a higher privilege level, the kernel.  This article assumes that you know how to write drivers using the Windows Driver Kit.

Article: http://unlmtd.wordpress.com/2007/07/27/protecting-by-hooking-zwopenprocess/

Creating your own driver loader in C | Driver Loader | Source Code | Rootkit

Technically, there are two ways of loading a rootkit according to Greg Hoglund when he wrote the book Rootkits: Subverting the Windows Kernel.  One is called The Quick-And-Dirty Way to Load a Driver.  This method allows you to “load a driver into the kernel without having to create any registry keys.  “Pageable” refers to memory that can be swapped to disk. If a driver is pageable, any part of the driver could be paged out (that is, swapped from memory to disk). Sometimes when memory is paged out, it cannot be accessed; an attempt to do so will result in the infamous Blue Screen of Death (a system crash)” by using an undocumented API call.

Rootkits | Subverting the Windows Kernel

Are you a programmer who loves to design malicious applications?  Do you find that the malicious applications you have made are easily detected by anti-virus software (oh come on, Fully Undetectable (FUD) isn’t going to last long)?  Do you know the difference between user and kernel space?  Ever wanted to be able to stay on the same level as the anti-virus, as well as get rid of it?

Take yourself to a whole new level by learning how to develop a rootkit!