Wrox Programmer Forums

Need to download code?

View our list of code downloads.

Go Back   Wrox Programmer Forums > Other Programming > BOOK: Professional Rootkits ISBN: 978-0-470-10154-4
Password Reminder
Register | FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read
BOOK: Professional Rootkits ISBN: 978-0-470-10154-4
This is the forum to discuss the Wrox book Professional Rootkits by Ric Vieler; ISBN: 9780470101544
Welcome to the p2p.wrox.com Forums.

You are currently viewing the BOOK: Professional Rootkits ISBN: 978-0-470-10154-4 section of the Wrox Programmer to Programmer discussions. This is a community of tens of thousands of software programmers and website developers including Wrox book authors and readers. As a guest, you can read any forum posting. By joining today you can post your own programming questions, respond to other developersí questions, and eliminate the ads that are displayed to guests. Registration is fast, simple and absolutely free .
DRM-free e-books 300x50
Thread Tools Display Modes
  #1 (permalink)  
Old January 20th, 2010, 03:37 AM
Registered User
Join Date: Jan 2010
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Lightbulb CH1 unidentified struct _DRIVER_DATA identified.

So I was digging around trying to identify the unknown data structure that we try to duplicate in CH2, pg. 10 and may have come across the actual windows structure that this is trying to simulate.

typedef struct _DRIVER_DATA
	LIST_ENTRY listEntry;
	DWORD dwUnknown1;
	DWORD dwUnknown2;
	DWORD dwUnknown3;
	DWORD dwUnknown4;
	DWORD dwUnknown5;
	DWORD dwUnknown6;
	DWORD dwUnknown7;
This is not the only book to reference this structure pointed to by DRIVER_OBJECT.DriverSection (at 0x014). Rootkits Subverting the Windows Kernel also references the structure in CH 7, pg 186.
typedef struct _MODULE_ENTRY
	LIST_ENTRY module_list_entry;
	DWORD Unknown1[4];
	DWORD base;
	DWORD driver_start;
	DWORD unknown2;
	UNICODE_STRING driver_Path;
	UNICODE_STRING driver_Name;
So I came across this obscure reference in a paper called GREPEXEC: Grepping Executive Objects from Pool Memory by Chris from bugcheck.org on May 30, 2006 in section 4.4.3, pg. 12 that claims the DRIVER_OBJECT.DriverSection (at 0x014) actually points to NT!_LDR_DATA_TABLE_ENTRY.

WinDbg shows that this structure consists of:
1: kd> dt nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY
   +0x008 InMemoryOrderLinks : _LIST_ENTRY
   +0x010 InInitializationOrderLinks : _LIST_ENTRY
   +0x018 DllBase          : Ptr32 Void
   +0x01c EntryPoint       : Ptr32 Void
   +0x020 SizeOfImage      : Uint4B
   +0x024 FullDllName      : _UNICODE_STRING
   +0x02c BaseDllName      : _UNICODE_STRING
   +0x034 Flags            : Uint4B
   +0x038 LoadCount        : Uint2B
   +0x03a TlsIndex         : Uint2B
   +0x03c HashLinks        : _LIST_ENTRY
   +0x03c SectionPointer   : Ptr32 Void
   +0x040 CheckSum         : Uint4B
   +0x044 TimeDateStamp    : Uint4B
   +0x044 LoadedImports    : Ptr32 Void
   +0x048 EntryPointActivationContext : Ptr32 Void
   +0x04c PatchInformation : Ptr32 Void
Everything seems to match up correctly. I wanted to test this new struct in place of _DRIVER_DATA or MODULE_ENTRY, but I was unsure what type to define Uint2B and Uint4B as. I believe they are unsigned ints but that is where I am stuck. Any ideas?

I thought Ric Vieler could use this information to update his book (online and in any future releases).
Reply With Quote
  #2 (permalink)  
Old January 20th, 2010, 04:20 AM
Registered User
Join Date: Jan 2010
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Talking Confirmed!

Ok, so I was thinking too hard about the datatypes. Here is the complete structure:
typedef unsigned char BYTE, *PBYTE, *LPBYTE;
typedef int BOOL, *PBOOL, *LPBOOL;
typedef unsigned long DWORD, *PDWORD, *LPDWORD;
typedef unsigned long ULONG, *PULONG;
typedef unsigned short WORD, *PWORD, *LPWORD;
typedef char TCHAR;
typedef void *PVOID;
typedef unsigned short UINT2;
typedef unsigned int UINT4;

   LIST_ENTRY InLoadOrderLinks;
   LIST_ENTRY InMemoryOrderLinks;
   LIST_ENTRY InInitializationOrderLinks;
   PVOID DllBase;
   PVOID EntryPoint;
   UINT4 SizeOfImage;
   UINT4 Flags;
   UINT2 LoadCount;
   UINT2 TlsIndex;
   LIST_ENTRY HashLinks;
   PVOID SectionPointer;
   UINT4 CheckSum;
   UINT4 TimeDateStamp;
   PVOID LoadedImports;
   PVOID EntryPointActivationContext;
   PVOID PatchInformation;
In WinDBG I left the existing Driver_Data struct and compared it with the new struct. They point to the same information and its correctly filled out for all entries in the new struct! YAY!

I'd love to hear from some of the more experienced rootkit writers if there are other methods to make a rootkit driver disapear more securely with this newly identified complete structure.
Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
ch1 userId nativerun BOOK: PHP and MySQL: Create-Modify-Reuse ISBN: 978-0-470-19242-9 3 January 15th, 2010 07:38 AM
Possible Error? - CH1 Regiser.php ArthurDent BOOK: PHP and MySQL: Create-Modify-Reuse ISBN: 978-0-470-19242-9 2 August 12th, 2008 02:50 AM
Ch1, why using CollectionBase class? NewTitle2007 BOOK: ASP.NET 2.0 Instant Results ISBN: 978-0-471-74951-6 3 August 5th, 2007 06:32 AM
An unidentified error has occured p2ptolu MySQL 0 October 28th, 2005 07:40 AM
A unidentified error has occured. malachany Dreamweaver (all versions) 6 February 4th, 2005 09:31 AM

All times are GMT -4. The time now is 12:10 PM.

Powered by vBulletin®
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
© 2013 John Wiley & Sons, Inc.