Source: rootkit_com Author: Clandestiny translation: fqh
"Help! I'm a newbie! I need a rootkit to hack my friend's machine ... I want to write my own rootkit ... I want to start developing code ... Where do I start?"
Questions like these come up on rootkit.com all the time, and answering the same ones over and over takes a lot of time, so I thought we should put together a short document that gives a general overview. The discussion below is far from complete, and experienced members of the community are welcome to suggest additions.
So you want to know where to start? Well, first of all: if you came here looking for a ready-made way to break into your friend's machine, you have come to the wrong place! Rootkit.com is primarily a knowledge site that publishes information about rootkit development and related programming articles. If, on the other hand, you are a newcomer who wants to learn how to write your own rootkit and needs some advice on how to begin, read on ... Unfortunately, rootkit development, like any software development, has quite a few prerequisites you must master first:
1. First, you have to learn a programming language. C/C++ is the best choice. Unlike most other languages, C lets you embed assembly language. Although most programmers rarely use assembly, rootkit development sometimes requires the flexibility assembly provides, so x86 assembly should be your secondary programming language. Randall Hyde's "The Art of Assembly" is one of the best references; it is available both in print and as an e-book.
"The Art of Assembly" can be downloaded from
Http://webster.cs.cr.edu/aoa/dos/
2. You need to learn some operating-system theory. A university course on operating-system design is not required, but reading a few chapters of a university computer-science textbook on the subject is worthwhile. In particular, you must understand processes, threads, memory management and similar topics.
Two good books are:
"Operating System Concepts", Silberschatz, Galvin, and Gagne
"Operating Systems", Deitel & Deitel
3. You have to apply that theory and understand how a real-world operating system actually works. Although Windows is not open source, many experts have spent a great deal of effort reverse engineering how the kernel works and have published their findings. Books of this kind include "Undocumented Windows 2000 Secrets" by Sven Schreiber, and "Undocumented Windows NT" by Prasad Dabak, Milind Borate, and Sandeep Phadke.
4. If you want to develop a kernel rootkit, you have to learn how to write a kernel-mode driver (KMD). Unfortunately, there is very little material about kernel programming on the Internet. However, Four-F has written several good Win32 assembly tutorials on the subject, which can be found at
Http://www.assembly-journal.com/sitemap.php. There are also some books: "The Windows 2000 Device Driver Book" by Art Baker and Jerry Lozano, and "Programming the Microsoft Windows Driver Model" by Walter Oney.
5. Learn the basics of reverse code analysis, that is, understanding how a binary works when you have no source code for it. Reversing software protection mechanisms (serial numbers, time checks, packers, disabled demo features, etc.) is an entertaining way to develop this skill. Many programmers write small programs specifically for this kind of practice; they are called "crackmes" and "reversemes", and you can use them to train. Large collections of such programs are available at http://www.crackmes.de and
http://www.reversemes.de.
Http://www.woodmann.com has a large number of excellent resources on reverse engineering.
Http://bib.Universitas-virtualis.org/ also has several excellent tutorials and articles. Reverse analysis requires some specialised tools, namely disassemblers and debuggers. IDA Pro is the disassembler of choice; SoftICE (a kernel-mode debugger) and OllyDbg are widely used debuggers. A wide range of other such tools can be found at
Http://protools.cjb.net
6. Finally, this site discusses exploitation tools and rootkits. If you want to understand them, I recommend Greg Hoglund's "Exploiting Software" (Hoglund runs this site) and "The Shellcoder's Handbook". Both will give you a very good introduction. "Exploiting Software" has a chapter that introduces basic rootkit techniques. Broadly, based on how they intercept data, rootkits fall into two categories: those that use hooking and those that use Direct Kernel Object Manipulation (DKOM). To understand hooking techniques, the following links may be helpful.
API Spying Techniques
http://www.internals.com/articles/apispy/apispy.htm
Advanced Function Hooking
http://www.phrack.org/show.php?p=58&a=8
Windows NT Service Table Hooking
http://www.wiretapped.net/~fyre/sst.html
Hooking Windows NT System Services
http://www.windowsitlibrary.com/content/356/06/2.html
Windows NT System-Call Hooking
http://www.ddj.com/articles/1997/9701/
To understand DKOM, read the source code of the FU rootkit written by fuzen_op, which is available on this site.