Tools: Sysinternals Suite (Procmon, Process Explorer), Regmon, Regshot, PEview, SysTracer.
History: 1982 Siberian pipeline sabotage; 2001 Magic Lantern; 2005 Sony BMG copy-protection rootkit scandal, involving the digital rights management software called Extended Copy Protection (XCP), reported by Mark Russinovich; 2004–2005 Greek wiretapping case; Rootkit.Duqu.A.
A rootkit is just a technology for subverting the standard operating system. The design goals of a rootkit are to provide three services: 1> remote access, 2> monitoring, 3> concealment.
Real mode: ring 3; MS-DOS kernel; Interrupt Service Routines (ISRs) and the Interrupt Vector Table (IVT).
Protected mode: ring 0. The OS loads in protected mode, called ring 0 or OS kernel mode; the unprivileged area is called ring 3 or user mode.
Hooked replacement for NtQuerySystemInformation (installed by the SSDT hook described below); the body shown in these notes only inspects the first process record:

NTSTATUS HookedNtQuerySystemInformation(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength)
{
    /* Call the original NtQuerySystemInformation through the address saved
       before the SSDT entry was overwritten. */
    NTSTATUS result = OriginalNtQuerySystemInformation(SystemInformationClass,
                          SystemInformation, SystemInformationLength, ReturnLength);

    /* Only process-list queries fill the buffer with SYSTEM_PROCESS_INFORMATION
       records; other information classes must be passed through untouched. */
    if (NT_SUCCESS(result) && SystemInformationClass == SystemProcessInformation) {
        PMY_SYSTEM_PROCESS_INFORMATION pNext =
            (PMY_SYSTEM_PROCESS_INFORMATION)SystemInformation;

        /* ImageName.Length is a byte count, so convert it to a WCHAR count for
           wcsncmp; the Idle process has a NULL Buffer and must be skipped. */
        if (pNext->ImageName.Buffer != NULL &&
            !wcsncmp(pNext->ImageName.Buffer, L"calc.exe",
                     pNext->ImageName.Length / sizeof(WCHAR))) {
            /* Matched calc.exe: this is the record the rootkit conceals from the caller. */
        }
    }
    return result;
}
SSDT hook procedure:
1> Get the address of the SSDT.
2> Get the offset address of the target function from the SSDT.
3> Save the original address.
4> Write the address of our function into the SSDT.
5> If the query call is for our file, deny access; if not, call the original function from the saved address.
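Two defender-side checks against the hook above, added here as an example that is not part of these notes: an SSDT scan that flags service entries whose handler lies outside the kernel image (step 4 writes the rootkit's own address into the table), and a cross-view diff that exposes a process the hooked NtQuerySystemInformation filters out. The kernel base, image size, table snapshot (absolute addresses, index 0x33 assumed to be NtQuerySystemInformation) and process lists are all constructed values.

```python
# Added example, not from the notes. All addresses and process lists below are
# constructed for illustration; index 0x33 is assumed to be NtQuerySystemInformation.

NTOSKRNL_BASE = 0xFFFFF80000400000   # constructed kernel image base
NTOSKRNL_SIZE = 0x00600000           # constructed kernel image size

# Constructed SSDT snapshot: service index -> handler address (decoded absolute).
# Entry 0x33 has been redirected outside ntoskrnl, i.e. into a third-party driver.
SSDT_SNAPSHOT = {
    0x32: 0xFFFFF800004A1B20,
    0x33: 0xFFFFF88001C02340,   # hooked: does not fall inside the kernel image
    0x34: 0xFFFFF800004A2F10,
}


def find_ssdt_hooks(ssdt, base=NTOSKRNL_BASE, size=NTOSKRNL_SIZE):
    """Return the service indices whose handler lies outside [base, base+size).

    A hook that writes its own function's address into the SSDT points the
    entry at the rootkit driver, not at ntoskrnl, so a range check over every
    entry of the native table exposes it (legitimate native entries all
    resolve into the kernel image)."""
    return sorted(i for i, addr in ssdt.items() if not base <= addr < base + size)


# Constructed process views: API_VIEW is what a caller of the hooked
# NtQuerySystemInformation sees; RAW_VIEW is an independent enumeration
# (e.g. a walk of the kernel's own process list) that the hook does not filter.
API_VIEW = {4: "System", 612: "csrss.exe", 1840: "explorer.exe"}
RAW_VIEW = {4: "System", 612: "csrss.exe", 1840: "explorer.exe", 2216: "calc.exe"}


def cross_view_diff(api_view, raw_view):
    """Return {pid: name} for processes present in the raw view but hidden from the API view."""
    return {pid: name for pid, name in raw_view.items() if pid not in api_view}


if __name__ == "__main__":
    print("hooked SSDT indices:", [hex(i) for i in find_ssdt_hooks(SSDT_SNAPSHOT)])
    print("hidden processes:", cross_view_diff(API_VIEW, RAW_VIEW))
```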