Book note _ Rootkit Technology _ in-depth Patches

Previously we introduced the function at the entrance.CodePatch, because it is easy to find functions in the memory, so this method is easy to implement. But the anti-rootkit is also easy to detect this patch, because it can only check the integrity of the 20 bytes at the beginning of the function to detect whether it is patched. If code changes are placed after the initial 20 bytes, these software cannot detect them.

You can search for specific Code bytes in the function to install patches. If these codes are unique, you only need to search for them in the memory and patch them. If the code is not unique, you can check whether the code in the attachment has a unique one, but be sure to hit it accurately. Otherwise, it will not achieve the effect you need or cause a system crash.

The authentication function is also a good place for code modification. It can be completely disabled so as to always provide access capabilities. More complex patches allow backdoor passwords or usernames.

The kernel function patch can be used to install the driver.ProgramAnd software programs provide potential, a very suitable patch location is to start the kernel's own boot program, you can patch the integrity check function so that they can no longer detect Trojan horse or modified files. Network function patches can be used to sniff messages and other data. Firmware and bios patches are hard to detect.

During patching and code insertion, you may need to insert a large number of new commands. From the driver's perspective, the best way to handle this is to allocate memory to the non-Paging address pool. But for a more secret Patch, you may want to put the code into unused memory. Many memory pages have unused memory segments at the bottom. Using these lower areas of an existing page is sometimes called a cavern infection ).