rootkit start

FAQ: Where do I start?

"Help! I'm a newbie! I need a rootkit to hack my friend's box… I want to write my own rootkit… I want to start exploiting code… Where do I start?"

These types of questions appear repeatedly on rootkit.com, and rather than re-inventing the wheel every time someone asks one of them, it occurred to me that we could compile a short document to address them generically. The following discussion is by no means complete, but it can be expanded based upon the suggestions of experienced individuals in the community.

So you want to know where to start? Well, first off, if you've come here looking for a ready-made solution to hack your friend's box, you've come to the wrong place! Rootkit.com is primarily a knowledge-based site intended to provide information about rootkit development and related programming issues. On the other hand, if you're a newbie with a desire to learn how to write your own rootkit and you need some idea of where to begin, please read on…

Unfortunately, rootkit development and software exploitation have a rather long list of prerequisite knowledge that must be acquired.

1. First, you must learn a programming language. C / C++ is the preferred choice. Unlike many other languages, C supports inline assembly language. Although most programmers have little use for assembly, rootkit development occasionally requires this flexibility, and x86 assembly should be your second programming language. The Art of Assembly by Randall Hyde is one of the best references on this subject. It is available both in print and in electronic format (free!).

Art of Assembly (downloadable version) http://webster.cs.ucr.edu/AoA/DOS/

2. You need to learn a little theory about operating systems. Although a graduate course in theoretical operating system design is not required, reading a few chapters in any undergraduate computer science textbook will help. Specifically, you need to understand processes, threads, and memory management.

Two decent books on the subject:

Operating System Concepts by Silberschatz, Galvin, and Gagne

Operating Systems by Deitel & Deitel

3. You need to apply the theory to understanding how a real-world operating system like Windows actually works. Although Windows is closed-source, there are a number of smart individuals who have spent time reversing its internal workings and publishing their findings. Get a book like Undocumented Windows 2000 Secrets by Sven Schreiber or Undocumented Windows NT by Prasad Dabak, Milind Borate, and Sandeep Phadke.

4. If you want to get into kernel rootkits, you will also need to learn how to write a kernel mode driver (KMD). Unfortunately, there are very few beginner tutorials available online with regard to kernel programming. Four-4, however, does have several excellent win32 assembly tutorials, which can be found at: http://www.assembly-journal.com/sitemap.php Additionally, there are quite a few books on the subject, including The Windows 2000 Device Driver Book by Art Baker and Jerry Lozano and Programming The Microsoft Windows Driver Model by Walter Oney.

5. You need to learn the basics of "reversing" code, that is to say, gaining an understanding of a binary for which you don't have any source code. A fun way to develop these skills is to practice reversing software protections (serials, time trials, unpacking, demo-crippleware, etc.). Many programmers have written small training programs called "crackmes" and "reversemes" which can also be used for practice. A large collection of them can be found at http://www.crackmes.de and http://www.reversemes.de A great resource of knowledgeable people for reverse code engineering is http://www.woodmann.com . Also, http://bib.universitas-virtualis.org/ has some good tutorials and papers. Reversing also requires some specialized tools, including a disassembler and a debugger. IDA Pro is preferred for disassembly, while either SoftICE (kernel debugging) or OllyDbg will work as a debugger. Miscellaneous reversing-related tools can be found at http://protools.cjb.net .

6. Finally, if you need resources to get started understanding some of the vulnerabilities and rootkits discussed on this site, I would recommend both Exploiting Software by Greg Hoglund (one of the guys that runs this site) and The Shellcoder's Handbook. Both of these will give you a good introduction. Exploiting Software also has a chapter explaining basic rootkit techniques. Rootkits can, in general, be divided into two categories based upon their method of data interception: either hooking or direct kernel object manipulation (DKOM). For understanding hooking techniques, the following links may be useful.

API Spying Techniques http://www.internals.com/articles/apispy/apispy.htm

Advanced Function Hooking http://www.phrack.org/show.php?p=58&a=8

Windows NT Service Table Hooking http://www.wiretapped.net/~fyre/sst.html

Hooking Windows NT System Services http://www.windowsitlibrary.com/Content/356/06/2.html

Windows NT System-Call Hooking http://www.ddj.com/articles/1997/9701/

For understanding DKOM, you should look at the source for the FU rootkit here on this site, written by fuzen_op.

posted on 2012-11-12 22:46 by 狼爱上羊
