Hiding Files and Directories

While we're on the topic of hiding things using call hooks, it would make sense to hide a directo we have somewhere to place log files and utilities. Again, this can be handled through a single hook. Under NT the call hook is QueryDirectoryFile(). Our replacement version will hide any

use. The files and directories still actually exist, and you can reference them normally. Only the

Exploitingdirectory/fileSoftwarelistingHowprogramto B eak Codewill be in the dark. You can still change locations into the directory

execute/open a hidden file. Of course, you had better remember the name you use!

ByGreg Hoglund,Gary McGraw

Publisher: Addison Wesley

Pub Date: February 17, 2004

ISBN: 0-201-78695-8

Pages: 512

NTSTATUS NewZwQueryDirectoryFile(

How does software break? How do attackers make software break on purpose? Why are

IN HANDLE hFile,

firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers.

IN HANDLE hEvent OPTIONAL,

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and techniquesINusedPIObyAPCbad_ROUTINEguys to breakIoApcRoutinesoftware. IfOPTIONAL,you want to protect your software from attack, you must first learn how real attacks are really carried out.

IN PVOID IoApcContext OPTIONAL,

This must-have book may shock you—and it will certainly educate you.Getting beyond the script kiddieOUTtreatmentPIO STATUSfoundBLOCKin manypIoStatusBlock,hacking books, you will learn about

OUT PVOID FileInformationBuffer,

Why software exploit will continue to be a serious problem

IN ULONG FileInformationBufferLength,

When network security mechanisms do not work

IN FILE_INFORMATION_CLASS FileInfoClass,

Attack patterns

IN BOOLEAN bReturnOnlyOneEntry,

Reverse engineering

IN PUNICODE_STRING PathMask OPTIONAL,

Classic attacks against server software

SurprisingIN BOOLEANattacks againstbRestartQueryclient software

) Techniques for crafting malicious input

{ The technical details of buffer overflows

Rootkits

NTSTATUS rc;

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

CHAR aProcessName[PROCNAMELEN];

software.

GetProcessName( aProcessName );

DbgPrint("rootkit: NewZwQueryDirectoryFile() from %s\n", aProcessName)

{

int iPos = ((ULONG)p) -

(ULONG)FileInformationBuffer;

int iLeft =

•Table of Contents

(DWORD)FileInformationBufferLength - iPos - p->dwLenToNext;

•Index

Exploiting Software How to Break Code

RtlCopyMemory( (PVOID)p,

ByGreg Hoglund,Gary McGraw

(PVOID)( (char *)p + p->dwLenToNext ), (DWORD)iLeft );

How does software break? How do attackers make software break on purpose? Why are

p = (PDirEntry)((char *)p + p->dwLenToNext ) firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys?

What tools can be used to break software? This book provides the answers.

} while( !bLastOne );

Exploiting Softwareis loaded with examples of real attacks, attack patterns, tools, and

}

techniques used by bad guys to break software. If you want to protect your software from

attack, you must first learn how real attacks are really carried out.

}

This must-have book may shock you—and it will certainly educate you.Getting beyond the return(rc);

script kiddie treatment found in many hacking books, you will learn about

}

Why software exploit will continue to be a serious problem

When network security mechanisms do not work

Attack patterns

Reverse engineering

Classic attacks against server software

Surprising attacks against client software

Techniques for crafting malicious input

The technical details of buffer overflows

Rootkits

Exploiting Softwareis filled with the tools, concepts, and knowledge necessary to break

software.