I have an obsession with rootkits and I’d like to start making as many rootkits as possible to test inside of my VM, for educational purposes of course, and for practice. I’m not yet a malware analyst nor am I a reverse engineer, but I am certainly interested in this type of stuff and I plan on taking courses and learning by reading. Please advise me and leave some suggestions.
What should I know in terms of programming languages to make user-mode rootkits, kernel-mode rootkits and/or hypervisor rootkits (ring -1)? I think I know we require C/C++, but I know more C than C++. What do I need to know inside of those languages (e.g. what libraries and techniques)?
What is the fastest and best way to learn reverse engineering and become a malware analyst?
I hope you understand what I mean and my intentions. I love learning and I’m hungry for this knowledge, so feed me if you can. Nice forum, btw, I love it.
Welcome to Malware Analysis Forums.
These resources should be useful to you:
https://www.amazon.com/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319/ref=sr_1_1?ie=UTF8&qid=1522140984&sr=8-1&keywords=rootkits (This book is older but still has a lot of useful fundamentals… Just note there are way more security features in the OS now)
That should get you started.
@hyperootkit also note that with modern Windows, a good idea is to be familiar with how drivers work and how user-mode code communicates with drivers. For example, you should learn about IOCTLs and the DeviceIoControl() API. If you are able to find a vulnerability in a common driver, you could install a rootkit this way because you will have code execution in the kernel memory space. This is important now because of protections against SSDT hooking and PatchGuard.
Microsoft’s MSDN site has pretty good guides on how to develop drivers now, if you really want to learn a lot. Try device drivers and minifilter drivers for practice. But you will need WinDbg, VirtualKD, and VMware to do this effectively.
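To make the IOCTL / DeviceIoControl() point above concrete, here is an added example (not code from the post or from any real driver) showing how a control code is encoded with the WDK's CTL_CODE macro and how a driver's IRP_MJ_DEVICE_CONTROL handler should validate the user-supplied buffer lengths before touching the buffer. The macro and constants are copied from the public WDK/SDK headers so the file compiles with any C toolchain; the IRP is mocked with a plain struct, and the `hypo` device and `IOCTL_HYPO_ECHO` code are hypothetical names chosen for the example.

```c
/* Added example: IOCTL encoding plus a length-checked METHOD_BUFFERED handler.
 * The IRP is a mock; the hypo device and IOCTL_HYPO_ECHO are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Copied from winioctl.h / ntddk.h: four fields packed into one 32-bit code. */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
#define FILE_DEVICE_UNKNOWN 0x22
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    1
#define FILE_WRITE_ACCESS   2
#define DEVICE_TYPE_FROM_CTL_CODE(c) (((uint32_t)(c) & 0xffff0000u) >> 16)
#define METHOD_FROM_CTL_CODE(c)      ((uint32_t)(c) & 3u)

/* NTSTATUS values from ntstatus.h. */
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023)

/* Hypothetical vendor code: 0x800 is the first function number reserved
 * for third parties, so real drivers start numbering there too. */
#define IOCTL_HYPO_ECHO \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

static uint32_t function_from_ctl_code(uint32_t c) { return (c >> 2) & 0xfffu; }

/* Mock of what a real handler reads from
 * IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl and
 * Irp->AssociatedIrp.SystemBuffer. With METHOD_BUFFERED one system buffer
 * carries input in and output back out; both lengths come from user mode. */
struct mock_irp {
    uint32_t io_control_code;
    uint32_t input_buffer_length;
    uint32_t output_buffer_length;
    uint8_t  system_buffer[64];
    uint32_t information;   /* Irp->IoStatus.Information: bytes to copy back */
};

struct echo_request { uint32_t value; };

/* IRP_MJ_DEVICE_CONTROL dispatch. Both length checks happen before any
 * access to the buffer; a driver that omits them is the kind of target the
 * post has in mind, since a short buffer then becomes a kernel overread or
 * overwrite controlled from user mode. */
NTSTATUS hypo_device_control(struct mock_irp *irp)
{
    switch (irp->io_control_code) {
    case IOCTL_HYPO_ECHO: {
        if (irp->input_buffer_length  < sizeof(struct echo_request) ||
            irp->output_buffer_length < sizeof(struct echo_request))
            return STATUS_BUFFER_TOO_SMALL;
        struct echo_request req;
        memcpy(&req, irp->system_buffer, sizeof req);
        req.value = ~req.value;                      /* observable transform */
        memcpy(irp->system_buffer, &req, sizeof req);
        irp->information = sizeof req;
        return STATUS_SUCCESS;
    }
    default:
        return STATUS_INVALID_DEVICE_REQUEST;        /* unknown code: reject */
    }
}

/* Stand-in for the user-mode call (which cannot run outside Windows):
 *   DeviceIoControl(h, IOCTL_HYPO_ECHO, &in, sizeof in, &out, sizeof out, &n, NULL);
 * The I/O manager copies `in` into SystemBuffer, fills in the two lengths,
 * and afterwards copies `Information` bytes back into `out`. */
NTSTATUS run_echo(uint32_t value, uint32_t in_len, uint32_t out_len, uint32_t *out_value)
{
    struct mock_irp irp;
    memset(&irp, 0, sizeof irp);
    irp.io_control_code = IOCTL_HYPO_ECHO;
    irp.input_buffer_length = in_len;
    irp.output_buffer_length = out_len;
    memcpy(irp.system_buffer, &value, sizeof value);
    NTSTATUS st = hypo_device_control(&irp);
    if (st == STATUS_SUCCESS)
        memcpy(out_value, irp.system_buffer, sizeof *out_value);
    return st;
}

int main(void)
{
    uint32_t out = 0;
    printf("IOCTL_HYPO_ECHO = 0x%08x (type 0x%x, function 0x%x, method %u)\n",
           (unsigned)IOCTL_HYPO_ECHO, DEVICE_TYPE_FROM_CTL_CODE(IOCTL_HYPO_ECHO),
           function_from_ctl_code(IOCTL_HYPO_ECHO), METHOD_FROM_CTL_CODE(IOCTL_HYPO_ECHO));
    printf("good request: status 0x%08x, value 0x%08x\n",
           run_echo(0x12345678u, 4, 4, &out), out);
    printf("short output buffer: status 0x%08x\n", run_echo(1u, 4, 2, &out));
    return 0;
}
```

Walking through the encoding by hand gives 0x220000 | 0xC000 | 0x2000 | 0 = 0x22E000; reverse this when you see an unknown IOCTL in a disassembler, since the method field tells you where the driver expects the buffers to live and therefore where a missing check would bite. The same dispatch shape applies to a minifilter's communication port, just with different entry points.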
I’m a bit late to the party here, but No Starch Press has a book coming out soon on rootkits that should be a bit more up to date: https://nostarch.com/rootkits
They have a sample chapter posted as a PDF: https://nostarch.com/download/RootkitsandBootkits_sample_Chapter6_updated.pdf
@kernelpanic24 Hell yeah, that’s badass, thanks for the info!