Hoglund’s article is dated 1999, and based on research into the Windows kernel conducted the previous year and published on Usenet by a programmer from Sri Lanka. Back in 1995, Jeffrey Richter, a Windows programming guru, disclosed techniques for intercepting system calls in user mode in his famous book "Advanced Windows" and its fourth edition, which was called "Programming Applications for Microsoft Windows". These techniques were later implemented in many rootkits, which even went as far as to copy source code directly from the book.
Techniques for intercepting system calls in kernel mode were disclosed publicly in two other classic programming manuals: Schreiber's "Undocumented Windows 2000 Secrets", published in 2001, and "Undocumented Windows NT" by P. Dabak et al., 1999.
The first Windows rootkits
Researchers continued to investigate Windows system protection, and soon after NTRootkit was released several other tools appeared, all designed to hide objects in the operating system:
- 2000 – he4hook, designed by a Russian programmer. The tool is not malicious, but it does hide files. It works in kernel mode. Interestingly, even the author doesn't call this program a rootkit.
- 2002 – Hacker Defender (aka HacDef). This is also just a tool, but a more powerful one: it can be used to hide files, processes and registry keys with flexible settings in the configuration file. It also works in kernel mode.
- 2003 – Vanquish. This tool can be used to hide files, directories and registry keys. Moreover, it has a malicious payload – it logs passwords. Vanquish works in user mode.
It is immediately clear that the thoughts of those researching such issues were changing course, with the focus moving from neutral tools to tools designed with ulterior motives, including malicious ones.
- 2003 – Haxdoor (aka A-311 Death and Nuclear Grabber, a modified variant of the same program). This is already more than a tool – it is a backdoor that uses rootkit techniques to conceal its presence in the system. It works primarily in user mode.
- 2004 – FU – a tool to conceal processes. This tool introduces a new technique based on modifying the system structure itself, rather than modifying access to the system. It works in kernel mode.