
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System, 1st Edition, Bill Blunden
Author(s): Bill Blunden
ISBN(s): 9781598220612, 1598220616
Edition: 1
File Details: PDF, 81.33 MB
Year: 2009
Language: English
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System

Reverend Bill Blunden

Wordware Publishing, Inc.


Library of Congress Cataloging-in-Publication Data

Blunden, Bill, 1969-
The rootkit arsenal / by Bill Blunden.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-59822-061-2 (pbk. : alk. paper)
1. Computers--Access control. 2. Computer viruses. 3. Computer hackers. I. Title.
QA76.9.A25B585 2009
005.8--dc22 2009008316

© 2009, Wordware Publishing, Inc.
An imprint of Jones and Bartlett Publishers
All Rights Reserved
1100 Summit Ave., Suite 102
Plano, Texas 75074

No part of this book may be reproduced in any form or by any means without permission in writing from Wordware Publishing, Inc.

Printed in the United States of America

ISBN-13: 978-1-59822-061-2
ISBN-10: 1-59822-061-6
10 9 8 7 6 5 4 3 2 1
0905

Microsoft, PowerPoint, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Computrace is a registered trademark of Absolute Software, Corp. EnCase is a registered trademark of Guidance Software, Inc. Eudora is a registered trademark of Qualcomm Incorporated. File Scavenger is a registered trademark of QueTek Consulting Corporation. Ghost and PowerQuest are trademarks of Symantec Corporation. GoToMyPC is a registered trademark of Citrix Online, LLC. KeyCarbon is a registered trademark of www.keycarbon.com. Metasploit is a registered trademark of Metasploit, LLC. OpenBoot is a trademark of Sun Microsystems, Inc. PC Tattletale is a trademark of Parental Control Products, LLC. ProDiscover is a registered trademark of Technology Pathways, LLC. Spector Pro is a registered trademark of SpectorSoft Corporation. Tripwire is a registered trademark of Tripwire, Inc. VERISIGN is a registered trademark of VeriSign, Inc. VMware is a registered trademark of VMware, Inc. Wireshark is a registered trademark of Wireshark Foundation. Zango is a registered trademark of Zango, Inc.
Other brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks should not be regarded as intent to infringe on the property of others. The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products.
This book is sold as is, without warranty of any kind, either express or implied, respecting the contents of this book and any disks or programs that may accompany it, including but not limited to implied warranties for the book's quality, performance, merchantability, or fitness for any particular purpose. Neither Jones and Bartlett Publishers nor its dealers or distributors shall be liable to the purchaser or any other person or entity with respect to any liability, loss, or damage caused or alleged to have been caused directly or indirectly by this book.

All inquiries for volume purchases of this book should be addressed to Wordware Publishing, Inc.,
at the above address. Telephone inquiries may be made by calling:
(972) 423-0090
This book is dedicated to Sun Wukong, the quintessential mischief-maker.

Contents

Preface: Metadata . . . xix

Part I - Foundations

Chapter 1 Setting the Stage . . . 3
  1.1 Forensic Evidence . . . 3
  1.2 First Principles . . . 8
    Semantics . . . 9
    Rootkits: The Kim Philby of System Software . . . 11
    Who Is Using Rootkit Technology? . . . 13
      The Feds . . . 13
      The Spooks . . . 13
      The Suits . . . 15
  1.3 The Malware Connection . . . 15
    Infectious Agents . . . 16
    Adware and Spyware . . . 17
    Rise of the Botnets . . . 17
    Malware versus Rootkits . . . 19
    Job Security: The Nature of the Software Industry . . . 19
  1.4 Closing Thoughts . . . 21
Chapter 2 Into the Catacombs: IA-32 . . . 23
  2.1 IA-32 Memory Models . . . 24
    Physical Memory . . . 25
    Flat Memory Model . . . 27
    Segmented Memory Model . . . 27
    Modes of Operation . . . 28
  2.2 Real Mode . . . 29
    Case Study: MS-DOS . . . 30
    Isn't This a Waste of Time? Why Study Real Mode? . . . 32
    The Real-Mode Execution Environment . . . 33
    Real-Mode Interrupts . . . 35
    Segmentation and Program Control . . . 38
    Case Study: Dumping the IVT . . . 40
    Case Study: Logging Keystrokes with a TSR . . . 41
    Case Study: Hiding the TSR . . . 45
    Case Study: Patching the tree.com Command . . . 50
    Synopsis . . . 53
  2.3 Protected Mode . . . 54
    The Protected-Mode Execution Environment . . . 54
    Protected-Mode Segmentation . . . 57
    Protected-Mode Paging . . . 61
    Protected-Mode Paging: A Closer Look . . . 63
  2.4 Implementing Memory Protection . . . 66
    Protection through Segmentation . . . 67
      Limit Checks . . . 67
      Type Checks . . . 68
      Privilege Checks . . . 68
      Restricted-Instruction Checks . . . 69
      Gate Descriptors . . . 70
      Protected-Mode Interrupt Tables . . . 73
    Protection through Paging . . . 74
    Summary . . . 76
Chapter 3 Windows System Architecture . . . 79
  3.1 Physical Memory . . . 80
    Physical Address Extension (PAE) . . . 81
    Data Execution Prevention (DEP) . . . 82
    Address Windowing Extensions (AWE) . . . 82
    Pages, Page Frames, and Page Frame Numbers . . . 83
  3.2 Memory Protection . . . 83
    Segmentation . . . 84
    Paging . . . 86
    Linear to Physical Address Translation . . . 91
      Longhand Translation . . . 91
      A Quicker Approach . . . 92
      Another Quicker Approach . . . 93
  3.3 Virtual Memory . . . 93
    User Space Topography . . . 96
    Kernel Space Dynamic Allocation . . . 97
    Address Space Layout Randomization (ASLR) . . . 98
  3.4 User Mode and Kernel Mode . . . 100
    How versus Where . . . 100
    Kernel-Mode Components . . . 101
    User-Mode Components . . . 103
  3.5 The Native API . . . 105
    The IVT Grows Up . . . 106
    Hardware and the System Call Mechanism . . . 107
    System Call Data Structures . . . 108
    The SYSENTER Instruction . . . 109
    The System Service Dispatch Tables . . . 110
    Enumerating the Native API . . . 113
    Nt*() versus Zw*() System Calls . . . 114
    The Life Cycle of a System Call . . . 116
    Other Kernel-Mode Routines . . . 119
    Kernel-Mode API Documentation . . . 122
  3.6 The Boot Process . . . 124
    Startup for BIOS Firmware . . . 124
    Startup for EFI Firmware . . . 126
    The Windows Boot Manager . . . 126
    The Windows Boot Loader . . . 127
    Initializing the Executive . . . 130
    The Session Manager . . . 132
    Wininit.exe . . . 134
    Winlogon.exe . . . 134
    The Major Players . . . 134
  3.7 Design Decisions . . . 136
    How Will Our Rootkit Execute at Run Time? . . . 137
    What Constructs Will Our Rootkit Manipulate? . . . 138
Chapter 4 Rootkit Basics . . . 141
  4.1 Rootkit Tools . . . 142
    Development Tools . . . 142
    Diagnostic Tools . . . 143
    Reversing Tools . . . 144
    Disk Imaging Tools . . . 145
    Tool Roundup . . . 147
  4.2 Debuggers . . . 148
    Configuring Cdb.exe . . . 150
      Symbol Files . . . 150
      Windows Symbols . . . 151
      Invoking Cdb.exe . . . 153
      Controlling Cdb.exe . . . 154
    Useful Debugger Commands . . . 155
      Examine Symbols Command (x) . . . 155
      List Loaded Modules (lm and !lmi) . . . 157
      Display Type Command (dt) . . . 158
      Unassemble Command (u) . . . 158
      Display Command (d*) . . . 159
      Registers Command (r) . . . 161
    The Kd.exe Kernel Debugger . . . 161
      Different Ways to Use a Kernel Debugger . . . 162
      Configuring Kd.exe . . . 164
        Preparing the Hardware . . . 164
        Preparing the Software . . . 166
      Launching a Kernel Debugging Session . . . 168
      Controlling the Target . . . 169
    Useful Kernel-Mode Debugger Commands . . . 170
      List Loaded Modules Command (lm) . . . 170
      !process . . . 171
      Registers Command (r) . . . 173
    Working with Crash Dumps . . . 173
      Method 1 . . . 174
      Method 2 . . . 175
      Crash Dump Analysis . . . 175
  4.3 A Rootkit Skeleton . . . 176
    Kernel-Mode Driver Overview . . . 176
    A Minimal Rootkit . . . 178
    Handling IRPs . . . 181
      DeviceType . . . 185
      Function . . . 186
      Method . . . 186
      Access . . . 186
    Communicating with User-Mode Code . . . 187
    Sending Commands from User Mode . . . 190
    Source Code Organization . . . 193
    Performing a Build . . . 194
      WDK Build Environments . . . 194
      Build.exe . . . 195
  4.4 Loading a KMD . . . 198
    The Service Control Manager (SCM) . . . 198
      Using sc.exe at the Command Line . . . 199
      Using the SCM Programmatically . . . 200
      Registry Footprint . . . 202
    ZwSetSystemInformation() . . . 203
    Writing to the \Device\PhysicalMemory Object . . . 208
    Modifying Driver Code Paged to Disk . . . 208
    Leveraging an Exploit in the Kernel . . . 210
  4.5 Installing and Launching a Rootkit . . . 210
    Launched by the Operating System . . . 211
    Launched by a User-Mode Application . . . 212
      Use the SCM . . . 212
      Use an Auto-Start Extensibility Point (ASEP) . . . 213
      Install the Launcher as an Add-On to an Existing Application . . . 215
    Defense in Depth . . . 216
    Kamikaze Droppers . . . 216
    Rootkit Uninstall . . . 219
  4.6 Self-Healing Rootkits . . . 220
    Auto-Update . . . 224
  4.7 Windows Kernel-Mode Security . . . 225
    Kernel-Mode Code Signing (KMCS) . . . 225
    Kernel Patch Protection (KPP) . . . 229
    Restricted Access to \Device\PhysicalMemory . . . 230
  4.8 Synchronization . . . 230
    Interrupt Request Levels . . . 230
    Deferred Procedure Calls (DPCs) . . . 234
    Implementation . . . 235
  4.9 Commentary . . . 240

Part II - System Modification

Chapter 5 Hooking Call Tables . . . 243
  5.1 Hooking in User Space: The IAT . . . 245
    DLL Basics . . . 246
    Accessing Exported Routines . . . 247
      Load-Time Dynamic Linking . . . 248
      Run-Time Dynamic Linking . . . 249
    Injecting a DLL . . . 250
      The AppInit_DLLs Registry Value . . . 250
      The SetWindowsHookEx() API Call . . . 251
      Using Remote Threads . . . 252
    PE File Format . . . 255
      The DOS HEADER . . . 255
      RVAs . . . 256
      The PE Header . . . 257
    Walking through a PE on Disk . . . 260
    Hooking the IAT . . . 265
  5.2 Hooking in Kernel Space . . . 269
    Hooking the IDT . . . 270
      Handling Multiple Processors - Solution 1 . . . 271
      Naked Routines . . . 276
      Issues with Hooking the IDT . . . 278
    Hooking Processor MSRs . . . 279
      Handling Multiple Processors - Solution 2 . . . 282
    Hooking the SSDT . . . 286
      Disabling the WP Bit - Technique 1 . . . 288
      Disabling the WP Bit - Technique 2 . . . 289
      Hooking SSDT Entries . . . 291
      SSDT Example: Tracing System Calls . . . 293
      SSDT Example: Hiding a Process . . . 296
      SSDT Example: Hiding a Directory . . . 301
      SSDT Example: Hiding a Network Connection . . . 305
    Hooking IRP Handlers . . . 306
    Hooking the GDT - Installing a Call Gate . . . 308
  5.3 Hooking Countermeasures . . . 317
    Checking for Kernel-Mode Hooks . . . 318
      Checking IA32_SYSENTER_EIP . . . 321
      Checking INT 0x2E . . . 322
      Checking the SSDT . . . 324
      Checking IRP Handlers . . . 325
    Checking for User-Mode Hooks . . . 327
      Parsing the PEB - Part 1 . . . 330
      Parsing the PEB - Part 2 . . . 336
  5.4 Counter-Countermeasures . . . 337
Chapter 6 Patching System Routines . . . 339
    Binary Patching versus Run-time Patching . . . 340
    The Road Ahead . . . 340
  6.1 Run-time Patching . . . 340
    Detour Patching . . . 341
    Detour Jumps . . . 344
    Example 1: Tracing Calls . . . 346
      Detour Implementation . . . 351
        Acquire the Address of the NtSetValueKey() . . . 354
        Initialize the Patch Metadata Structure . . . 354
        Verify the Original Machine Code against a Known Signature . . . 356
        Save the Original Prolog and Epilog Code . . . 357
        Update the Patch Metadata Structure . . . 357
        Lock Access and Disable Write Protection . . . 358
        Inject the Detours . . . 358
      The Prolog Detour . . . 359
      The Epilog Detour . . . 361
      Post-Game Wrap-Up . . . 365
    Example 2: Subverting Group Policy . . . 365
      Detour Implementation . . . 367
        Initializing the Patch Metadata Structure . . . 367
        The Epilog Detour . . . 368
      Mapping Registry Values to Group Policies . . . 373
    Example 3: Granting Access Rights . . . 374
      Detour Implementation . . . 376
  6.2 Binary Patching . . . 379
    Subverting the Master Boot Record . . . 380
      The MBR in Depth . . . 380
      The Partition Table . . . 383
      Patch or Replace? . . . 386
    Hidden Sectors . . . 387
    Bad Sectors and Boot Sectors . . . 388
    Rogue Partition . . . 389
    MBR Loader . . . 390
    IA-32 Emulation . . . 393
    Vbootkit . . . 395
  6.3 Instruction Patching Countermeasures . . . 399
Chapter 7 Altering Kernel Objects . . . 401
  7.1 The Cost of Invisibility . . . 401
    Issue 1: The Steep Learning Curve . . . 401
    Issue 2: Concurrency . . . 402
    Issue 3: Portability and Pointer Arithmetic . . . 403
    Branding the Technique: DKOM . . . 405
    Objects? . . . 405
  7.2 Revisiting the EPROCESS Object . . . 406
    Acquiring an EPROCESS Pointer . . . 406
    Relevant Fields in EPROCESS . . . 409
      UniqueProcessId . . . 409
      ActiveProcessLinks . . . 410
      Token . . . 411
      ImageFileName . . . 411
  7.3 The DRIVER_SECTION Object . . . 411
  7.4 The TOKEN Object . . . 414
    Authorization on Windows . . . 414
    Locating the TOKEN Object . . . 416
    Relevant Fields in the TOKEN Object . . . 418
  7.5 Hiding a Process . . . 422
  7.6 Hiding a Driver . . . 428
  7.7 Manipulating the Access Token . . . 432
  7.8 Using No-FU . . . 434
  7.9 Countermeasures . . . 436
    Cross-View Detection . . . 436
      High-Level Enumeration: CreateToolhelp32Snapshot() . . . 437
      High-Level Enumeration: PID Bruteforce . . . 439
      Low-Level Enumeration: Processes . . . 442
      Low-Level Enumeration: Threads . . . 444
      Related Software . . . 451
    Field Checksums . . . 452
    Counter-Countermeasures . . . 452
  7.10 Commentary: Limits of the Two-Ring Model . . . 453
  7.11 The Last Lines of Defense . . . 454
Chapter 8 Deploying Filter Drivers . . . 457
  8.1 Filter Driver Theory . . . 458
    Driver Stacks and Device Stacks . . . 458
    The Lifecycle of an IRP . . . 460
    Going Deeper: The Composition of an IRP . . . 461
    IRP Forwarding . . . 464
    IRP Completion . . . 465
  8.2 An Example: Logging Keystrokes . . . 467
    The PS/2 Keyboard Driver and Device Stacks . . . 467
    Lifecycle of an IRP . . . 469
    Implementation . . . 470
  8.3 Adding Functionality: Dealing with IRQLs . . . 475
    Dealing with the Elevated IRQL . . . 475
    Sharing Nicely: The Global Buffer . . . 477
    The Worker Thread . . . 479
    Putting It All Together . . . 483
  8.4 Key Logging: Alternative Techniques . . . 484
    SetWindowsHookEx . . . 485
    GetAsyncKeyState . . . 488
  8.5 Other Ways to Use Filter Drivers . . . 489

Part III - Anti-Forensics

Chapter 9 Defeating Live Response . . . 493
    IDS, IPS, and Forensics . . . 494
    Anti-Forensics . . . 495
      Data Destruction . . . 496
      Data Hiding . . . 496
      Data Transformation . . . 497
      Data Contraception . . . 497
      Data Fabrication . . . 497
      File System Attacks . . . 497
  9.1 The Live Incident Response Process . . . 498
    The Forensic Investigation Process . . . 498
    Collecting Volatile Data . . . 500
    Performing a Port Scan . . . 504
    Collecting Nonvolatile Data . . . 505
    The Debate over Pulling the Plug . . . 508
    Countermeasures . . . 508
  9.2 RAM Acquisition . . . 509
    Software-Based Acquisition . . . 510
      KnTDD.exe . . . 510
      Autodump+ . . . 511
      LiveKd.exe . . . 513
      Crash Dumps . . . 513
    Hardware-Based Acquisition . . . 514
    Countermeasures . . . 515
Chapter 10 Defeating File System Analysis . . . 517
  10.1 File System Analysis . . . 517
    Forensic Duplication . . . 519
    Recovering Deleted Files . . . 521
    Enumerating ADSes . . . 521
    Acquiring File Metadata . . . 523
    Removing Known Good Files . . . 527
    File Signature Analysis . . . 529
    Static Analysis of an Unknown Executable . . . 530
    Run-time Analysis of an Unknown Executable . . . 533
  10.2 Countermeasures: Overview . . . 537
  10.3 Countermeasures: Forensic Duplication . . . 538
    Reserved Disk Regions . . . 538
    Live Disk Imaging . . . 539
  10.4 Countermeasures: Deleted File Recovery . . . 542
  10.5 Countermeasures: Acquiring Metadata . . . 544
    Altering Timestamps . . . 544
    Altering Checksums . . . 546
  10.6 Countermeasures: Removing Known Files . . . 547
    Move Files into the "Known Good" List . . . 547
    Introduce "Known Bad" Files . . . 548
    Flood the System with Foreign Binaries . . . 548
    Keep Off a List Entirely by Hiding . . . 549
      Out-of-Band Hiding . . . 549
      In-Band Hiding . . . 555
      Application Layer Hiding: M42 . . . 566
  10.7 Countermeasures: File Signature Analysis . . . 567
  10.8 Countermeasures: Executable Analysis . . . 568
    Foiling Static Executable Analysis . . . 568
      Cryptors . . . 571
      Encryption Key Management . . . 580
      Packers . . . 581
      Augmenting Static Analysis Countermeasures . . . 583
    Foiling Run-time Executable Analysis . . . 585
      Attacks against the Debugger . . . 586
        Breakpoints . . . 586
        Detecting a User-Mode Debugger . . . 587
        Detecting a Kernel-Mode Debugger . . . 588
        Detecting a User-Mode or Kernel-Mode Debugger . . . 588
        Detecting Debuggers via Code Checksums . . . 589
        Land Mines . . . 590
      Obfuscation . . . 590
        Obfuscating Application Data . . . 591
        Obfuscating Application Code . . . 592
        The Hidden Price Tag . . . 595
  10.9 Borrowing Other Malware Tactics . . . 596
    Memory-Resident Rootkits . . . 596
    Data Contraception . . . 597
    The Tradeoff: Footprint versus Failover . . . 599
Chapter 11 Defeating Network Analysis . . . 603
  11.1 Worst-Case Scenario: Full Content Data Capture . . . 604
  11.2 Tunneling: An Overview . . . 605
    HTTP . . . 606
    DNS . . . 607
    ICMP . . . 607
    Peripheral Issues . . . 609
  11.3 The Windows TCP/IP Stack . . . 610
    Windows Sockets 2 . . . 611
    Raw Sockets . . . 612
    Winsock Kernel API . . . 613
    NDIS . . . 614
    Different Tools for Different Jobs . . . 616
  11.4 DNS Tunneling . . . 617
    DNS Query . . . 617
    DNS Response . . . 619
  11.5 DNS Tunneling: User Mode . . . 621
  11.6 DNS Tunneling: WSK Implementation . . . 625
    Initialize the Application's Context . . . 632
    Create a Kernel-Mode Socket . . . 632
    Determine a Local Transport Address . . . 634
    Bind the Socket to the Transport Address . . . 635
    Set the Remote Address (the C2 Client) . . . 636
    Send the DNS Query . . . 638
    Receive the DNS Response . . . 639
  11.7 NDIS Protocol Drivers . . . 641
    Building and Running the NDISProt 6.0 Example . . . 642
    An Outline of the Client Code . . . 646
    An Outline of the Driver Code . . . 649
    The Protocolxxx() Routines . . . 652
    Missing Features . . . 656
Chapter 12 Countermeasure Summary . . . 659
  12.1 Live Incident Response . . . 660
  12.2 File System Analysis . . . 662
  12.3 Network Traffic Analysis . . . 663
  12.4 Why Anti-Forensics? . . . 664

Part IV - End Material

Chapter 13 The Tao of Rootkits . . . 669
    Run Silent, Run Deep . . . 669
    Development Mindset . . . 670
    On Dealing with Proprietary Systems . . . 670
    Staking Out the Kernel . . . 671
    Walk before You Run: Patching System Code . . . 672
    Walk before You Run: Altering System Data Structures . . . 672
    The Advantages of Self-Reliant Code . . . 673
    Leverage Existing Work . . . 675
    Use a Layered Defense . . . 675
    Study Your Target . . . 676
    Separate Mechanism from Policy . . . 676
Chapter 14 Closing Thoughts . . . 677

Appendix
  Chapter 2 . . . 683
    Project: KillDOS . . . 683
    Project: HookTSR . . . 684
    Project: HideTSR . . . 691
    Project: Patch . . . 696
  Chapter 3 . . . 697
    SSDT . . . 697
  Chapter 4 . . . 710
    Project: Skeleton (KMD Component) . . . 710
    Project: Skeleton (User-Mode Component) . . . 714
    Project: Installer . . . 721
    Project: Hoglund . . . 724
    Project: SD . . . 726
    Project: HBeat (Client and Server) . . . 729
    Project: IRQL . . . 736
  Chapter 5 . . . 739
    Project: RemoteThread . . . 739
    Project: ReadPE . . . 741
    Project: HookIAT . . . 746
    Project: HookIDT . . . 750
    Project: HookSYS . . . 756
    Project: HookSSDT . . . 760
    Project: HookIRP . . . 772
    Project: HookGDT . . . 774
    Project: AntiHook (Kernel Space and User Space) . . . 779
    Project: ParsePEB . . . 790
  Chapter 6 . . . 793
    Project: TraceDetour . . . 793
    Project: GPO Detour . . . 801
    Project: AccessDetour . . . 804
    Project: MBR Disassembly . . . 811
    Project: LoadMBR . . . 813
  Chapter 7 . . . 816
    Project: No-FU (User-Mode Portion) . . . 816
    Project: No-FU (Kernel-Mode Portion) . . . 821
    Project: TaskLister . . . 834
    Project: findFU . . . 838
  Chapter 8 . . . 843
    Project: KiLogr-V01 . . . 843
    Project: KiLogr-V02 . . . 847
  Chapter 10 . . . 854
    Project: TSMod . . . 854
    Project: Slack . . . 858
    Project: MFT . . . 860
    Project: Cryptor . . . 871
  Chapter 11 . . . 876
    Project: UserModeDNS . . . 876
    Project: WSK-DNS . . . 883

Index . . . 895

Disclaimer
The author and the publisher assume no liability for incidental or consequential damages in connection with or resulting from the use of the information or programs contained herein.
If you're foolish enough to wake a sleeping dragon, you're on your own.

Preface: Metadata

"We work in the dark - we do what we can - we give what we have.
Our doubt is our passion and our passion is our task.
The rest is the madness of art."
- Henry James, The Middle Years (1893)

In and of itself, this book is nothing more than a couple pounds of processed wood pulp. Propped open next to the workstation of an experienced software developer, however, this book becomes something more. It becomes one of those books that they would prefer you didn't read. To be honest, the MBA types in Redmond would probably suggest that you pick up the latest publication on .NET and sit quietly in the corner like a good little software engineer. Will you surrender to their technical lullaby, or will you choose to handle more hazardous material?

In the early days, back when an 8086 was cutting-edge technology, the skills required to undermine a system and evade detection were funneled along an informal network of Black Hats. All told, they did a pretty good job of sharing information. Membership was by invitation only and meetings were often held in secret. In a manner that resembles a guild, more experienced members would carefully recruit and mentor their protégés. Birds of a feather, I suppose; affinity works in the underground the same way as it does for the Skull and Bones crowd at Yale. For the rest of us, the information accumulated by the Black Hat groups was shrouded in obscurity.

This state of affairs is changing and this book is an attempt to hasten the trend. When it comes to powerful technology, it's never a good idea to stick your head in the sand (or encourage others to do so). Hence, my goal over the next few hundred pages is to present an accessible, timely, and methodical presentation on rootkit internals. All told, this book covers more topics, in greater depth, than any other book currently available. It's a compendium of ideas and code that draws its information from a broad spectrum of sources. I've dedicated the past two years of my life to ensuring that this is the case. In doing so I've waded through a vast murky swamp of poorly documented, partially documented, and undocumented material. This book is your opportunity to hit the ground running and pick up things the easy way.

[Figure: three labels, "Poorly Documented", "Partially Documented", "Not Documented". Caption: Pick your poison...]

The King's New Body Armor


A discussion of standard Black Hat tradecraft makes a lot of people nervous.
After all, as the scientific community will tell you, an open exchange of infor-
mation can lead to innovation and improvement. This is exactly what
happened with the discipline of cryptography, which for years had languished
under the auspices of national security. Likewise, there are powerful interests
who would prefer that the finer points of rootkit implementation remain out
of the public eye. An open exchange of ideas might lead to innovation and
improvement. Not to mention that the aforementioned corporate interests
could stand to lose a lot of money if consumers suddenly realized that the
products they sell are, in some cases, providing users with a false sense of
security.
These vested corporate interests have been known to throw their weight
around and make threats when they feel that their source of income has been
threatened. As the Chinese would say, these companies are worried that
someone is going to steal their bowl of rice. George Ledin, a professor at
Sonoma State University, teaches an introductory course on computer secu-
rity that offers students the opportunity to create malware first-hand. In
response, a number of security software vendors have formally announced in
writing that they'll boycott hiring Ledin's students. Pretty strong words, if
you ask me.
Another professor, John Aycock, received a similar response back in 2003
when the computer science department at the University of Calgary
announced that it would be teaching this sort of course. Two prominent
industry groups, AVIEN (Anti Virus Information Exchange Network) and

AVIEWS (Anti Virus Information and Early Warning System), formally con-
demned Aycock's teaching methodology and admonished the University of
Calgary to revisit the decision to offer such a course.1 In their public state-
ment, AVIEN and AVIEWS claimed that:
"The creation of new viruses and other types of malware is completely
unnecessary. Medical doctors do not create new viruses to understand how
existing viruses function and neither do anti-virus professionals. It is simply
not necessary to write new viruses to understand how they work and how
they can be prevented. There are also enough viruses on the Internet already
that can be dissected and analyzed without creating new threats."
In the summer of 2006, Consumer Reports (an independent, nonprofit organi-
zation) drew the ire of the computer security industry when it tested a
number of well-known antivirus packages by hiring an outside firm to create
5,500 variants of existing malware executables. Critics literally jumped out of
the woodwork to denounce this testing methodology. For instance, Igor
Muttik, of McAfee's Avert Labs, in a company blog observed that: "Creating
new viruses for the purpose of testing and education is generally not consid-
ered a good idea - viruses can leak and cause real trouble."
Naturally, as you might have guessed, there's an ulterior motive behind this
response. As Jürgen Schmidt, a columnist at Heise Security, points out, "The
commandment 'Thou shalt not create new viruses' is a sensible self-imposed
commitment by the manufacturers of antivirus software, which prevents
them from creating an atmosphere of threat to promote their products."2
Listen to the little girl. The king is naked. His expensive new suit of armor is
a boondoggle. The truth is that Pandora's Box has been opened. Like it or
not, the truth will out. As this author can testify, if you're willing to dig deep
enough, you can find detailed information on almost any aspect of malware
creation on the Internet. Issuing ultimatums and intimidating people will do
little to stem the tide. As Mark Ludwig put it in his seminal book The Giant
Black Book of Computer Viruses, "No intellectual battle was ever won by
retreat. No nation has ever become great by putting its citizens' eyes out."

1 http://www.avien.org/publicletter.htm
2 http://www.heise-online.co.uk/security/features/77440

General Approach
Explaining how rootkits work is a balancing act that involves just the right
amount of depth, breadth, and pacing. In an effort to appeal to as broad an
audience as possible, during the preparation of this book's manuscript I tried
to abide by the following guidelines:
• Include an adequate review of prerequisite material
• Keep the book as self-contained as possible
• Demonstrate ideas using modular examples

Include an Adequate Review of Prerequisite Material


Dealing with system-level code is a lot like walking around a construction site
for the first time. Kernel-mode code is very unforgiving. The nature of this
hard hat zone is such that it shelters the cautious and punishes the foolhardy.
In these surroundings it helps to have someone who knows the terrain and
can point out the dangerous spots. To this end, I invest a significant amount of
effort in covering the finer points of Intel hardware, explaining obscure device
driver concepts, and dissecting the appropriate system-level APIs. I wanted to
include enough background material so that you don't have to read this book
with two other books in your lap.

Keep the Book as Self-Contained as Possible


In the interest of keeping a steady train of thought, I've relegated complete
code listings to the appendix so that I could focus on ideas rather than every
detail of their implementation. The shell scripts and build files used to com-
pile selected projects in this book can be downloaded from the book's
resource page at www.wordware.com/files/RKArsenal.

Demonstrate Ideas Using Modular Examples


This book isn't a brain dump of an existing rootkit (though such books exist).
This book focuses on transferable ideas and strategies. Otherwise, I could
have just posted my source code online. Who wants to read a book that's
nothing more than an annotated source code listing?
The emphasis of this book is on learning concepts. Hence, I've tried to break
my example code into small, easy-to-digest, sample programs. I think that
this approach lowers the learning threshold by allowing you to focus on
immediate technical issues rather than having to wade through 20,000 lines
of production code. In the source code spectrum (see the following figure),
the examples in this book would probably fall into the "training code" cate-
gory. I build my sample code progressively so that I only provide what's
necessary for the current discussion at hand, while still keeping a strong
sense of cohesion by building strictly on what's already been presented.

[Figure: the source code spectrum, from "Tease" to "Training Code" to "Full Example" to "Production Code."]

Over the years of reading computer books, I've found that if you include too
little code to illustrate a concept, you end up stifling comprehension. If you
include too much code, you run the risk of getting lost in details or annoying
the reader. Hopefully I've found a suitable middle path, as they say in Zen.

Organization of the Book


This book is organized into four parts:
• Part I - Foundations
• Part II - System Modification
• Part III - Anti-Forensics
• Part IV - End Material
Studying rootkits is a lot like Gong Fu. True competency requires years of
dedication, practice, and a mastery of the basics. This is not something you
can buy; you must earn it. Hence, I devote Part I of this book to fundamental
material. It may seem like a tedious waste of time, but it's necessary. It will
give you the foundation you need to comfortably experiment with more
advanced concepts later on.
Part II of the book examines how a rootkit can modify a system to undermine
its normal operation. The discussion follows a gradual progression, starting
with easier techniques and moving on to more sophisticated ones. In the end,
the run-time state of a machine is made up of machine instructions and data
structures. Patching a system with a rootkit boils down to altering either one
or both of these constituents.
On the battlefield, it's essential to understand the vantage point of your
adversary. In this spirit, Part III assumes the mindset of a forensic investiga-
tor. We look at forensic techniques that can be employed to unearth a rootkit
and then examine the countermeasures that a rootkit might utilize to evade
the wary investigator. In doing so, we end up borrowing many tactics that tra-
ditionally have been associated with viruses and other forms of malware.
Part IV examines what might be referred to as "macro issues." Specifically, I
discuss general strategies that transcend any particular software/hardware
platform. I also briefly comment on analogies in the political arena.

Intended Audience
When I was first considering the idea of writing about rootkits, someone
asked me: "Aren't you worried that you'll be helping the bad guys?" The
answer to this question is a resounding "NO." The bad guys already know
this stuff. It's the average system administrator who needs to appreciate just
how potent rootkit technology can be. Trying to secure the Internet by limit-
ing access to potentially dangerous information is a recipe for disaster.
Ultimately, I'm a broker. What I have to offer in this book is ideas and source
code examples. What you choose to do with them is your business.

Prerequisites
For several decades now, the standard language for operating system imple-
mentation has been C. It started with UNIX in the 1970s and Darwinian
forces have taken over from there. Hence, people who pick up this book will
need to be fluent in C. Granted, there will be a load of material related to
device driver development, some x86 assembler, and a modicum of sys-
tem-level APIs. It's inescapable. Nevertheless, if I do my job as an author, all
you'll really need to know is C. Don't turn tail and run away if you spot
something you don't recognize; I'll be with you every step of the way.

Conventions
In this book, the Consolas font is used to indicate text that is one of the
following:
• Source code
• Console output
• A numeric or string constant
• Filename
• Registry key name or value name
I've tried to distinguish source code and console output from regular text
using a grey background. In some cases, particularly important items are
highlighted in black. If an output listing is partial, in the interest of saving
space, I've tried to indicate this using three trailing periods.
int level;
level = 5;
level++; // this is really important code, it's highlighted
/*
This is a really long comment.
It goes on and on ...
*/

Registry names have been abbreviated according to the following standard
conventions:
• HKEY_LOCAL_MACHINE = HKLM
• HKEY_CURRENT_USER = HKCU

Registry keys are indicated by a trailing backslash. Registry key values are
not suffixed with a backslash.
HKLM\SYSTEM\CurrentControlSet\Services\NetBIOS\
HKLM\SYSTEM\CurrentControlSet\Services\NetBIOS\ImagePath

Words will appear in italic font in this book for the following reasons:
• When defining new terms
• To place emphasis on an important concept
• When quoting another source
• When citing a source
Numeric values appear throughout the book in a couple of different formats.
Hexadecimal values are indicated by either prefixing them with "0x" or
appending "H" to the end. Source code written in C tends to use the former
and IA-32 assembly code tends to use the latter.
0xFF02
0FF02H

Binary values are indicated either explicitly or implicitly by appending the
letter "B". You'll see this sort of notation primarily in assembly code.
0110111B

Acknowledgments
As with many things in life, this book is the culmination of many outwardly
unrelated events. In my mind, this book has its origins back in December of
1999 while I was snowed in during a record-breaking winter storm in Minne-
apolis. Surfing at random, I happened upon Greg Hoglund's article in Phrack
magazine, "A *REAL* NT Rootkit, patching the NT Kernel." Though I'll
admit that much of the article was beyond me at the time, it definitely planted
a seed that grew over time.
Without a doubt, this book owes a debt of gratitude to pioneers like Greg who
explored the far corners of the matrix and then generously took the time to
share what they learned with others. I'm talking about researchers like Sven
Schreiber, Mark Ludwig, Joanna Rutkowska, Mark Russinovich, Jamie Butler,
Sherri Sparks, Vinnie Liu, H.D. Moore, the Kumar tag-team over at NVlabs,
Crazylord, and the grugq. A great deal of what I've done in this book builds on
the publicly available foundation of knowledge that these people left behind,
and I feel obliged to give credit where it's due. I only hope this book does the
material justice.
On the other side of the great divide, I'd like to extend my thanks to Richard
Bejtlich, Harlan Carvey, Keith Jones, and Curtis Rose for their contributions
to the field of computer forensics. The books that these guys wrote have
helped to establish a realistic framework for dealing with incidents in the
wild. An analyst who is schooled in this framework, and has the discipline to
follow the processes that it lays out, will prove a worthy adversary to even
the most skilled attacker.
During my initial trial by fire at San Francisco State University, an admin by
the name of Alex Keller was kind enough to give me my first real exposure to
battlefield triage on our domain controllers. For several hours I sat shotgun
with Alex as he explained what he was doing and why. It was an excellent
introduction by a system operator who really knows his stuff. Thanks again,
Alex, for lending your expertise when you didn't have to, and for taking the
heat when your superiors found out that you had.
As usual, greetings are also in order. I'd like to start with a shout out to the
CHHS IT Think Tank at SFSU (Dan Rosenthal, David Vueve, Dylan Mooney,
Jonathan Davis, and Kenn Lau). When it comes to Counter-Strike, those
mopes down at the Hoover Institute have nothing on us! I'd particularly like
to give my respects to the Notorious Lucas Ford, our fearless leader and offi-
cial envoy to Las Vegas; a hacker in the original sense of the word. Mad props
also go to Martin Masters, our covertly funded sleeper cell over in the SFSU
Department of Information Technology. Don't worry, Marty; your secret is
safe with me.
Going back some fifteen years, I'd like to thank Danny Solow, who taught me
how to code in C and inspired me to push forward and learn Intel assembly
code. Thanks and greetings also go out to Rick Chapman, my handler in Con-
necticut and the man who lived to tell of his night at Noorda's Nightmare.
George Matkovitz is a troublemaker of a different sort, a veteran of Control
Data and a walking history lesson. If you wander the halls of Lawson Soft-
ware late at night, legend has it that you will still hear his shrill Hungarian
battle cry: "God damn Bill Gates, son-of-a-bitch. NT bastards!"
Last, but not least, I'd like to give thanks to
Tim McEvoy, Martha McCuller, and all of
the other hardworking folks at Wordware
for making this book happen.

0(eX),
Reverend Bill Blunden
www.belowgotham.com

Part I Foundations
Chapter 1 Setting the Stage
Chapter 2 Into the Catacombs: IA-32
Chapter 3 Windows System Architecture
Chapter 4 Rootkit Basics

Chapter 1

Setting the Stage


"The best safecrackers in the business never steal a penny.
They work for UL."
- Underwriters Laboratories
"China and Russia have thousands of well-trained cyberterrorists
and we are just sitting ducks."
- Professor George Ledin, Sonoma State University

In this chapter, we'll see how rootkits fit into the greater scheme of things.
Specifically, we'll look at the etymology of the term rootkit and then discuss
who's using rootkit technology, and to what end. To highlight the discernable
features of a rootkit, we'll contrast them against various types of malware and
examine their role in the typical attack cycle. To provide you with an initial
frame of reference, the chapter begins with an examination of the forensic
evidence that was recovered from an attack on one of the machines at San
Francisco State University (SFSU).

1.1 Forensic Evidence


When I enlisted as an I.T. foot soldier at SFSU, it was like being airlifted to a
hot landing zone. Bullets were flying everywhere. The university's network
(a collection of subnets in a class B address range) didn't have a firewall to
speak of, not even a NAT device. Thousands of machines were just sitting out
in the open with public IP addresses, listening for connections. In so many
words, we were free game for every script kiddy and bot-herder on the
planet.
The college that hired me managed roughly 500 desktop machines and a rack
of servers. At the time, these computers were being held down by a lone sys-
tem administrator and a contingent of student assistants. To be honest, the
best that this guy could hope to do was focus on the visible problems and pray
that the less conspicuous problems didn't creep up and bite him in the

3
Chapter 1 / Setting the Stage

backside. The caveat of this mindset is that it tends to allow the smaller fires
to grow into larger fires, until the fires unite into one big firestorm. But, then
again, who doesn't like a good train wreck?
It was in this chaotic environment that I ended up on the receiving end of
attacks that used rootkit technology. A couple of weeks into the job, a
coworker and I found the remnants of an intrusion on a computer that had
been configured to share files. The evidence was stashed in the System
Volume Information directory. This is one of those proprietary spots that
Windows wants you to blissfully ignore. According to Microsoft's online docu-
mentation, the System Volume Information folder is "a hidden system folder
that the System Restore tool uses to store its information and restore
points."1 The official documentation also states that "you might need to gain
access to this folder for troubleshooting purposes." Normally, only the operat-
ing system has permissions to this folder and many system administrators
simply dismiss it (making it the perfect place to stash hack tools).
The following series of batch file snippets is a replay of the actions that
attackers took once they had a foothold. My guess is they left this script
behind so they could access it quickly without having to send files across the
WAN link. The attackers began by changing the permissions on the System
Volume Information folder. In particular, they changed things so that every-
one had full access. They also created a backup folder where they could store
files and nested this folder within the System Volume directory to conceal it.
@echo off
xcacls "c:\System Volume Information" /G EVERYONE:F /Y
mkdir "c:\System Volume Information\catalog\{GUID}\backup"

attrib.exe +h +s +r "c:\System Volume Information"
attrib.exe +h +s +r "c:\System Volume Information\catalog"
attrib.exe +h +s +r "c:\System Volume Information\catalog\{GUID}"
attrib.exe +h +s +r "c:\System Volume Information\catalog\{GUID}\backup"

caclsENG "c:\System Volume Information" /T /G system:f Administrators:R
caclsENG "c:\System Volume Information\catalog" /T /G system:f
caclsENG "c:\System Volume Information\catalog\{GUID}" /T /G system:f
caclsENG "c:\System Volume Information\catalog\{GUID}\backup" /T /G system:f

The caclsENG.exe program doesn't exist on the standard Windows install.
It's a special tool that the attackers brought with them. They also brought
their own copy of touch.exe, which was a Windows port of the standard
UNIX program.

1 Microsoft Corporation, "How to gain access to the System Volume Information folder,"
Knowledge Base Article 309531, May 7, 2007.

> Note: For the sake of brevity, I have used the string "GUID"
to represent the global unique identifier
"F750E6C3-38EE-11D1-85E5-00C04FC295EE."

To help cover their tracks, they changed the timestamp on the System
Volume Information directory structure so that it matched that of the Recycle
Bin, and then further modified the permissions on the System Volume Infor-
mation directory to lock down everything but the backup folder. The tools
that they used probably ran under the System account (which means that
they had compromised the server completely). Notice how they placed their
backup folder at least two levels down from the folder that has DENY access
permissions. This was, no doubt, a move to hide their presence on the com-
promised machine.
touch -g "c:\RECYCLER" "c:\System Volume Information"
touch -g "c:\RECYCLER" "c:\System Volume Information\catalog"
touch -g "c:\RECYCLER" "c:\System Volume Information\catalog\{GUID}"
touch -g "c:\RECYCLER" "c:\System Volume Information\catalog\{GUID}\backup"

xcacls "c:\System Volume Information\catalog\{GUID}\backup" /G EVERYONE:F /Y
xcacls "c:\System Volume Information\catalog\{GUID}" /G SYSTEM:F /Y
xcacls "c:\System Volume Information\catalog" /D EVERYONE /Y
xcacls "c:\System Volume Information" /G SYSTEM:F /Y
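The timestamp cloning above (touch -g copies RECYCLER's times onto the whole hidden tree) leaves a signature a defender can look for: unrelated directories almost never share a modification time to the nanosecond by accident. The following Python script is an added example, not code from the book; it builds a constructed directory tree in a temporary folder that mimics the layout in the chapter (a RECYCLER folder, the nested System Volume Information\catalog\{GUID}\backup chain with cloned timestamps, and one unrelated folder with its own timestamp), then reports every directory whose mtime exactly matches the reference. The GUID is the one quoted in the chapter's note; the epoch values and folder names are constructed for the demo. On a live system you would point find_timestamp_clones at the volume root and the real RECYCLER (or any other well-known system folder) instead of the constructed tree.

```python
"""Flag directories whose modification time was cloned from a reference
directory (the "touch -g" trick described above).

Added example, not from the book.  The sample tree is constructed in a
temporary directory so the script runs anywhere without touching a real
System Volume Information folder.
"""
import os
import tempfile

# The catalog GUID quoted in the chapter's note.
GUID = "{F750E6C3-38EE-11D1-85E5-00C04FC295EE}"


def find_timestamp_clones(root, reference):
    """Return the set of directories under *root* (relative, '/'-separated)
    whose mtime equals that of *reference* to the nanosecond.

    The reference directory and its own subtree are skipped; everything
    else that matches exactly is reported for manual review.
    """
    ref_real = os.path.realpath(reference)
    ref_mtime = os.stat(ref_real).st_mtime_ns
    hits = set()
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.realpath(dirpath) == ref_real:
            dirnames[:] = []          # do not descend into the reference itself
            continue
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.path.realpath(full) == ref_real:
                continue
            if os.stat(full).st_mtime_ns == ref_mtime:
                hits.add(os.path.relpath(full, root).replace(os.sep, "/"))
    return hits


def build_constructed_tree():
    """Create the constructed sample tree and return its root.

    RECYCLER gets an arbitrary old timestamp; the attacker's nested folders
    receive the identical timestamp, as touch -g would produce; an
    unrelated folder keeps a different one.
    """
    root = tempfile.mkdtemp(prefix="svi-demo-")
    old_ns = 1_100_000_000 * 10**9            # constructed: a 2004-era epoch time
    recycler = os.path.join(root, "RECYCLER")
    svi = os.path.join(root, "System Volume Information")
    nested = [svi,
              os.path.join(svi, "catalog"),
              os.path.join(svi, "catalog", GUID),
              os.path.join(svi, "catalog", GUID, "backup")]
    benign = os.path.join(root, "Program Files")
    for d in [recycler, benign] + nested:
        os.makedirs(d, exist_ok=True)
    # Timestamps are set only after every directory exists, because
    # creating a child updates its parent's mtime.
    for d in [recycler] + nested:
        os.utime(d, ns=(old_ns, old_ns))
    later_ns = old_ns + 86_400 * 10**9         # one day later
    os.utime(benign, ns=(later_ns, later_ns))
    return root


def demo():
    """Build the constructed tree and return the clones found in it."""
    root = build_constructed_tree()
    return find_timestamp_clones(root, os.path.join(root, "RECYCLER"))


if __name__ == "__main__":
    for hit in sorted(demo()):
        print("timestamp cloned from RECYCLER:", hit)
```

An exact match is only a lead, not proof: legitimate tools occasionally copy timestamps too, so the hits are meant to be triaged alongside the ACL and attribute changes shown in the batch file.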

After setting up a working folder, they changed their focus to the System32
folder, where they installed several files (see Table 1-1). One of these files
was a remote access program named qttask.exe.
cd\
c:
cd %systemroot%
cd system32
qttask.exe /i
net start LdmSvc

Under normal circumstances, the qttask.exe executable would be Apple's
QuickTime player, a standard program on many desktop installations. A
forensic analysis of this executable on a test machine proved otherwise
(we'll discuss forensics and anti-forensics later on in the book). In our case,
qttask.exe was a modified FTP server that, among other things, provided a
remote shell. The banner displayed by the FTP server announced that the
attack was the work of "Team WzM." I have no idea what WzM stands for,
perhaps "Wort zum Montag." The attack originated on an IRC port from the
IP address 195.157.35.1, a network managed by Dircon.net, which is head-
quartered in London.

Table 1-1
File name                   Description
qttask.exe                  FTP-based command and control server
pwdump5.exe                 Dumps password hashes from the SAM database2
lyae.cmm                    ASCII banner file
pci.acx                     ASCII text, configuration parameters
wci.acx                     ASCII text, filter settings of some sort
icp.nls, icw.nls            Language support files
libeay32.dll, ssleay32.dll  DLLs used by OpenSSL
svcon.crt                   PKI certificate used by DLLs3
svcon.key                   ASCII text, registry key entry used during installation

Once the FTP server was installed, the batch file launched the server. The
qttask.exe executable ran as a service named LdmSvc (the display name was
"Logical Disk Management Service"). In addition to allowing the rootkit to
survive a reboot, running as a service was also an attempt to escape detec-
tion. A harried system administrator might glance at the list of running
services and (particularly on a dedicated file server) decide that the Logical
Disk Management Service was just some special "value-added" OEM
program.
The attackers made removal difficult for us by configuring several key ser-
vices, like RPC and the event logging service, to be dependent upon the
LdmSvc service. They did this by editing service entries in the registry (see
HKLM\SYSTEM\CurrentControlSet\Services). Some of the service registry
keys possess a REG_MULTI_SZ value named DependOnService that fulfills this
purpose. Any attempt to stop LdmSvc would be stymied because the OS
would protest (i.e., display a pop-up window), reporting to the user that core
services would also cease to function. We ended up having to manually edit
the registry to remove the dependency entries, delete the LdmSvc sub-key,
and then reboot the machine to start with a clean slate.
On a compromised machine, we'd sometimes see entries that looked like:
C:\>reg query HKLM\SYSTEM\CurrentControlSet\Services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
DisplayName REG_SZ @oleres.dll,-5010
Group REG_SZ COM Infrastructure
ImagePath REG_EXPAND_SZ svchost.exe -k rpcss
Description REG_SZ @oleres.dll,-5011
ObjectName REG_SZ NT AUTHORITY\NetworkService
ErrorControl REG_DWORD 0x1
Start REG_DWORD 0x2
Type REG_DWORD 0x20
DependOnService REG_MULTI_SZ DcomLaunch\0LdmSvc
ServiceSidType REG_DWORD 0x1

2 http://passwords.openwall.net/microsoft-windows-nt-2000-xp-2003-vista
3 http://www.openssl.org/

Note how the DependOnService field has been set to include LdmSvc, the
faux logical disk management service.
Like many attackers, after they had established an outpost, they went about
securing the machine so that other attackers wouldn't be able to get in. For
example, they shut off the default hidden shares.
net share /delete C$ /y
net share /delete D$ /y
REM skipping E$ to Y$ for brevity
net share /delete Z$ /y
net share /delete $RPC
net share /delete $NT
net share /delete $RA SERVER
net share /delete $SQL SERVER
net share /delete ADMIN$ /y
net share /delete IPC$ /y
net share /delete lwc$ /y
net share /delete print$

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
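Both of the tricks just described, the DependOnService tampering that made LdmSvc look essential and the AutoShareServer/AutoShareWks values that switched off the administrative shares, leave traces in exactly the kind of reg query output shown above. The Python script below is an added example rather than code from the book: it parses the text format that reg query prints (one HKEY_ line per key, then name / type / data triples, with REG_MULTI_SZ entries separated by \0), then reports every service whose DependOnService list names something outside a constructed allow-list of known dependencies, and every AutoShare* value that has been forced to 0. The sample listing is constructed for the demo (modeled on the RpcSs dump above, plus an EventLog key, a clean Dhcp key, and the LanManServer parameters); the KNOWN_DEPENDENCIES set is likewise an assumption and on a real host would be built from a known-good baseline of the same build.

```python
"""Triage helpers for service-dependency tampering and disabled admin
shares, working from the text that "reg query" prints.

Added example, not from the book.  SAMPLE and KNOWN_DEPENDENCIES are
constructed for the demo.
"""
import re

# Constructed sample, modeled on the RpcSs listing in the chapter.  A raw
# string keeps the literal "\0" separators that reg query prints for
# REG_MULTI_SZ values.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
    DisplayName    REG_SZ    @oleres.dll,-5010
    ImagePath    REG_EXPAND_SZ    svchost.exe -k rpcss
    Start    REG_DWORD    0x2
    DependOnService    REG_MULTI_SZ    DcomLaunch\0LdmSvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
    DisplayName    REG_SZ    Event Log
    Start    REG_DWORD    0x2
    DependOnService    REG_MULTI_SZ    LdmSvc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    DisplayName    REG_SZ    DHCP Client
    DependOnService    REG_MULTI_SZ    Tcpip\0Afd\0NetBT

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
    AutoShareServer    REG_DWORD    0x0
    AutoShareWks    REG_DWORD    0x0
"""

# Constructed allow-list; in practice this comes from a known-good baseline.
KNOWN_DEPENDENCIES = {"DcomLaunch", "RpcSs", "Tcpip", "Afd", "NetBT"}

# name, registry type, data (data may contain spaces, so it is matched last)
VALUE_RE = re.compile(r"^(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg query text."""
    entries = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            entries.setdefault(current, {})
            continue
        match = VALUE_RE.match(line.strip())
        if match and current is not None:
            name, reg_type, data = match.groups()
            entries[current][name] = (reg_type, data)
    return entries


def dependencies(values):
    """Split a service key's DependOnService value into service names."""
    _, data = values.get("DependOnService", ("REG_MULTI_SZ", ""))
    return [dep for dep in data.split("\\0") if dep]


def suspicious_dependencies(entries, known):
    """Return sorted (service, dependency) pairs where a service under
    Services\\ depends on a name that is not in *known*."""
    hits = []
    for key, values in entries.items():
        if "\\Services\\" not in key:
            continue
        tail = key.split("\\Services\\", 1)[1]
        if "\\" in tail:               # sub-key such as ...\Parameters, not a service
            continue
        for dep in dependencies(values):
            if dep not in known:
                hits.append((tail, dep))
    return sorted(hits)


def autoshare_disabled(entries):
    """Names of AutoShare* values set to 0 under LanManServer\\Parameters."""
    found = []
    for key, values in entries.items():
        if not key.endswith("\\Services\\LanManServer\\Parameters"):
            continue
        for name, (reg_type, data) in values.items():
            if name.startswith("AutoShare") and reg_type == "REG_DWORD" and int(data, 16) == 0:
                found.append(name)
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE)
    for service, dep in suspicious_dependencies(parsed, KNOWN_DEPENDENCIES):
        print(f"{service} depends on unknown service {dep}")
    for name in autoshare_disabled(parsed):
        print(f"{name} is 0: administrative shares disabled")
```

Feeding the script the output of reg query /s HKLM\SYSTEM\CurrentControlSet\Services from a suspect host would surface LdmSvc the same way it surfaces it in the constructed sample; an unknown name on which RpcSs or the event log "depends" is precisely the cleanup obstacle the text describes.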

Years earlier, the college's original IT director had decided that all of the
machines (servers, desktops, and laptops) should all have the same password
for the local system administrator account. I assume this decision was insti-
tuted so that we wouldn't have to remember that many passwords, or be
tempted to write them down. However, once the attackers ran pwdump5, giv-
ing them a text file containing the file server's LM and NTLM hashes, it was
the beginning of the end. No doubt, they brute forced the LM hashes offline
with a tool like John the Ripper4 and then had free reign to every machine
under our supervision (including the domain controllers). Game over, they
sank our battleship.
In the wake of this initial discovery, it became evident that Hacker Defender
had found its way onto several of our mission-critical systems and the intrud-
ers were gleefully watching us thrash about in panic. To further amuse

4 http://www.openwall.com/john/

themselves, they surreptitiously installed Microsoft's Software Update Ser-
vices (SUS) on our web server and then adjusted the domain's group policy to
point domain members to the rogue SUS server.
Just in case you're wondering, Microsoft's SUS product was released as a way
to help administrators provide updates to their machines by acting as a
LAN-based distribution point. This is particularly effective on networks that
have a slow WAN link. While gigabit bandwidth is fairly common in American
universities, there are still local area networks (e.g., Kazakhstan) where
dial-up to the outside is as good as it gets. In slow-link cases, the idea is to
download updates to a set of one or more web servers on the LAN, and then
have local machines access updates without having to get on the Internet.
Ostensibly this saves bandwidth because the updates only need to be down-
loaded from the Internet once.
While this sounds great on paper, and the MCSE exams would have you
believe that it's the greatest thing since sliced bread, SUS servers can
become a single point of failure and a truly devious weapon if compromised.
The intruders used their faux SUS server to install a remote administration
suite called DameWare on our besieged desktop machines (which dutifully
installed the .msi files as if they were a legitimate update). Yes, you heard
right. Our update server was patching our machines with tools that gave the
attackers a better foothold on the network. The ensuing cleanup took the
better part of a year. I can't count the number of machines that we rebuilt
from scratch. When a machine was slow to respond, or had locked out a user,
the first thing we did was to look for DameWare.

1.2 First Principles

In the parlance of the UNIX world, the system administrator's account (i.e.,
the user account with the least number of security restrictions) is often
referred to as the root account. This special account is sometimes literally
named "root," but it's a historical convention more than a requirement. Com-
promising a computer and furtively acquiring administrative rights is referred
to as rooting a machine. An attacker who has attained root account privileges
can claim that he's rooted the box.
Another way to say that you've rooted a computer is to declare that you own
it, which essentially infers that you can do whatever you want because the
machine is under your complete control. As Internet lore has it, the proximity
of the letters "p" and "o" on the standard computer keyboard has led some
people to substitute pwn for own.
Semantics
What exactly is a rootkit? One way to understand what a rootkit is, and is not,
can be gleaned by looking at the role of a rootkit in the lifecycle of a network
attack (see Figure 1-1). In a remote attack, the intruder will begin by gather-
ing general intelligence on the targeted organization. This phase of the attack
will involve sifting through bits of information like an organization's DNS
registration and the public IP address ranges that they've been assigned. Once
the Internet footprint of the targeted organization has been established, the
attacker will use a tool like Nmap5 to try to enumerate live hosts, via ping
sweeps or targeted IP scans, and then examine each live host for standard
network services.

[Figure 1-1: the lifecycle of a network attack; the only label recovered from the figure reads "Brute Force Attack (e.g., Rainbow Tables)."]
After attackers have identified an attractive target and compiled a list of the
services that it provides, they will try to find some way to gain shell access.
This will allow them to execute arbitrary commands and perhaps further
escalate their rights, preferably to that of the root account (though, on a Win-
dows machine sometimes being a power user is sufficient6). For example, if
the machine under attack is a web server, the attackers might launch a SQL
injection attack against a poorly written web application to compromise the
security of the associated database server. They can then leverage their
access to the database server to acquire administrative rights. Perhaps the
password to the root account is the same as the database administrator's?
In general, the tools used to root a machine will run the gamut from social
engineering, to brute force password cracking, to getting the target machine

5 http://sectools.org
6 Mark Russinovich, "The Power in Power Users," Sysinternals.com/blog, May 1, 2006.

to run a buffer overflow exploit. There are countless possible avenues of
approach. Books have been written about this process.7 Based on my own
experience and the input of my peers, software exploits and social engineer-
ing are two of the most frequent avenues of entry for mass-scale attacks
against a network.
In the case of social engineering, the user is usually tricked into opening an
e-mail attachment or running a file downloaded from a web site (though there
are policies that an administrator can enforce to help curb this). When it
comes to software exploits, the vendors are to blame. While certain vendors
may pay lip service to security, it often puts them in a difficult position
because implementing security can be a costly proposition. In other words,
the imperative to make a buck and the desire to keep out the bad guys can be
at odds. Would you rather push out the next release or spend time patching
the current one?
Strictly speaking, you don't need to seize an administrator's account to root a
computer. Ultimately, rooting a machine is about gaining the same level of
raw access as the administrator. For example, the System account on a Win-
dows machine, which represents the operating system itself, actually has
more authority than accounts in the Administrators group. If you can exploit a
Windows program that's running under the System account, it's just as effec-
tive as being the administrator (if not more so). In fact, some people would
claim that running under the System account is superior because tracking an
intruder who's using this account becomes a lot harder. There are so many
log entries created by the System that it would be hard to distinguish those
produced by an attacker.
Nevertheless, rooting a machine and keeping root access are two different
things (just like making a million dollars and keeping a million dollars). There
are tools that a savvy system administrator can use to catch interlopers and
then kick them off a compromised machine. Intruders who are too noisy with
their newfound authority will attract attention and lose their prize. The key
then, for intruders, is to get in, get privileged, monitor what's going on, and
then stay hidden so that they can enjoy the fruits of their labor.
This is where rootkits enter the picture. A rootkit is a collection of tools (e.g.,
binaries, scripts, configuration files) that allow intruders to conceal their activity
on a computer so that they can covertly monitor and control the system for an
extended period. A well-designed rootkit will make a compromised machine
appear as though nothing is wrong, allowing attackers to maintain a logistical

7 McClure, Scambray, Kurtz, Hacking Exposed, 5th Edition, McGraw-Hill Osborne Media, 2005.

10 | Part I
Chapter 1 / Setting the Stage

outpost right under the nose of the system administrator for as long as they
wish.
The manner in which a rootkit is installed can vary. Sometimes it's installed
as a payload that's delivered by an exploit. Other times, it's installed after
shell access has been achieved. In this case the intruder will usually use a
tool like wget8 or the machine's native FTP client to download the rootkit
from a remote outpost. What about your installation media? Can you trust it?
In the pathological case, a rootkit could find its way into the source code tree
of a software product before it hits the customer. Is that obscure flaw really a
bug, or is it a cleverly disguised back door that has been intentionally left
ajar?

Rootkits: The Kim Philby of System Software


Harold "Kim" Philby was a British intelligence agent who, at the height of
his career in 1949, served as the MI6 liaison to both the FBI and the newly
formed CIA. For years, he moved through the inner circles of the Anglo-U.S.
spy apparatus, all the while funneling information to his Russian handlers.
Even the CIA's legendary chief of counterintelligence, James Jesus Angleton,
was duped. During his tenure as liaison, he periodically received reports
summarizing translated Soviet messages that had been intercepted and
decrypted as a part of project Venona.9 Philby was eventually uncovered, but
by then most of the damage had already been done. He eluded capture until
his defection to the Soviet Union in 1963.
Like a software incarnation of Kim Philby, rootkits embed themselves deep
within the inner circle of the system (and wield a considerable degree of influ-
ence), where they proceed to feed the executive false information and leak
sensitive data to the enemy. In other words, rootkits are usually employed to
provide three services:
• Concealment
• Command and control (C2)
• Surveillance
Without a doubt, there are packages that offer one or more of these features
that aren't rootkits. Remote administration products like OpenSSH,10
GoToMyPC by Citrix, and Windows Remote Desktop are well-known stan-
dard tools. There's also a wide variety of software packages that enable

8 http://www.gnu.org/software/wget/
9 http://www.nsa.gov/venona/index.cfm
10 http://www.openssh.org/


monitoring and data exfiltration (e.g., Spector Pro and PC Tattletale). What
distinguishes a rootkit from other packages is that it facilitates both of these
features, and it allows them to be performed surreptitiously. When it comes
to rootkits, stealth is the primary concern. Regardless of what else happens,
you don't want to catch the attention of the system administrator. Over the
long run, this is the key to surviving behind enemy lines. Sure, if you're in a
hurry you can crack a server, set up a telnet session with admin rights, and
install a sniffer to catch network traffic. But your victory will be short lived if
you can't conceal what you're doing.

> Note: When it comes to defining a rootkit, try not to get hung up on
implementation details. A rootkit is defined by the services that it provides
rather than by how it realizes them. This is an important point. Focus on the
end result rather than the means. If you can conceal your presence on a
machine by hiding a process, so be it. But there are plenty of other ways
to conceal your presence, so don't assume that all rootkits hide processes
(or some other predefined system object).

The remaining chapters of this book investigate the three services men-
tioned above, though the bulk of the material covered is focused on
concealment: finding ways to design a rootkit and modifying the operating
system so that you can remain undetected.

Aside
In military parlance, a force multiplier is a factor that significantly
increases the effectiveness of a fighting unit. For example, stealth
bombers like the B-2 Spirit can attack a strategic target without
the support aircraft that would normally be required to jam radar,
suppress air defenses, and fend off enemy fighters. In the domain
of information warfare, rootkits can be viewed as such - a force
multiplier. By lulling the system administrator into a false sense of
security, a rootkit facilitates long-term access to a machine and
this, in turn, translates into better intelligence.


Who Is Using Rootkit Technology?


"Ignorance is never better than knowledge."
- Enrico Fermi
Some years back, I worked with a WWII veteran of Hungarian descent who
observed that the moral nature of a gun often depended on which side of the
barrel you were facing. One might say the same thing about rootkits. In my
mind, a rootkit is what it is. Asking whether rootkits are inherently good or
bad is a ridiculous question. I have no illusions about what this technology is
used for and I'm not going to try and justify, or rationalize, what I'm doing by
churching it up with ethical window dressing. As an author, I'm merely acting
as a broker and will provide this information to whoever wants it.
The fact is that rootkit technology is powerful and potentially dangerous. Like
any other tool of this sort, both the sides of the law take a peculiar (almost
morbid) interest in it.

The Feds
Historically speaking, rootkits were originally the purview of Black Hats.
Recently, however, the Feds have also begun to find them handy. For exam-
ple, the FBI developed a program known as Magic Lantern which, according
to reports,11 could be installed via e-mail or through a software exploit. Once
installed, the program surreptitiously logged keystrokes. It's likely that they
used this technology, or something very similar, while investigating reputed
mobster Nicodemo Scarfo Jr. on charges of gambling and loan sharking.12
According to news sources, Scarfo was using PGP13 to encrypt his files and
the FBI would've been at an impasse without the encryption key. I suppose
one could take this as testimony to the effectiveness of the PGP suite.

The Spooks
Though I have no hard evidence, it would probably not be too far a jump to
conclude that our own intelligence agencies (CIA, NSA, DoD, etc.) have been
investigating rootkits and related tools. In a 2007 report entitled Cybercrime:
The Next Wave, antivirus maker McAfee estimated that some 120 countries
were actively studying online attack strategies. The Chinese, specifically,
were noted as having publicly stated that they were actively engaged in pur-
suing cyber-espionage.

11 Ted Bridis, "FBI Develops Eavesdropping Tools," Washington Post, November 22, 2001.
12 John Schwartz, "U.S. Refuses to Disclose PC Tracking," New York Times, August 25, 2001.
13 http://www.gnupg.org/


The report also quoted Peter Sommer, a visiting professor at the London
School of Economics as saying: "There are signs that intelligence agencies
around the world are constantly probing other governments' networks look-
ing for strengths and weaknesses and developing new ways to gather
intelligence." Sommer also mentioned that "Government agencies are doubt-
less conducting research on how botnets can be turned into offensive
weapons."
Do you remember what I said earlier about rootkits being used as a force
multiplier?
State sponsored hacking? Now there's an idea. The rootkits that I've dis-
sected have all been in the public domain. Many of them are admittedly dicey,
proof-of-concept implementations. I wonder what a rootkit funded by a
national security budget would look like. Furthermore, would McAfee agree
to ignore it just as they did with Magic Lantern?
In its 2008 Report to Congress, the U.S.-China Economic and Security
Review Commission noted that "China's current cyber operations capability
is so advanced, it can engage in forms of cyber warfare so sophisticated that
the United States may be unable to counteract or even detect the efforts."
According to the report, there were some 250 different hacker groups in
China that the government tolerated (if not openly encouraged).
National secrets have always been an attractive target. The potential return
on investment is great enough that they warrant the time and resources nec-
essary to build a military-grade rootkit. For instance, in March of 2005 the
largest cellular service provider in Greece, Vodafone-Panafon, found that four
of its Ericsson AXE switches had been compromised by a rootkit.
The rootkit modified the switches to both duplicate and redirect streams of
digitized voice traffic so that the intruders could listen in on calls. Ironically,
they leveraged functionality that was originally in place to facilitate legal
intercepts on behalf of law enforcement investigations. The rootkit targeted
the conversations of over 100 highly placed government and military officials,
including the prime minister of Greece, ministers of national defense, the
mayor of Athens, and an employee of the U.S. embassy.
The rootkit patched the switch software so that the wiretaps were invisible,
none of the associated activity was logged, and the rootkit itself was not
detectable. Once more, the rootkit included a back door to enable remote
access. Investigators reverse-engineered the rootkit's binary image to create
an approximation of its original source code. What they ended up with was


roughly 6,500 lines of code. According to investigators, the rootkit was imple-
mented with "a finesse and sophistication rarely seen before or since."14

The Suits
Finally, business interests have also found a use for rootkit technology. Sony,
in particular, used rootkit technology to implement Digital Rights Manage-
ment (DRM) functionality. The code, which installed itself with Sony's CD
player, hid files, directories, tasks, and registry keys whose names begin with
$sys$.15 The rootkit also phoned home to Sony's web site, disclosing the
player's ID and the IP address of the user's machine. After Mark
Russinovich, of System Internals fame, talked about this on his blog the
media jumped all over the story and Sony ended up going to court.
When the multinationals aren't spying on you and me, they're busy spying on
each other. Industrial espionage is a thriving business. During the fiscal year
2005, the FBI opened 89 cases on economic espionage. By the end of the
year they had 122 cases pending. No doubt these cases are just the tip of the
iceberg. According to the Annual Report to Congress on Foreign Economic
Collection and Industrial Espionage - 2005, published by the office of the
National Counterintelligence Executive (NCIX), a record number of countries
are involved in pursuing collection efforts targeting sensitive U.S. technology.
The report stated that much of the collection is being done by China and
Russia.

1.3 The Malware Connection


Given the effectiveness of rootkits, and their reputation as powerful tools, it's
easy to understand how some people might confuse rootkits with other types
of software. Most people who read the news, even technically competent
users, see terms like "hacker" and "virus" bandied about. The subconscious
tendency is to lump all these ideas together, such that any potentially danger-
ous software module is instantly a "virus."
Walking through the corporate cube farm, it wouldn't be unusual to hear
someone yell out something like: "Crap! My browser keeps shutting down
every time I try to launch it, must be one of those damn viruses again."

14 Vassilis Prevelakis and Diomidis Spinellis, "The Athens Affair," IEEE Spectrum Online,
July 2007.
15 Mark Russinovich, "Sony, Rootkits and Digital Rights Management Gone Too Far,"
Sysinternals.com, October 31, 2005.


Granted, this person's problem may not even be virus related. Perhaps all
that is needed is to patch the software. Nevertheless, when things go wrong
the first thing that comes into the average user's mind is "virus."
To be honest, most people don't necessarily need to know the difference
between different types of malware. You, however, are reading a book on
rootkits and so I'm going to hold you to a higher standard. I'll start off with a
brief look at infectious agents (viruses and worms), then discuss adware and
spyware. Finally, I'll complete the tour with an examination of botnets.

Infectious Agents
The defining characteristic of infectious software like viruses and worms is
that they exist to replicate. The feature that distinguishes a virus from a worm
is how this replication occurs. Viruses, in particular, need to be actively exe-
cuted by the user, so they tend to embed themselves inside an existing
program. When an infected program is executed, it causes the virus to spread
to other programs. In the nascent years of the PC, viruses usually spread via
floppy disks. A virus would lodge itself in the boot sector of the diskette,
which would run when the machine started up, or in an executable located on
the diskette. These viruses tended to be very small programs written in
assembly code.16
Back in the late 1980s, the Stoned virus infected 360 KB floppy diskettes by
placing itself in the boot sector. Any system that booted from a diskette
infected with the virus would also be infected. Specifically, the virus loaded by
the boot process would remain resident in memory, copying itself to any
other diskette or hard drive accessed by the machine. During system startup,
the virus would display the message: "Your computer is now stoned."
Once the Internet boom of the 1990s took off, e-mail attachments,
browser-based ActiveX components, and pirated software became popular
transmission vectors. Recent examples of this include the ILOVEYOU
virus,17 which was implemented in Microsoft's VBScript language and trans-
mitted as an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs. Note how
the file has two extensions, one that indicates a text file and the other that
indicates a script file. When the user opened the attachment (which looks like
a text file on machines configured to hide file extensions) the Windows Script
Host would run the script and the virus would be set in motion to spread

16 Mark Ludwig, The Giant Black Book of Computer Viruses, 2nd Edition, American Eagle
Publications, 1998.
17 http://us.mcafee.com/virusinfo/default.asp?id=description&virus_k=98617
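The double-extension trick described above, where an attachment named to read as a text file is really a script that the Windows Script Host will run, lends itself to a simple defender-side check on incoming attachment names. The following Python is an added example written for this edition; it is not code from the book or from any vendor. The two extension lists, the sample attachment names, and the "hide known extensions" display logic are constructed assumptions for illustration rather than an authoritative catalogue of file types.

```python
"""Flag attachment names that use a disguised double extension.

Added example (not from the book): a defender-side check for names such
as LOVE-LETTER-FOR-YOU.TXT.vbs, which read as a text file when Windows
hides known extensions but are handed to the Windows Script Host.
The extension sets below are illustrative assumptions, not a complete list.
"""
import os

# Extensions a user reads as harmless documents or media (assumption).
BENIGN_LOOKING = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".png",
                  ".gif", ".mp3", ".xls"}

# Extensions the Windows shell executes or passes to a script host (assumption).
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
              ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}


def split_extensions(name: str) -> list[str]:
    """Return every dotted suffix of a file name, lower-cased, in order.
    'a.txt.vbs' -> ['.txt', '.vbs']; 'readme' -> []."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:] if p]  # parts[0] is the stem


def is_disguised(name: str) -> bool:
    """True when the final (real) extension is executable and an earlier
    extension looks like a document: the name is built to look harmless
    once the shell hides the last extension."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return False
    real, decoys = exts[-1], exts[:-1]
    return real in EXECUTABLE and any(d in BENIGN_LOOKING for d in decoys)


def displayed_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types'
    enabled: the last extension is dropped. Assumes every extension in the
    two sets above counts as a known type."""
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in EXECUTABLE | BENIGN_LOOKING else name


def triage(names):
    """Return (real_name, shown_as) for each disguised attachment name."""
    return [(n, displayed_name(n)) for n in names if is_disguised(n)]


# Constructed sample attachment names for the demonstration.
SAMPLE_ATTACHMENTS = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",   # the ILOVEYOU pattern from the text
    "quarterly-report.pdf.exe",
    "invoice.PDF.scr",
    "holiday.jpg",
    "notes.txt",
    "backup.tar.gz",                 # two extensions, but nothing executable
    "setup.exe",                     # executable, but not disguised
]

if __name__ == "__main__":
    for real, shown in triage(SAMPLE_ATTACHMENTS):
        print(f"shown as {shown!r:32} is really {real!r}")
```

The check deliberately keys on the last extension, because that is the one the shell acts on; a name like backup.tar.gz has two suffixes but is not flagged, and a bare setup.exe is executable but not disguised, so it is left to other controls. Running the script prints the three constructed names that would be misread once known extensions are hidden.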

matter for Easter as well; and the long and short of it is this,
Maureen, that you have to put up with the old Colonel until the
warm weather comes and your Uncle returns. For when he finds
Egypt too hot, he is ordered by the doctors to go to different parts
of Switzerland, and the news of him is just of the very best. I have a
letter in my pocket for you, Maureen, written by himself with orders
that I should give it to you on Christmas Day if it was suitable."
"Is this Christmas Day?" cried Maureen.
"Why, yes, baby; have you forgotten everything? I wanted to bring
you up some plum-pudding, but Nurse Cecilia wouldn't allow it.
She's something of a tyrant is that woman, though she's a first-rate
nurse."
"Indeed, she is; and so is Nurse Nora," said the child. "Oh, have I
indeed forgotten so much, and has the time gone by at such a rate
—and aren't you—aren't you sick of me, dear Colonel?"
"Well, this is about the tune of the thing," said Colonel Herbert: "I
have taken a sort of fancy to you! Oh, there, child, for the Lord's
sake! What are you doing?" For Maureen had slipped off her couch
and had twined her weak little arms round the Colonel's neck, and
given the confirmed old bachelor the first kiss he had ever received
since his mother died.
"Child, child, you'll faint, or something awful will happen!"
"No, I won't. I'm not a bit fainty. I want to tell you that I love you"—
here came a kiss—"and you love me"—another kiss.
"To be sure, pushkeen."
"Then that's all right. Put me back on the sofa, dear Colonel, and
then give me Uncle Pat's letter, and then go away, please; only
before you go, will you promise me one thing?"
"What is that, acushla machree?"
"I want you to come to me every day as you have come to-day until
I am well enough to go to you, for we have just an awful lot to do
and talk over before Uncle Pat comes back. Will you promise me,
dear Colonel?"
"Yes, child. God help me, I think I'd promise you anything."
"Then that's all right and I am happy. I think I am about the
happiest little girl in the world. I don't seem to have a care anywhere
at all—only, please, my letter!"
"Yes, baby, only don't for goodness' sake, go and cry over it."
"You don't like cry-babies either," said Maureen.
"Of course not; they are detestable."
"Now my letter, please. Whatever you find in me, you won't find me
a cry-baby."
The Colonel dropped a little packet into the child's hands and softly
left the room.
"'Pon my word," he muttered to himself. "'Pon my word. I never
could abide a wife, but a child like that of my very own, I could put
up with her—'pon my word!"
Maureen lay for a few minutes after Colonel Herbert had left her
with the unopened packet clasped in her two little white hands; and
her eyes looked brighter than ever and her cheeks more rosy. In the
packet were first of all quantities of enormous violets, which could
be put into warm water and would revive by-and-by. Then there
came two letters, one from Dominic and one from Uncle Pat.
Uncle Pat's letter was rather short. It ran somewhat as follows:

"Best of Darlings:—I get grand news of you from that fine fellow,
Herbert, and if you are well enough to receive my Christmas
greeting, here it is for you! The violets are from Dom. He's
turning into a grand lad, and talks French to the manner born.
Oh, what stories I shall have to tell you when I come home, for,
Maureen—dear little Maureen—I am getting well. Each day I
feel stronger. I am quite certain that with God's help I shall be
with you when the long days come round again, and then what
'lashins' we'll have to talk to each other. Meanwhile, it is thought
best for you to stay with the Colonel. You must be very sweet to
him, and not bother him more than you can help; but you might
ask him to lend you some books, for he has got quantities, and
he is quite a famous Egyptologist, and you will like to know
about the place where I am now regaining my health.
"God bless you, my darling. God above keep you!
Uncle Pat."
"P.S.—I send you a cheque for £500 to do what you like with."

The other letter was also short, but it seemed to go straight into
Maureen's heart:

"Hurrah, playmate, good news—the best! The pater is getting
well. We're having a right jolly time in this jolly place, and if you
were with us it would be nothing short of perfection. I never did
see such a magnificent country as Egypt. Oh, Maureen, the blue
of the sky! And, oh, the soft delicious feel of the air; and no
thought of rain, for of course it never rains. One day a week ago
I went out and saw the three pyramids. I went out with a boy I
came across, and he explained everything to me. He is a jolly
sort, and his name is Oliver. There was the Great Pyramid with
its steps, and we climbed it—every single step up to the top,
and the two smaller pyramids; but the most wonderful thing of
all was the Sphinx. I can't describe her to you except that she
looked inscrutable and wise with all the wisdom of all the ages.
There was a majesty about her; but there, I can't write
tommyrot. We had tea afterwards at the Meena House Hotel,
and then we came back in the cool of the evening. Oh,
Maureen, the world is a big, big place, and I want to be a big
traveller and see every inch of it. Good-bye for the present, my
little darling.—Your loving old Dom."
CHAPTER VII.
HAPPINESS.

There come in life moments, perhaps hours, perhaps days, perhaps
even months of perfect bliss, and this glorious happening—these
sunshiny days, hours, and months—came to little Maureen O'Brien
while she lived with Colonel Herbert. She had undoubtedly had a
most severe shock, and as her illness had been long and dangerous,
so undoubtedly was her recovery somewhat tedious; but by degrees
her little larklike voice could be heard singing about the house; and
then all kinds of indescribable changes took place at Rathclaren. It
was a handsome and stately home before Maureen arrived there,
but now it became a beautiful home. The Colonel could not quite
make out what had altered it. He did not know that a great nest of
daffodils in a certain corner of his vast library made the room all
aglow with light. He could not guess why the piano began to sound
in the old-fashioned drawing-room, and why a pretty soft voice sang
all kinds of old-fashioned songs—"The Dark Rosaleen" for one, "The
Wearing o' the Green" for another, and Moore's inimitable melodies—

"Oh, there's nothing half so sweet in life
As love's young dream!"

The Colonel had heard those words ages ago, and he now crept
cautiously into the drawing-room and stood behind the little singer.
Certainly her voice was not strong, but it was at that stage of her
growth a high soprano, and very clear and very true, so when she
sang "When Malachi Wore His Collar of Gold," "The Vale of Avoca,"
"Believe Me, if all those Endearing Young Charms," "The Minstrel
Boy," "Those Evening Bells," "Rich and Rare Were the Gems She
Wore," "The Last Rose of Summer," and "The Harp that Once
Through Tara's Halls," the Colonel felt as though he were living in a
new world.
When he discovered Maureen's gift he did not get the piano tuned,
which most men would have done, but got a beautiful new boudoir
grand put in its place; and a master came twice a week from
Kingsala to train a voice that needed no training, for it was Nature's
voice, just as the birds' voices are. Thus the Colonel was intensely
happy. The days sped by, and Maureen's passion for music was
gratified. Evening after evening the "dear Colonel" and Maureen
used to enjoy those incomparable melodies together, the child
singing her heart away, the man listening, never speaking, never
praising, but with his own heart full to the brim of love for this queer
little creature. He loved to spend money on Maureen, and consulted
his excellent housekeeper, and bought the child suitable frocks and
pretty jackets and hats, and when she was strong enough he took
her out riding with him.
The first ride was a bit of a trial to the child, for she could not help
thinking of poor step-auntie and The O'Shee, but after that she
enjoyed herself immensely. To the astonishment of the Colonel, he
found that he had to teach her nothing. She could ride by a sort of
instinct; she was part of her horse. He got her a dark Lincoln green
habit, and a little green velvet cap with a heron's feather in it; and
no sweeter sight could have been seen than the little maid and the
elderly man as they crossed country side by side.
She could ride by a sort of instinct; she was part of her horse.—Page 85.
But the Colonel knew what Maureen did not, that this golden time in
his life was but an episode, that Maureen did not belong to him, and
that soon—ah! too soon—the sweet presence and the voice like a
bird's, and the lovely brown eyes, would leave Rathclaren and go
back again to old Templemore, where Dominic and his father would
be anxiously waiting for her.
While these things were happening at Rathclaren and Maureen by
no effort at all on her part was making herself the idol of the entire
establishment, the Rector—dear man!—was making leaps and
bounds towards health. The feeling of health was in his veins, the
keenness of health was in his eyes. Egypt had begun to save him,
and Switzerland—selected parts, of course—did the rest of the
business. He would certainly be able to return to his parish duties in
the early summer, just when Templemore was in its prime, when the
fat kine were prosperous, and the lean kine had disappeared for the
present.
The Rector was by no means sorry to live. He had been content to
die—God's will was his—and he never struggled against the
inevitable; but now that earthly life was really restored to him in the
most marvellous and unexpected way, he gave himself up to the
enjoyment of it. His wife's will troubled him, however, not a little. At
first, that is, immediately after her death, it troubled him profoundly,
but then Maureen's severe illness caused every thought, except of
her, to fade from his mind; but when she got better and the danger
passed away, the Rector's conscience smote him very hard with
regard to the will. He went to see Murphy at Kingsala, he went to
see O'More and Walters, and he said the same thing to each and all,
"That will ought not to be acted on. My poor wife died through an
accident. Had she lived she would have altered her will, for she told
me so just before her death, poor dear. In fact, I was supposed to
know nothing of this will, which was made just before our marriage,
when she fancied she loved me; but she certainly told me most
distinctly quite lately that all her money would belong to her own
two daughters. Then she was killed—you know how. The will turned
up. You had a copy, O'More, and we have heard from Debenham
and Druce; but I cannot possibly see how we can act upon it—I
mean as gentlemen and Christians. We take advantage of a terrible
accident to destroy all my poor wife's hopes with regard to her girls."
Then Murphy said, "Now whist awhile, your Reverence, and I'll come
and see you in a few days at Templemore. This requires thinking
over. These aren't the days of chivalry, O'Brien, my man. Go home,
rest quiet, be thankful the life of the little one is spared, and do
nothing until you see me, for I'll come over to Templemore one fine
morning, and have a bit of news for you as like as not."
The Rector waited with what patience he could, and the longer he
waited the more sensitive did his conscience become. But at last, to
his unbounded amazement, Dominic rushed in to inform him that an
outside car was coming down the avenue, and there were four men
on it, to say nothing of the driver; and when the four men stepped
into the old house, which looked most sadly shabby without
Maureen's care, the Rector found himself in the presence of Murphy
the lawyer, of Mr. O'More, Mr. Walters, and of Mr. Debenham, head
of the great firm of solicitors in Chancery Lane.
Now these men began at once to talk to the Rector, and they talked
in a wonderfully convincing way. Their argument was this: First and
foremost, the late Mrs. O'Brien had very much undervalued her
property, which amounted not to fifty thousand pounds, but after all
death duties had been paid would represent the very comfortable
figure of between eighty and ninety thousand pounds. This money,
by the lady's desire, had remained untouched since her second
marriage, and the lawyers, Debenham and Druce, by wise
investments had increased the original capital very much. How by
the terms of the will this sum was to be divided in equal portions
among Mrs. O'Brien's two daughters, the Misses Mostyn, the Rector's
three children and his niece, Maureen O'Brien, and further, an equal
share was to be given to the Rector himself.
"That is precisely how the will stands, Mr. O'Brien," said Debenham,
in his extremely refined English voice, "and as all the inheritors, with
the exception of yourself, are much under age, nothing whatsoever
can be done to alter it until your youngest child comes of age. Now I
drew up this will for the late Mrs. O'Brien. She was most sincere in
her wish at the time that you and yours should share her wealth
with her own two daughters. The fact is, the late Mostyn was old
enough to be her father. He was a city merchant and made his pile,
although it amounted to nothing like what he would have made, had
he not been suddenly stricken down by apoplexy. His wife and he led
a cat-and-dog life together, and I think his death was a great relief
to the poor woman. Anyhow, be that as it may, Mr. O'Brien, you can
part with your share of the property if you like, but the portions set
aside for the children cannot possibly be interfered with. I and my
partner are trustees for the children's share of the property, and I
shall provide them with ample means, which the will allows for their
education, until they each come of age; more I cannot do. They will
each be fairly well off, and I should strongly advise you, Mr. O'Brien,
to take your own share and make no bones about it. The whole
thing seems to me to be an interposition of Providence to prevent an
angry and irresponsible woman from carrying out her designs. You
will all be comfortably off, and I think if she could speak to you now,
she would beg of you not to make your family unhappy by refusing
to receive your share of the profits. After all, Mr. O'Brien, it was you
she loved when she made the will. She did not know the children."
"God help me!" said Mr. O'Brien. "Poor Constance, I never
understood her! If you really think it would please her, sirs——"
"Please her—naturally it would please her!" said O'More.
"And I shall not require it long," continued the Rector, who little
guessed on that sorrowful day that he was to become quite well
once more.
"There is a provision made for that in the will, sir," said Mr.
Debenham, "which gives your share in equal proportions to the six
children, so I do not see how in any case you can touch it or
interfere with it. That's a fine boy of yours," continued Debenham. "I
rather guess that he will make money of his own, and not require
any help from any one."
All these things happened while Maureen was ill, and she naturally
knew nothing about them, and nothing whatever about the little
fortune which had been left her by step-auntie; but as the days flew
on, and April followed March and May followed April, more and more
deeply did Colonel Herbert hate that will, for if it were not in
existence he would simply force O'Brien to give him Maureen to be
his forever, to share his money, his love, and his home.
How it so happened that while the Rector was coming by leaps and
bounds back again to life and health, two girls at school were
mourning not so much for their mother, who, as a matter of fact,
they did not like, but because they were not the heiresses they had
hitherto called themselves to their schoolfellows.
Mr. Debenham called to see these girls, one day, at their showy
school near Dublin. They were like each other, and painfully like the
dead woman. The lawyer could not help uttering a quick sigh when
he saw them. Henrietta was the taller and stronger of the two. She
was what might be described as a "bouncing young maid," very
much developed in figure, with her mother's fiery blue eyes and her
mother's auburn hair which tended to red. That hair was all fluffy
and curly and untidy about her head. She was not a pretty girl; she
had too many freckles for that; and her nose had a little tilt up at the
end, which gave to Henrietta Mostyn a particularly impertinent
appearance. Daisy was very like her sister, but with a difference; her
eyes were smaller and closer together, she had a cunning look about
her, and her hair was of a flaxen shade without a touch of gold in it.
Her eyebrows were the same colour as her hair, and her eyelashes
were white. She was altogether the sort of girl whom you would
rather not know, for there was a cunning, deceitful expression about
her face, which no effort on her part could conceal.
"Well, so we are robbed," said Henrietta. "Poor mumsie-pumsie went
to smash, and we are robbed. That's a nice look-out. Of course,
you'll manage, Mr. Debenham, that those horrid O'Briens don't get
our money."
"They shan't get your money, Miss Mostyn," said the lawyer, "but
they'll get their own."
"Whatever do you mean by that? Then we do get mumsie's fortune.
I said so to Daisy last night. When I want to tease her I call her
Dysy."
"I don't think I care to listen to your remarks," said Mr. Debenham.
"Your poor mother died in a very terrible way."
"Oh, don't tell me, or I'll shriek," said Daisy. "Hold me, Henny, hold
me, Henny; I'll shriek!"
"Silly child," said the lawyer, "have you no self-control? I have
spoken to the head-mistress of your school, Mrs. Henderson, and
she understands that owing to circumstances you are not to remain
here after the summer holidays. That is the wish of your step-father
and guardian, the Reverend Patrick O'Brien. You will probably be
sent to another school, which I will recommend."
"But our money—the chink," said Daisy; "that's the main thing."
"You get your share, Miss Daisy. Your mother's money is divided into
seven portions. Until you come of age, or marry, a certain portion
will be spent on your education. After that the capital will be yours
to do as you wish with. You each of you have, roughly speaking,
about thirteen thousand pounds."
"Is that all?" cried Henrietta. "Why, mumsie said that we were
heiresses!"
"You are, to that extent."
"But she said we should have at least fifty thousand between us,
and she was going to bring us out in Dublin, and we were going to
have no end of larks. What do you mean by saying that we'll have
thirteen thousand pounds each?"
"How old are you, Miss Mostyn?"
"We are both of us fifteen," said Daisy. "Twins, dear little twins. But
please tell us, we want to know what has become of all the rest of
mumsie's money?"
"She left her entire property," said the lawyer, "to be divided into
seven portions. These portions were to be divided between
yourselves, Mrs. Mostyn's second husband, the Reverend Patrick
O'Brien, his three children, and his dear little niece. None of you can
touch the capital until you come of age. Kitty O'Brien is at present
only six. Her portion, therefore, will in all probability be the largest,
as there will be a greater time for it to accrue. By the way, your
mother made one provision, which I rather fought against, but she
was determined. You are not any of you to come of age until you are
twenty-five."
"Good gracious!" exclaimed Henny.
Daisy burst into tears.
"I'll be a beastly old maid by then," she sobbed.
"Well, good-bye, children, good-bye. Your poor mother is gone, and
you must make the best of what is to you a bad job. But you have
got a delightful step-father, who will do his utmost for you so as to
bring you up in the fear of God, and I am sure you cannot help liking
his dear children."
"If you mean that I am going to like that beastly little niece, you're
fine and mistook, Mr. Lawyer," said Daisy. "I think you are a horrid
man, and I believe, I really do, that you forged that will."
"Good-bye, girls, and don't be silly," said Debenham.
He said to himself as he took his seat in his motor-car: "Poor
O'Brien, I thought his troubles were ended; but I really do not think
I ever saw a more unpleasant pair of girls than the Mostyns. Their
mother over again, only worse. Thank goodness, I've saved O'Brien
from making a fool of himself. That saintly sort of person often does
that kind of thing. That poor, dear, brave little girl, I'm afraid, will
have an awful time when the Mostyns go to Templemore. Why, the
face of the one they call Daisy is as sly and as full of mischief as a
monkey's."
CHAPTER VIII.
SUMMER WITH AN EAST WIND.

The Rector had given directions that Templemore was to be re-painted
and re-papered and to a certain extent re-furnished for his
return. He was expected home on the first of June, that day of all
days, when spring has not quite died away and summer has touched
everything with her golden wings. Maureen and Colonel Herbert met
the travellers when they entered the old house, and Maureen flung
her arms round Uncle Pat's neck and kissed him over and over
again. She kissed Dominic, too, but she was mostly taken up with
Uncle Pat.
"Why, you look quite well; I do declare, you look young," said
Maureen.
"And you, my dearest baby," replied the Rector, "I never saw you
look better before."
"Oh, that's all owing to 'dear Colonel,'" said Maureen. "He is a
darling. He doesn't much like my leaving him, but you come first,
dearest, most dear."
"Yes, I come first, little girl," said the Rector.
He glanced at the Colonel as he spoke, and saw a shadow on his
brow and a curious blue look round his lips, and it suddenly flashed
upon the Rector that perhaps he was selfish in keeping Maureen;
but he must keep her now, he felt he must. Was she not his twin-
brother's only child, and was there not money enough now for
everything? Money certainly was a power.
The Rector went up to the Colonel and began to thank him, but the
Colonel interrupted him.
"None of that, dear old man. I'm the sort of person who cannot bear
thanks from anyone; not even from her, blessed angel. By the way, I
have bought her a horse—'Fly-away' by name. He's a thoroughbred
Arab, and I have sent his own groom with him. It would give me
sincere pleasure, Rector—unspeakable pleasure—if you would let me
pay all the expense of Fly-away and groom."
The Rector paused before he replied; then he said slowly, "It shall be
as you wish."
"I'll ride over to-morrow," said the Colonel, "and take Maureen for a
scamper across country. Oh, by the way, she has got a nice little
pipe of her own—not developed, of course—but it will be something
very good, by-and-by. She sings at present as the birds sing, and
you will find my present to her in the shape of a Blüthner grand in
your drawing-room. Now I will say good-bye.—Maureen, acushla,
one kiss. I'm coming back to-morrow."
"Yes, 'dear Colonel,' yes," said Maureen, and she pressed the
withered cheek several times with her rosy lips, and the Colonel
went away, a sadly broken-down man, although he had made such
tremendous efforts to show nothing.
"Why, Maureen, my blessing," said the Rector, "you have won
Colonel Herbert's heart. He's a right good, gentlemanly fellow, one
of the best in the county. Everyone has hitherto supposed that his
heart was made of iron, but you—you have changed all that."
"No, it isn't me; it is his dear self," said the child, "and he hasn't a
heart of iron, my Colonel, but a soft heart, very gentle. I think I love
him next best to you and Dominic out of all the world. He has been
so good to me while you were away. But now let's be happy. Oh,
hurrah! This is a good world. Dear old Templemore! Come for a
walk, Uncle Pat.—Come along, too, Dom.—We must see the fruit
garden and the place where the periwinkles will soon be in full
blossom. They are in bud now, but soon they'll be in blossom. Oh,
what wonderful, amazing things have happened during this past
year! God has given you back your life, my darling."
"Yes, Maureen," said the Rector, "and to see you, my little blessing,
looking as you do, is the crowning touch to my bliss."
"I wish Kitty and Denis were here," said Maureen.
"They are coming in a week's time," replied the Rector; "and in
about ten days from now their step-sisters will arrive."
"Oh," said Maureen, "the girls that step-auntie was always talking
about?"
"Yes, the same. They are pretty much about your age, Maureen—a
little older if anything. I have not seen them yet."
"We must be very good to them," said Maureen.
"Yes, acushla, yes. What a big family we'll be, with all you young
ones trotting about, and the Colonel and I—a pair of old fogies,
bedad!—watching you at your games."
"Indeed, no; nothing of that sort," said Maureen. "You'll join in our
games, for you are quite young again, and my Colonel isn't old. I
have taught him to play hide-and-seek, and he loves it. There is
nothing like play to keep people young. I shouldn't be a bit surprised
if Pegeen joined in some fine morning. She is the only really old
person in the house. But now, Uncle, please tell me all about step-
auntie's girls."
"I can't tell you anything, darling, for I have not seen them. Even
when, long ago—at least, it is five years ago now—when I asked
their poor mother to marry me, the girls were at school, and she
never would allow them to come home for the holidays. I
disapproved, but now all that is changed, for I am their guardian as
well as their step-father."
"I wonder if they'll be nice," said Maureen. "We ought to give them a
very pretty bedroom, Uncle Pat."
"I thought their poor mother's room—it is the best in the house and
the best furnished; and you can make it look very charming for them
by the time they arrive, Maureen."
"You may be certain sure of that," said Maureen, and she clasped
her little hands tightly and looked with her loving eyes full at Uncle
Pat.
The Colonel arrived the next day and took Maureen for a long ride
on Fly-away, and then Maureen insisted on his staying to dinner,
which she had herself prepared with the help of Pegeen, who of
course worshipped the "swate asthore."
Afterwards Maureen sang several old Irish songs, and a boy and two
men listened and wondered. How gay and true and clear was that
voice. The Colonel could not help sighing as he got up to go back to
his solitary home.
"If only I had a child of my own," he thought, but he kept his
thoughts to himself.
The weather was as fine this year as it had been last, and Denis and
Kitty arrived all in due course, perfectly wild with rapture and
enthusiasm. Then one day, quite unexpectedly, an outside car of the
very shabbiest make was seen trundling down the avenue. From the
car leaped a girl with flaxen hair and another girl with red hair, and
the girl with flaxen hair flew at Uncle Pat and flung her arms round
his neck and said, "Why, dad, dad, dear old dad! It is good to see
you. Let's have a good hug. I'm Daisy, you know—called Dysy when
I'm naughty—and this here is Henny-penny."
The girl with red hair was not as demonstrative as the flaxen-haired
Daisy; her eyes had a cruel look in them, and her mouth was loose
and ugly.