Professional Rootkits (Programmer to Programmer)

The common convention used to pass data between threads is the semaphore guarded linked list. This technique requires the use of the following functions:

• PsCreateSystemThread

• PsTerminateSystemThread

• InitializeListHead

• KeInitializeSemaphore

• KeWaitForSingleObject

• KeInitializeSpinLock

• ExInterlockedInsertTailList

• ExInterlockedRemoveHeadList

PsCreateSystemThread and PsTerminateSystemThread are used to start and stop the passive-level thread. InitializeListHead is used to initialize shared data storage. KeInitializeSemaphore and KeWaitForSingleObject are used to synchronize access to shared data storage. Finally, KeInitialize SpinLock , ExInterlockedInsertTailList, and ExInterlockedRemoveHeadList are used to transfer data to and from shared storage.