Professional Rootkits (Programmer to Programmer)
We now have a rootkit that does the following:
- Hides its device driver entry
- Hides its configuration file
- Hooks the operating system kernel
- Hooks selected processes loaded by the operating system
- Processes commands sent from user mode applications
- Communicates with a remote controller
Though this chapter only details the initial remote control connection, it should be enough to get started. Once a connection is initiated, a polling routine can check for remote commands, and a command parsing routine can provide the remote controller with any desired functionality. The next chapter introduces filter drivers.