Using DeviceIoControl


Rootkits implemented as device drivers often require the capability to communicate with external user mode applications. These external applications use a different stack and different memory; they have access to different functions and operate at different privilege levels. Communication between device drivers and applications must be performed through a channel that is not affected by these differences. This communication channel is provided by the DeviceIoControl function. Figure 5-1 shows basic I/O.

image from book
Figure 5-1

The example detailed in this chapter will add an on/off switch to the rootkit. The on/off switch will be controlled by a standard Windows console application that communicates with the rootkit through DeviceIoControl. DeviceIoControl will also be required within the injected function (added in Chapter 4) called before the original PGP encryption function. This enables the injected function to check the state of the on/off switch to determine whether processing should be allowed or blocked.

The functionality required to control the rootkit locally has been implemented by creating three new files and modifying four existing files.

The new files are as follows:

  Controller.c IoManager.c IoManager.h 

Following are the modified files:

  Ghost.c Ghost.c injectManager.c SOURCES 




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net