Rootkits implemented as device drivers often require the capability to communicate with external user-mode applications. These external applications use a different stack and different memory; they have access to different functions and operate at a different privilege level. Communication between device drivers and applications must therefore be performed through a channel that is not affected by these differences. This communication channel is provided by the DeviceIoControl function. Figure 5-1 shows basic I/O.
Figure 5-1
The example detailed in this chapter will add an on/off switch to the rootkit. The on/off switch will be controlled by a standard Windows console application that communicates with the rootkit through DeviceIoControl. DeviceIoControl will also be required within the injected function (added in Chapter 4) called before the original PGP encryption function. This enables the injected function to check the state of the on/off switch to determine whether processing should be allowed or blocked.
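The following is an added example, not code from the book's Ghost sources: a host-testable model of the on/off switch described above, with the driver-side control handler, the state check the injected function would make, and the user-mode caller. The control-code names, the function numbers and the use of FILE_DEVICE_UNKNOWN are assumptions; the CTL_CODE macro and the METHOD_BUFFERED/FILE_ANY_ACCESS constants match the Windows definitions, so the same values would be used on both sides of a real DeviceIoControl call.

```c
/* Added example: model of a DeviceIoControl-driven on/off switch.
 * Control-code names and function numbers are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_DEVICE_UNKNOWN 0x22
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

/* Function numbers 0x800 and up are the range left to third-party drivers. */
#define IOCTL_SWITCH_SET   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SWITCH_QUERY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)

typedef enum { STATUS_OK = 0, STATUS_INVALID_CODE = 1, STATUS_BAD_LENGTH = 2 } status_t;

/* Driver-side state consulted by the injected function. Starts "on". */
static volatile uint32_t g_switch_on = 1;

/* Model of the driver's IRP_MJ_DEVICE_CONTROL dispatch. Buffer lengths supplied by
 * the caller are checked before any buffer is touched: an unchecked IOCTL input or
 * output length is a classic driver bug, and unknown codes are rejected outright. */
status_t switch_ioctl(uint32_t code, const void *in, size_t in_len,
                      void *out, size_t out_len, size_t *bytes_returned)
{
    uint32_t v;
    *bytes_returned = 0;
    switch (code) {
    case IOCTL_SWITCH_SET:
        if (in == NULL || in_len < sizeof v) return STATUS_BAD_LENGTH;
        memcpy(&v, in, sizeof v);
        g_switch_on = (v != 0);
        return STATUS_OK;
    case IOCTL_SWITCH_QUERY:
        if (out == NULL || out_len < sizeof v) return STATUS_BAD_LENGTH;
        v = g_switch_on;
        memcpy(out, &v, sizeof v);
        *bytes_returned = sizeof v;
        return STATUS_OK;
    default:
        return STATUS_INVALID_CODE;
    }
}

/* The check the injected function makes before deciding whether to pass the call on. */
int switch_is_on(void) { return g_switch_on != 0; }

/* Model of the user-mode console application: packs the argument as a METHOD_BUFFERED
 * caller would and issues the control code. */
status_t controller_set(int on)
{
    uint32_t arg = on ? 1u : 0u;
    size_t n;
    return switch_ioctl(IOCTL_SWITCH_SET, &arg, sizeof arg, NULL, 0, &n);
}

/* Returns the current state, or -1 if the request was rejected. */
int controller_query(void)
{
    uint32_t state = 0;
    size_t n;
    if (switch_ioctl(IOCTL_SWITCH_QUERY, NULL, 0, &state, sizeof state, &n) != STATUS_OK)
        return -1;
    return (int)state;
}
```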
The functionality required to control the rootkit locally has been implemented by creating three new files and modifying four existing files.
The new files are as follows:
Controller.c
IoManager.c
IoManager.h
Following are the modified files:
Ghost.c
Ghost.c
injectManager.c
SOURCES