We now have a rootkit that does the following:

- Hides its device driver entry
- Hides its configuration file
- Hooks the operating system kernel
- Hooks selected processes loaded by the operating system
- Processes commands sent from user mode applications
- Communicates with a remote controller
- Filters network communication
- Filters file system operations
- Logs key presses
The threading and logging concepts detailed in this chapter can be applied to many of the previous chapters. Logging the system configuration, the current user, file and network filtered data, and forensic data can all be achieved using the techniques detailed in this chapter.
Our rootkit is just about as complete as a training example can be. However, it’s not really a rootkit unless it contains a few more forms of concealment. Though many of the concealment techniques introduced in the next chapter are easily detectable, they are nonetheless used extensively in most modern rootkits.