I/O control, testing, 114–117
I/O functions, differentiated, 20
I/O Processing
buildController.bat, 107
code for handling IO within the device driver, 108–110
Controller.c file, 105–106
Controller.c file code, 105–106
DeviceIoControl function, 103–104
DriverEntry, 110
handling IO within the Device Driver, 107–114
injected function programming, 114
IoManager.c file, 110–112
IoManager.c file code, 110–114
IoManager.h file, 106–107
IoManager.h file code, 106–107
SOURCES, 112
summary, 117–118
testing I/O control, 114–117
The Console Application, 105–107
I/O Request Packets (IRPs), defined, 120
IceSword
autostarted application detection, 314
browser helper object detection, 314
detection methods, 312–313
detection software, 283–286
file system tamper detection, 314
freeware, 312–314
kernel module detection, 313
kernel system call table hook detection, 314
message hook detection, 314
process creation detection, 314
process termination detection, 314
registry tamper detection, 314
service detection, 314
winsock catalog entry detection, 314
IDA
advantages to using, 47–48
downloading, 2
file selection dialog box, 7
freeware, 306–307
overview, 6
plug-ins availability, 306
process injection and, 47–48
verifying, 7
index, CALL_DATA_STRUCT, 63
initialization files, installation, 248–249
InitializeComponent, function, 262–268
InitializeKeyTracking, function, 189–198
InitializeListHead, function, 170
InitializeLogThread, function, 184
Initializing and using critical sections, Rtl routine, 41
Initializing and using resources, Rtl routine, 41
Initializing and using security objects, Rtl routine, 41
Initializing and using strings, Rtl routine, 41
Initializing and using threads, Rtl routine, 41
injected function programming
application programming versus, 114
overview, 114
injectManager.c file
code, 67–78
functions listed, 66–67
functions of, 66–67
process injection and, 66–78
user hooks, 66–78
injectManager.h file
CALL_DATA_STRUCT members, 63
code, 63–66
Ghost.h file, 50–51
user hooks, 63–66
IN_PROCESS_DATA, Ghost.h file, 50–51
insertFileFilter, function, 142–145, 145
inserting, filter drivers, 137–138
insertKeyboardFilter, function, 173–174
insertNetworkFilter, function, 142–145
Install, function, 219–231
installation
cleanup, 251–254
code, 246–247, 249–254
considerations summary, 254
End User License Agreements (EULAs), 244–245
initialization files, 248–249
intended, 243–244
persistence, 245–246
privilege escalation, 245
registry settings, 247–248
software for intended, 244
technique for Mozilla Firefox (mf), 249–251
testing, 254
through exploitation, 249–251
unintended, 245
using ZwSetSystemInformation, 246–247
installing
C# Visual Studio, 120
a Lotus Notes client filter, 241–242
the Microsoft Driver Development Kit (DDK), 4
Microsoft Visual C++ 2005 Express, 5
an Outlook client filter, 231
a rootkit, 21–25
the Windows Platform Software Development Kit (SDK), 5
InstallShield, software, 244, 287
instruction, parsing x86, 96
integrating, the SQL Server, 5
intended installation
overview, 243–244
software, 244
intercept method, IRP, 169–170
interface, overview, 256
interface-driven, low-level technology versus, 256
Interface medium, overview, 256
InterlockedExchange, function, 30
IO
control basic overview, 104
handling within the device driver, 107–114
IoAttachDeviceToDeviceStack function, IoAttachDeviceToDeviceStackSafe function versus, 138
IoManager.c file
code for Filter Drivers, 154–166
code for I/O Processing, 106–107, 110–114
code for Key Logging, 174
filter drivers, 154–165
I/O Processing, 110–112
key logging, 174
IoManager.h file
code, 150–154
filter drivers, 150–154
I/O Processing, 106–107
IP address, finding an, 121
ipconfig command, finding an IP address with the, 121
IPv4 and IPv6 operations, Rtl routine, 41
IRP intercept method, key logging and the, 169–170
IRPs (I/O Request Packets), defined, 120
IRQL = APC_LEVEL, processing level, 168
IRQL = DIRQL, processing level, 168
IRQL = DISPATCH_LEVEL, processing level, 168
IRQL = PASSIVE_LEVEL, processing level, 168
isJump, function, 78, 78–96
ISO image, downloading the, 1–2
IsSameFile, function, 44–47, 54–63
IsSameString, function, 54–63