T

tagging, tracked files with ADS, 277

tamper detection, rootkit controller, 257–258

TargetController, function, 268–270

TargetController.cs file

code, 269–270

functions list, 268–269

rootkit remote controller implementation, 268–270

TargetController.mf, file, 268–270

targetListView_SelectedIndexChanged, function, 260–262

TCP/IP connection, verifying compliance with a, 258

TCP, UDP, and RAW IP port activity detection, IceSword, 313

TCPView, freeware, 305

TDI (Transport Driver Interface)

demonstrating the, 133–135

overview, 119–120

TDICompletionRoutine, function, 122–130

techniques

for installing Mozilla Firefox, 249–251

rootkit prevention, 298–299

testing

concealment, 211–212

file-hiding, 212

I/O control, 114–117

installation, 254

the Lotus Notes client extension, 242

the Outlook client extension, 231–232

registry key, 212

a rootkit, 26

threading, functions list, 170

Timer operations

Rtl routine, 41

Zw routine, 41

TimerDPC, function, 122–130

Tiny Personal Firewall, overview, 294

Token operations, Zw routine, 41

tools

Debugging, 2, 7

required for building a rootkit, 1–3

summary, 8

trace operations, functional groups for hooking, 40

trampoline, function, 48–49

trampoline

hooking detection, 277

overview, 42

process diagrammed, 49

process and ZwMapViewOfSection, 49

transferData, function, 78–96

transferDataPrefix, function, 78–96

transferInstruction, function, 78, 78–96

transferOp0F, function, 78–96

transferOp66, function, 78–96

transferOp67, function, 78–96

transferOpF6, function, 78–96

transferOpF7, function, 78–96

transferOpFF, function, 78–96

Transport Driver Interface (TDI)

demonstrating the, 133–135

overview, 119–120