tagging, tracked files with ADS, 277
tamper detection, rootkit controller, 257–258
TargetController, function, 268–270
TargetController.cs file
  code, 269–270
  functions list, 268–269
  rootkit remote controller implementation, 268–270
TargetController.mf, file, 268–270
targetListView_SelectedIndexChanged, function, 260–262
TCP/IP connection, verifying compliance with a, 258
TCP, UDP, and RAW IP port activity detection, IceSword, 313
TCPView, freeware, 305
TDI (Transport Driver Interface)
  demonstrating the, 133–135
  overview, 119–120
TDICompletionRoutine, function, 122–130
techniques
  for installing Mozilla Firefox, 249–251
  rootkit prevention, 298–299
testing
  concealment, 211–212
  file-hiding, 212
  I/O control, 114–117
  installation, 254
  the Lotus Notes client extension, 242
  the Outlook client extension, 231–232
  registry key, 212
  a rootkit, 26
threading, functions list, 170
Timer operations
  Rtl routine, 41
  Zw routine, 41
TimerDPC, function, 122–130
Tiny Personal Firewall, overview, 294
Token operations, Zw routine, 41
tools
  Debugging, 2, 7
  required for building a rootkit, 1–3
  summary, 8
trace operations, functional groups for hooking, 40
trampoline, function, 48–49
trampoline
  hooking detection, 277
  overview, 42
  process diagrammed, 49
  process and ZwMapViewOfSection, 49
transferData, function, 78–96
transferDataPrefix, function, 78–96
transferInstruction, function, 78, 78–96
transferOp0F, function, 78–96
transferOp66, function, 78–96
transferOp67, function, 78–96
transferOpF6, function, 78–96
transferOpF7, function, 78–96
transferOpFF, function, 78–96
Transport Driver Interface (TDI)
  demonstrating the, 133–135
  overview, 119–120