Now that you can load, unload, start, and stop a basic rootkit, you can verify the rootkit technologies detailed in this chapter.
The first test will require a system administration tool, something that can list all the active device drivers currently running on the system. The standard tool for this task is drivers.exe. This utility is supplied with most Microsoft operating system resource kits, as well as most driver development kits. Running this application with no parameters will provide a list of all running device drivers. Loading and starting MyDeviceDriver should not add the expected comint32.sys entry to the list of running device drivers.
The second test will verify the alternate data stream added to C:\Windows\Resources. The easiest way to verify this functionality is to delete C:\config32 and then stop and restart MyDeviceDriver. Because config32 no longer exists, the rootkit must retrieve configuration information from the alternate data stream. This can be verified with the DebugView utility. Debug output should indicate that the initial GetFile() failed; this is the attempt to read C:\config32. Afterward, debug output should indicate “Reading config from hidden file.” The IP and port information read from the ADS is then displayed.