This chapter introduces you to the I/O processing system. I/O processing, named pipes, and shared memory can all be used to communicate efficiently between kernel mode and user mode processes. Of the three, I/O processing is probably the easiest to understand and implement. This communication method is required because our rootkit is implemented as a device driver loaded into kernel memory, while the controlling applications are usually loaded into user memory. In addition to occupying separate memory sections, kernel and user mode processes also use separate stacks. This effectively prevents passing parameters through direct function calls, even if you could identify the location of a function in the other memory section.
This chapter includes the following:
The DeviceIoControl function
A basic rootkit control application
Basic I/O processing within the rootkit
A basic rootkit command
Testing a basic rootkit command