This chapter introduces low-level network communications. Low-level communication is a requirement of many rootkits for several reasons. Of primary concern is that low-level communications cannot be seen by higher-level communications, such as the socket-level communications monitored by personal firewalls. This enables rootkits to remain undetected by personal firewalls and port monitors, such as Sysinternal’s portMon. Another reason for low-level communication is the need to separate rootkit communications from general network communications, as the connection between a rootkit and its remote controller does not need to be monitored by the rootkit.
This chapter includes the following:
The Transport Driver Interface (TDI)
Connection initiation
An example of remote control communication