The Transport Driver Interface


Communication between a rootkit and its controller is by far the most likely cause of rootkit detection. To lower the possibility of detection, communication should be initiated at the lowest level possible to bypass as many detection mechanisms as possible. For the rootkit developer, this is the Transport Driver Interface, or TDI.

TDI is the kernel mode transport interface implemented just below the socket layer of the network protocol stack. This means that local socket-level firewalls and network filtering devices will not see TDI communications unless packets are purposely passed up to the socket layer.

The operating system must provide named device objects that enable high-level protocols to communicate with low-level drivers. This standard allows kernel device drivers to use ZwCreateFile to open devices such as “/device/tcp,” and route I/O Request Packets (IRPs) through IoCallDriver to communicate with the network at the lowest possible (TCP/IP capable) communication level.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net