Communication between a rootkit and its controller is by far the most likely cause of rootkit detection. To lower the chance of detection, communication should be initiated at the lowest level possible so that it bypasses as many detection mechanisms as possible. For the rootkit developer, that level is the Transport Driver Interface, or TDI.
TDI is the kernel-mode transport interface that sits just below the socket layer of the network protocol stack. This means that local socket-level firewalls and socket-level network filters will not see TDI communications unless the packets are deliberately passed up to the socket layer. Note that defensive products which attach a TDI filter driver or an NDIS intermediate driver, or which monitor traffic on the wire, still observe this traffic; only the socket layer is bypassed.
The operating system provides named device objects that allow high-level protocols to communicate with low-level drivers. This convention lets a kernel driver call ZwCreateFile to open a device such as \Device\Tcp and then route I/O Request Packets (IRPs) through IoCallDriver, communicating with the network at the lowest (TCP/IP-capable) level available.