We now have a rootkit that does the following:
Hides its device driver entry
Hides its configuration file
Hooks the operating system kernel
Hooks selected processes loaded by the operating system
Processes commands sent from user-mode applications
Communicates with a remote controller
Though this chapter details only the initial remote control connection, it should be enough to get started. Once a connection is initiated, a polling routine can check for remote commands, and a command parsing routine can provide the remote controller with any desired functionality. The next chapter introduces filter drivers.