Attaching a driver to the top of an existing stack of drivers can give a rootkit exceptional control over the operating system: every request passes through the new driver before it reaches the drivers below. The same mechanism is used legitimately by anti-virus software, encryption software, and compression software. In fact, there are so many filter drivers on a typical system that the driver loader has to group them in order to load them all in the correct order.
The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key guides explicit service and driver loading. If you use regedit to view the contents of this key, you are likely to find hundreds of service and driver keys. This is also the key that is populated with a MyDeviceDriver entry whenever you use SCMLoader. Up until now, SCMLoader has loaded Ghost as an on-demand (SERVICE_DEMAND_START) device driver that requires the “net start MyDeviceDriver” command. To perform file system filtering, the rootkit should instead be loaded as an automatic (SERVICE_AUTO_START) device driver that belongs to the “Filter” load-order group.
Autoloading is less instructive than on-demand loading, so you should continue using SERVICE_DEMAND_START and “net start mydevicedriver” for instructional purposes (a fault in a driver that is started automatically at boot is also far harder to recover from than one in a driver you load by hand), but a new SCMLoader has been provided in the Chapter 7 Ghost directory of the Wrox/Wiley download. This updated loader registers the rootkit so that it is loaded automatically during the boot process, and it is the loader to use for non-development rootkit insertion.
When autoloading, the order in which device driver groups are loaded is guided by the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List registry value. If you use regedit to view the contents of this value, you should see several dozen group names contained within one multi-string (REG_MULTI_SZ) list; groups are loaded in the order they appear, and a driver whose group is not in the list is loaded after all listed groups. To perform file system filtering, a filter driver must belong to a group that comes after the “FSFilter Bottom” group. For most purposes, the “Filter” group is sufficient. It is also sufficient for the high-level network filtering used in this chapter (attaching above the TCP, UDP, and Raw IP devices), because those devices already exist by the time a driver in the “Filter” group is loaded.
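The registration the three paragraphs above describe can be performed with the stock sc.exe tool rather than the book's SCMLoader. The following PowerShell script is an added example, not code from the book or the Ghost download: it checks that the chosen group is ordered after “FSFilter Bottom” in ServiceGroupOrder\List, creates the service as an auto-start kernel driver in that group, and then shows the resulting Services entry. The service name MyDeviceDriver is the book's placeholder; the driver path is hypothetical. It must be run from an elevated (Administrator) prompt.

```powershell
# Added example: register a kernel driver as an auto-start service in the "Filter"
# load-order group and verify where that group sits in ServiceGroupOrder.
# Assumptions: MyDeviceDriver and C:\Ghost\MyDeviceDriver.sys are hypothetical names;
# run from an elevated prompt. This is not the book's SCMLoader.
param(
    [string]$ServiceName = 'MyDeviceDriver',
    [string]$DriverPath  = 'C:\Ghost\MyDeviceDriver.sys',   # hypothetical path
    [string]$Group       = 'Filter'
)

# Position of a group in the list; groups that are not listed load after every listed group.
function Get-GroupIndex([string[]]$List, [string]$Name) {
    for ($i = 0; $i -lt $List.Count; $i++) {
        if ($List[$i] -eq $Name) { return $i }   # -eq on strings is case-insensitive
    }
    return $List.Count
}

# ServiceGroupOrder\List is a REG_MULTI_SZ value, one group name per element.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder'
[string[]]$groups = (Get-ItemProperty -Path $orderKey -Name List).List

$groupIdx    = Get-GroupIndex -List $groups -Name $Group
$fsBottomIdx = Get-GroupIndex -List $groups -Name 'FSFilter Bottom'
if ($groupIdx -le $fsBottomIdx) {
    throw "Group '$Group' is not ordered after 'FSFilter Bottom'; choose a later group."
}
"'$Group' is entry $groupIdx of $($groups.Count); 'FSFilter Bottom' is entry $fsBottomIdx."

# Create the service. sc.exe requires the space after each '=' (PowerShell passes
# 'type=' and 'kernel' as two arguments, which is exactly what sc.exe expects).
#   type= kernel   -> SERVICE_KERNEL_DRIVER
#   start= auto    -> SERVICE_AUTO_START   (use start= demand while developing)
#   group= Filter  -> the Group value under ...\Services\<name>
& sc.exe create $ServiceName type= kernel start= auto group= $Group binPath= $DriverPath
if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }

# 'sc qc' echoes START_TYPE, LOAD_ORDER_GROUP and BINARY_PATH_NAME as the SCM sees them.
& sc.exe qc $ServiceName

# The same data is what regedit shows under the Services key:
# Type 1 = kernel driver, Start 2 = automatic, Group, ImagePath.
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" |
    Select-Object Type, Start, Group, ImagePath
```

Switching `start= auto` to `start= demand` produces the on-demand configuration the earlier chapters use, so the same script serves both the development and the deployment case; nothing here loads the driver, so `net start MyDeviceDriver` (or a reboot, for the auto-start case) is still required.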
Though the network filter driver presented in this chapter can be loaded and unloaded as an on-demand device driver, its unload logic is not designed for that use. The network filter must be unloaded only after every network connection opened since the filter was inserted has been closed. Any driver in the network filter stack may hold a reference to the network filter's device objects, and removing the filter while such references exist can crash the system. Therefore, shut down all the network-aware software that was started after the network filter was inserted before unloading the Chapter 7 rootkit. In addition, to make future loading and unloading easier, the network filter is skipped (commented out) in the remaining code examples presented in this book.
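The unload precaution above can be turned into a guard that runs before “net stop”. The following PowerShell script is an added example, not part of the book: it parses the output of netstat -ano, lists every user-mode process that still owns a TCP or UDP endpoint together with its start time (so you can compare it with the moment you loaded the filter), and refuses to stop the service while any remain unless -Force is given. The service name MyDeviceDriver is the book's placeholder; the script assumes an elevated prompt.

```powershell
# Added example (not from the book): refuse to unload the network filter while any
# user-mode process still owns a TCP/UDP endpoint, which is the condition the text
# warns about. MyDeviceDriver is the book's placeholder service name.
param(
    [string]$ServiceName = 'MyDeviceDriver',
    [switch]$Force
)

# Parse 'netstat -ano'. TCP rows carry a state column, UDP rows do not; the PID is last.
function Get-EndpointOwners {
    $pattern = '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$'
    netstat -ano | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                Proto     = $matches[1]
                Local     = $matches[2]
                Remote    = $matches[3]
                State     = $matches[4]
                ProcessId = [int]$matches[5]
            }
        }
    }
}

# PID 0 marks endpoints with no owner (e.g. TIME_WAIT); PID 4 is the System process.
# Everything else is a user-mode program that was started by someone and can be closed.
$owners = Get-EndpointOwners |
    Where-Object { $_.ProcessId -notin @(0, 4) } |
    Group-Object ProcessId

if ($owners) {
    "Processes still holding network endpoints:"
    foreach ($g in $owners) {
        $proc = Get-Process -Id $g.Name -ErrorAction SilentlyContinue
        $started = try { $proc.StartTime } catch { 'n/a' }   # access may be denied
        "  PID {0,-6} {1,-20} started {2}  endpoints: {3}" -f $g.Name, $proc.ProcessName, $started, $g.Count
    }
    if (-not $Force) {
        throw "Close these programs (or rerun with -Force) before unloading $ServiceName."
    }
}

& net stop $ServiceName
if ($LASTEXITCODE -ne 0) { throw "net stop failed with exit code $LASTEXITCODE" }
```

The check is deliberately conservative: it flags every process with an endpoint, not only those started after the filter was inserted, because the script cannot know when that happened. The start times it prints let you make that distinction yourself; -Force exists for the case where you have done so and are willing to accept the risk the text describes.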