Combined Filtering

Previous page
Table of content
Next page

The separation between file filtering and network filtering could lead to the conclusion that two separate drivers are required, but this is not the case. The rootkit developed in this chapter will use the dispatch routine created in Chapter 5 to monitor not only commands from external applications, but also I/O request packets destined for filtered devices. This includes both file filter and network filters, all in one convenient rootkit. Combined filtering is shown in Figure 7-3.

image from book
Figure 7-3

Because a dispatch routine has already been added to the rootkit, the mechanism to intercept I/O request packets is in place and ready to be used. The only tasks left are to insert newly created devices onto existing device stacks, provide fast I/O routines for file system filtering, and expand the number of major functions intercepted and processed by OnDispatch.

To be thorough, every major function will be routed through OnDispatch. This is accomplished with a loop in DriverEntry assigning all major functions (zero to IRP_MJ_MAXIMUM_FUNCTION) to the OnDispatch routine. As such, OnDispatch must be modified to not only process I/O, but also to “pass through” any unprocessed I/O request packets.



Previous page
Table of content
Next page
Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
BUY ON AMAZON
Interprocess Communications in Linux: The Nooks and Crannies
C++ How to Program (5th Edition)
Java How to Program (6th Edition) (How to Program (Deitel))
Information Dashboard Design: The Effective Visual Communication of Data
InDesign Type: Professional Typography with Adobe InDesign CS2
802.11 Wireless Networks: The Definitive Guide, Second Edition
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy