Combined Filtering


The separation between file filtering and network filtering could lead to the conclusion that two separate drivers are required, but this is not the case. The rootkit developed in this chapter will use the dispatch routine created in Chapter 5 to monitor not only commands from external applications, but also I/O request packets destined for filtered devices. This includes both file filter and network filters, all in one convenient rootkit. Combined filtering is shown in Figure 7-3.

image from book
Figure 7-3

Because a dispatch routine has already been added to the rootkit, the mechanism to intercept I/O request packets is in place and ready to be used. The only tasks left are to insert newly created devices onto existing device stacks, provide fast I/O routines for file system filtering, and expand the number of major functions intercepted and processed by OnDispatch.

To be thorough, every major function will be routed through OnDispatch. This is accomplished with a loop in DriverEntry assigning all major functions (zero to IRP_MJ_MAXIMUM_FUNCTION) to the OnDispatch routine. As such, OnDispatch must be modified to not only process I/O, but also to “pass through” any unprocessed I/O request packets.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net