The separation between file filtering and network filtering could lead to the conclusion that two separate drivers are required, but this is not the case. The rootkit developed in this chapter will use the dispatch routine created in Chapter 5 to monitor not only commands from external applications, but also I/O request packets destined for filtered devices. This includes both file filters and network filters, all in one convenient rootkit. Combined filtering is shown in Figure 7-3.
Because a dispatch routine has already been added to the rootkit, the mechanism to intercept I/O request packets is in place and ready to be used. The only tasks left are to insert newly created devices onto existing device stacks, provide fast I/O routines for file system filtering, and expand the number of major functions intercepted and processed by OnDispatch.
To be thorough, every major function will be routed through OnDispatch. This is accomplished with a loop in DriverEntry assigning all major functions (zero to IRP_MJ_MAXIMUM_FUNCTION) to the OnDispatch routine. As such, OnDispatch must be modified to not only process I/O, but also to “pass through” any unprocessed I/O request packets.
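Seen from the defender's side, the two traits described above (every major function slot routed to one routine, and devices attached to both file system and network stacks) can be checked in a snapshot of a driver's dispatch table. The following user-mode C model is an added example, not code from the book's rootkit; the driver_record layout, the flag names and the sample addresses are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b            /* value defined in the WDK's wdm.h */
#define SLOTS (IRP_MJ_MAXIMUM_FUNCTION + 1)

enum { ALL_SLOTS_ONE_HANDLER = 1, ON_FS_AND_NET_STACKS = 2 };

/* Hypothetical triage record (not a kernel structure): one driver's
   MajorFunction[] addresses plus the kinds of device stack it sits on. */
typedef struct {
    uintptr_t major[SLOTS];
    int       on_fs_stack;    /* has a device attached to a file system stack */
    int       on_net_stack;   /* has a device attached to a network stack */
} driver_record;

/* Returns a bitmask of the two traits described in the text above. */
int audit_driver(const driver_record *d)
{
    int flags = ALL_SLOTS_ONE_HANDLER;
    for (int i = 1; i < SLOTS; i++)
        if (d->major[i] != d->major[0]) { flags = 0; break; }
    if (d->on_fs_stack && d->on_net_stack)
        flags |= ON_FS_AND_NET_STACKS;
    return flags;
}

/* Constructed sample record: `uniform` fills every slot with one handler. */
driver_record make_sample(int uniform, int fs, int net)
{
    driver_record d = { {0}, fs, net };
    for (int i = 0; i < SLOTS; i++) d.major[i] = uniform ? 0x1000 : 0x9000;
    if (!uniform) {               /* ordinary driver: a few handlers of its own */
        d.major[0x00] = 0x2000;   /* IRP_MJ_CREATE */
        d.major[0x0e] = 0x2080;   /* IRP_MJ_DEVICE_CONTROL */
    }
    return d;
}

int main(void)
{
    driver_record a = make_sample(1, 1, 1), b = make_sample(0, 1, 0);
    printf("combined sample: %d, ordinary sample: %d\n", audit_driver(&a), audit_driver(&b));
    return 0;
}
```

Legitimate filter drivers also route every slot to a pass-through routine, so the first flag alone is a triage hint rather than a verdict.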