At this point, we have a rootkit that does all of the following:

- Hides its device driver entry
- Hides its configuration file
- Hooks the operating system kernel
- Hooks selected processes loaded by the operating system
- Processes commands sent from user mode applications
- Communicates with a remote controller
- Filters network communication
- Filters file system operations
As with the earlier chapters, this chapter details only enough to get you started. Once the filters are in place, you must decide which drive types and network protocols to attach to, and which types of I/O you want to exert control over.

To add to the bulleted list above, the next chapter details keyboard logging. Logging of any form adds a substantial level of difficulty to rootkit operations. Be prepared to delve into both threading and synchronization, because the keyboard callback runs at DISPATCH_LEVEL, where file I/O is not permitted, while the actual logging must be performed at PASSIVE_LEVEL.