Contents

Chapter 14 Covert Channels 663

14.1 Common Malware Channels 663

Internet Relay Chat 664

Peer-to-Peer Communication 664

HTTP 665

14.2 Worst-Case Scenario: Full Content Data Capture 668

Protocol Tunneling 669

DNS 670

ICMP 670

Peripheral Issues 672

14.3 The Windows TCP/IP Stack 673

Windows Sockets 2 674

Raw Sockets 675

Winsock Kernel API 676

NDIS 677

Different Tools for Different Jobs 680

14.4 DNS Tunneling 680

DNS Query 680

DNS Response 683

14.5 DNS Tunneling: User Mode 685

14.6 DNS Tunneling: WSK Implementation 689

Initialize the Application's Context 696

Create a Kernel-Mode Socket 697

Determine a Local Transport Address 698

Bind the Socket to the Transport Address 699

Set the Remote Address (the C2 Client) 700

Send the DNS Query 702

Receive the DNS Response 703

14.7 NDIS Protocol Drivers 705

Building and Running the NDISProt 6.0 Example 707

An Outline of the Client Code 710

An Outline of the Driver Code 713

The Protocol *0 Routines 716

Missing Features 721

14.8 Passive Covert Channels 722