Question

Sorry for the unclear question!

The command prompt command 'dir' lists all files and directories in a directory, as you probably know.

I am reading "Subverting the Windows Kernel: Rootkits" at the moment.

One example of code in the book hides TCP connections. It uses hooking. Part of the method it uses gets a pointer to TCPIP.sys, the driver that 'netstat' uses to query the current TCP connections, by using the device object associated with it.

Basically there is a function, IoGetDeviceObjectPointer(), that takes a device name (for TCPIP.sys, the device was \\DEVICE\\TCP) and returns a pointer to the device driver, in that example TCPIP.sys.

I was wondering if anyone knows whether the 'dir' command uses a device driver, and if so, what is the name of the device?


Solution

No, the dir command does not use a device driver. The dir command relies on the FindFirstFile/FindNextFile API functions, which call Ntdll.dll kernel functions internally. If I remember correctly, hooking Nt/ZwQueryInformationFile hides files.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow