Details of the mechanics of this approach will be shown at the upcoming Black Hat USA conference by David Maynor, a research engineer with ISS, but it set my mind racing.
Device drivers are small, low-level pieces of code that interface an add-on device, such as a PCMCIA card, to a PC. Could they really be hacked?
Until the late 1990s, no, but the arrival of Windows XP changes the ballgame, as it allows the loading of both trusted and non-trusted drivers, and identifies them as such.
In theory, if you've loaded a non-trusted device driver when installing a shiny piece of new hardware, that driver could then be overwritten by a malicious version of the driver.
This hacking approach is made easier by the fact that Windows XP - unlike earlier versions of Windows - allows device drivers to be overwritten without a prompt being displayed to the user.
So yes, if anyone were to rework a driver to call a routine from, say, the root directory - or even a Web page - then the driver could allow a PC to be remotely controlled.
I suspect there's a set of Windows call routines, however, that block such driver overwrites. That would preclude the easy updating of device drivers, but at least it would stop hacks of this nature...