Sorry for the unclear question!
The command prompt command 'dir' lists all files and directories in a directory, as you probably know.
I am reading "Subverting the Windows Kernel: Rootkits" at the moment.
One example of code in the book hides TCP connections. It uses hooking. Part of the method it uses gets a pointer to TCPIP.sys, the driver that 'netstat' uses to query the current TCP connections, by using the device object associated with it.
Basically there is a function, IoGetDeviceObjectPointer(), that takes a device name (for TCPIP.sys, the device was \\DEVICE\\TCP) and returns a pointer to the device driver, in that example TCPIP.sys.
I was wondering if anyone knows whether the 'dir' command uses a device driver, and if so, what is the name of the device?
No, the dir command does not use a device driver. The dir command relies on the FindFirstFile/FindNextFile API functions, which call Ntdll.dll kernel functions internally. If I remember correctly, hooking Nt/ZwQueryInformationFile hides files.
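As an added illustration that is not part of the question, the answer, or the book's code: the directory query behind FindFirstFile/FindNextFile (NtQueryDirectoryFile) hands back a buffer of variable-length records chained through a NextEntryOffset field (the FILE_DIRECTORY_INFORMATION family), and a file-hiding hook works by unlinking the records it wants hidden before the buffer reaches the caller. The C below simulates only that filtering step, in user mode, on a constructed buffer. DirEntry is a simplified stand-in (the real records carry timestamps, sizes, attributes and a UTF-16 name), the function names build_listing, hide_entries, count_entries and entry_name are chosen here, and the "$sys$" prefix is just a sample marker. It handles the two edge cases a real hook must get right: the last record is the one whose NextEntryOffset is 0, and when every record is hidden the result is empty, which a real hook has to report as "no more files" rather than returning an empty buffer.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's directory-listing records. Only the
 * chaining and the name matter for the hiding logic; everything else is omitted. */
typedef struct {
    uint32_t NextEntryOffset; /* bytes from this record to the next; 0 marks the last */
    uint32_t FileNameLength;  /* length of FileName in bytes, not NUL-terminated */
    char     FileName[];      /* char instead of WCHAR, for portability */
} DirEntry;

#define ALIGN8(x) (((x) + 7u) & ~(size_t)7u)

/* Build a chained listing from n names. Returns bytes used, 0 if it does not fit. */
static size_t build_listing(uint8_t *buf, size_t cap, const char *const *names, size_t n)
{
    size_t off = 0;
    DirEntry *prev = NULL;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        size_t rec = ALIGN8(offsetof(DirEntry, FileName) + len);
        if (off + rec > cap) return 0;
        DirEntry *e = (DirEntry *)(buf + off);
        memset(e, 0, rec);
        e->FileNameLength = (uint32_t)len;
        memcpy(e->FileName, names[i], len);
        if (prev) prev->NextEntryOffset = (uint32_t)((uint8_t *)e - (uint8_t *)prev);
        prev = e;
        off += rec;
    }
    return off;
}

/* The hook's filtering step: drop every record whose name starts with prefix,
 * compact the survivors in place and re-link them. Returns the new length;
 * 0 means nothing is left (a real hook would report "no more files"). */
static size_t hide_entries(uint8_t *buf, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix), rd = 0, wr = 0;
    DirEntry *last = NULL;
    while (rd < len) {
        DirEntry *e = (DirEntry *)(buf + rd);
        uint32_t next = e->NextEntryOffset;
        size_t rec = next ? next : len - rd;   /* last record runs to end of buffer */
        int hidden = e->FileNameLength >= plen && memcmp(e->FileName, prefix, plen) == 0;
        if (!hidden) {
            if (wr != rd) memmove(buf + wr, buf + rd, rec);
            DirEntry *w = (DirEntry *)(buf + wr);
            w->NextEntryOffset = 0;            /* provisionally the last kept record */
            if (last) last->NextEntryOffset = (uint32_t)((uint8_t *)w - (uint8_t *)last);
            last = w;
            wr += rec;
        }
        if (!next) break;
        rd += next;
    }
    return wr;
}

/* Number of records in a chain (0 for an empty buffer). */
static int count_entries(const uint8_t *buf, size_t len)
{
    int n = 0;
    for (size_t off = 0; off < len; ) {
        const DirEntry *e = (const DirEntry *)(buf + off);
        n++;
        if (!e->NextEntryOffset) break;
        off += e->NextEntryOffset;
    }
    return n;
}

/* Copy the idx-th name out as a NUL-terminated string; 0 if no such record. */
static int entry_name(const uint8_t *buf, size_t len, int idx, char *out, size_t outcap)
{
    size_t off = 0;
    for (int i = 0; off < len; i++) {
        const DirEntry *e = (const DirEntry *)(buf + off);
        if (i == idx) {
            size_t n = e->FileNameLength < outcap - 1 ? e->FileNameLength : outcap - 1;
            memcpy(out, e->FileName, n);
            out[n] = '\0';
            return 1;
        }
        if (!e->NextEntryOffset) break;
        off += e->NextEntryOffset;
    }
    return 0;
}

/* Constructed sample: two ordinary files and two carrying the "$sys$" marker. */
static size_t demo_listing(uint8_t *buf, size_t cap)
{
    static const char *const names[] = { "boot.ini", "$sys$hidden.dll", "readme.txt", "$sys$drv.sys" };
    return build_listing(buf, cap, names, sizeof names / sizeof names[0]);
}

int main(void)
{
    static alignas(8) uint8_t buf[256];
    char name[64];
    size_t len = demo_listing(buf, sizeof buf);
    printf("before: %d entries\n", count_entries(buf, len));
    len = hide_entries(buf, len, "$sys$");
    printf("after:  %d entries\n", count_entries(buf, len));
    for (int i = 0; entry_name(buf, len, i, name, sizeof name); i++) printf("  %s\n", name);
    return 0;
}
```

The compaction keeps the buffer valid for the caller no matter which records are removed, including the first one; a hook that only bumped NextEntryOffset to skip a record would break when the hidden entry is the first or the last in the chain.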