Category:Digital-Forensics/Rootkits/Kernel-mode-Rootkits
Description
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your understanding.
Direct Kernel Object Manipulation (DKOM)
The EPROCESS structures
EPROCESS structures are linked through a doubly-linked list (the ActiveProcessLinks field of each EPROCESS). Each entry in the list points to both the entry before it and the entry after it. Tools such as Task Manager walk this list to display the currently active processes.
Hiding a process
If an EPROCESS structure is removed from this list, the process (or, more specifically, the threads that make up the process) will continue to run just fine: the scheduler does not depend on this list, so the process simply disappears from every tool that enumerates processes by walking it.
This is an example of DKOM. The FU rootkit uses this technique to hide processes. The disassembly below walks the EPROCESS list by following each entry's forward link and comparing the process ID of each entry with the one passed in as an argument.
.text:000110A9 call ds:IoGetCurrentProcess ; eax = EPROCESS of the current process
.text:000110AF mov ecx, dword_13020 ; ecx = offset of the PID field inside EPROCESS (kept in a global)
.text:000110B5 mov edi, [ecx+eax] ; edi = PID of the starting process
.text:000110B8 cmp [esp+0Ch+arg_0], edi ; is it the PID we are looking for?
.text:000110BC mov esi, edi
.text:000110BE jz short loc_110E2 ; yes: done
.text:000110C0 mov edx, dword_13014 ; edx = offset of ActiveProcessLinks inside EPROCESS (kept in a global)
.text:000110C6
.text:000110C6 loc_110C6: ; CODE XREF: sub_1109A+42↓j
.text:000110C6 cmp ebx, 1
.text:000110C9 jl short loc_110CF ; first iteration: skip the wrap-around test
.text:000110CB cmp edi, esi
.text:000110CD jz short loc_110E0 ; back at the starting PID: whole list walked, not found
.text:000110CF
.text:000110CF loc_110CF: ; CODE XREF: sub_1109A+2F↑j
.text:000110CF mov eax, [edx+eax] ; eax = ActiveProcessLinks.Flink (address of the next LIST_ENTRY)
.text:000110D2 sub eax, edx ; eax = next EPROCESS (CONTAINING_RECORD on the LIST_ENTRY)
.text:000110D4 mov esi, [ecx+eax] ; esi = PID of that process
.text:000110D7 inc ebx ; count entries visited
.text:000110D8 cmp [esp+0Ch+arg_0], esi
.text:000110DC jnz short loc_110C6 ; keep walking until the PID matches
.text:000110DE jmp short loc_110E2
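As an added illustration (not part of this article or of the FU rootkit's code), the following Python model shows the same doubly-linked list, the unlink that hides an entry, and the cross-view check an analyst uses to find it: anything found by scanning memory for process objects but missing from the list walk was unlinked. The process names, PIDs and the `EProcess` class are constructed for the example.

```python
# Toy model of the Windows EPROCESS list (ActiveProcessLinks): a DKOM unlink hides a
# process; a cross-view check finds it. Constructed example, not kernel code.
from dataclasses import dataclass

@dataclass(eq=False)
class EProcess:
    pid: int
    name: str
    flink: "EProcess" = None  # ActiveProcessLinks.Flink
    blink: "EProcess" = None  # ActiveProcessLinks.Blink

def build_list(procs):
    """Link the processes into a circular doubly-linked list; return the head."""
    for i, p in enumerate(procs):
        p.flink = procs[(i + 1) % len(procs)]
        p.blink = procs[(i - 1) % len(procs)]
    return procs[0]

def walk_list(head):
    """What Task Manager (or Volatility's pslist) sees: follow Flink until it wraps."""
    seen, cur = [], head
    while True:
        seen.append(cur)
        cur = cur.flink
        if cur is head:
            return seen

def dkom_unlink(p):
    """FU-style hide: splice p out of the list. Its neighbours now skip it,
    but the object itself (and its threads) still exist."""
    p.blink.flink = p.flink
    p.flink.blink = p.blink
    p.flink = p.blink = p  # self-link so a later unlink never follows stale pointers

def find_hidden(head, pool_objects):
    """Cross-view detection (pslist vs. psscan): an EPROCESS found by scanning
    memory for process objects but absent from the list walk was unlinked."""
    linked = {id(p) for p in walk_list(head)}
    return [p for p in pool_objects if id(p) not in linked]

def demo():
    """Constructed process table with one process hidden by DKOM."""
    pool = [EProcess(4, "System"), EProcess(600, "lsass.exe"),
            EProcess(1337, "evil.exe"), EProcess(2048, "notepad.exe")]
    head = build_list(pool)
    dkom_unlink(pool[2])
    return [p.name for p in walk_list(head)], [p.name for p in find_hidden(head, pool)]
```

`demo()` returns the list-walk view without `evil.exe` and the cross-view result naming it; in a real memory image, the "pool" side comes from scanning for EPROCESS objects rather than from a Python list.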