Chapter 3. DIRECT KERNEL OBJECT MANIPULATION

All operating systems keep internal record-keeping data in main memory, usually as objects: structures, queues, and the like. Whenever you ask the kernel for a list of running processes, open ports, and so on, it walks these objects, parses them, and returns the result. Because the data lives in main memory, code running in kernel context (a loadable kernel module, for instance) can modify it in place, and every lookup routine that consults those objects afterward returns the altered view; there is no need to install a call hook to redirect control flow. This technique is commonly referred to as Direct Kernel Object Manipulation (DKOM) (Hoglund and Butler, 2005). Note the consequence: the object itself is not destroyed, only the way it is found is changed, so a process unlinked from the process list keeps running and remains reachable through any other structure that still points at it.

Before I get into this topic, however, let's look at how kernel data is stored in a FreeBSD system.

Kernel Queue Data Structures

In general, a lot of interesting information is stored as a queue data structure ...
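The following is an added example, not code from the book, that ties the DKOM paragraph above to the queue structures this section introduces. It models a FreeBSD-style process list in user space: the LIST_* macros are a local copy of the semantics of the <sys/queue.h> LIST macros (reproduced inline so the program builds on any libc), and the names allproc, struct proc, p_list, p_pid and p_comm mirror FreeBSD's but the struct layout, the sample process table and its pids are constructed for illustration. It shows the DKOM step itself (unlinking an entry with LIST_REMOVE, which hides it from anything that enumerates the list while leaving the object intact) and the cross-view check a detector uses to notice that unlinking: compare objects that exist against objects the list reports.

```c
/* Added example: DKOM against a queue(3)-style process list, in user space. */
#include <stdio.h>
#include <string.h>

/* Local copy of the <sys/queue.h> LIST macros (same field names, same semantics). */
#define LIST_HEAD(name, type)  struct name { struct type *lh_first; }
#define LIST_ENTRY(type)       struct { struct type *le_next; struct type **le_prev; }
#define LIST_FIRST(head)       ((head)->lh_first)
#define LIST_NEXT(elm, field)  ((elm)->field.le_next)
#define LIST_FOREACH(var, head, field) \
    for ((var) = LIST_FIRST(head); (var) != NULL; (var) = LIST_NEXT(var, field))
#define LIST_INSERT_HEAD(head, elm, field) do {                          \
    if ((LIST_NEXT(elm, field) = LIST_FIRST(head)) != NULL)              \
        LIST_FIRST(head)->field.le_prev = &LIST_NEXT(elm, field);        \
    LIST_FIRST(head) = (elm);                                            \
    (elm)->field.le_prev = &LIST_FIRST(head);                            \
} while (0)
#define LIST_REMOVE(elm, field) do {                                     \
    if (LIST_NEXT(elm, field) != NULL)                                   \
        LIST_NEXT(elm, field)->field.le_prev = (elm)->field.le_prev;     \
    *(elm)->field.le_prev = LIST_NEXT(elm, field);                       \
} while (0)

/* Cut-down stand-in for FreeBSD's struct proc (illustrative layout). */
struct proc {
    LIST_ENTRY(proc) p_list;   /* linkage in allproc */
    int  p_pid;
    char p_comm[16];
};

LIST_HEAD(proclist, proc);
static struct proclist allproc = { NULL };

/* Constructed sample process table; storage exists independently of the list. */
#define NPROCS 4
static struct proc ptable[NPROCS];
static const int   sample_pids[NPROCS]  = { 1, 42, 1337, 2048 };
static const char *sample_names[NPROCS] = { "init", "sshd", "backdoor", "shell" };

/* Link every sample proc into allproc the way fork() would (newest at the head). */
static void build_allproc(void)
{
    LIST_FIRST(&allproc) = NULL;
    for (int i = 0; i < NPROCS; i++) {
        ptable[i].p_pid = sample_pids[i];
        strncpy(ptable[i].p_comm, sample_names[i], sizeof ptable[i].p_comm - 1);
        ptable[i].p_comm[sizeof ptable[i].p_comm - 1] = '\0';
        LIST_INSERT_HEAD(&allproc, &ptable[i], p_list);
    }
}

/* What a process lister sees: every pid reachable by walking allproc. */
static int visible_count(void)
{
    struct proc *p;
    int n = 0;
    LIST_FOREACH(p, &allproc, p_list)
        n++;
    return n;
}

static int is_visible(int pid)
{
    struct proc *p;
    LIST_FOREACH(p, &allproc, p_list)
        if (p->p_pid == pid)
            return 1;
    return 0;
}

/* The DKOM step: unlink the proc from allproc. The object is not freed or
 * altered, so the "process" keeps its state; only list traversal misses it.
 * Returns the unlinked object, or NULL if no such pid is on the list. */
static struct proc *hide_proc(int pid)
{
    struct proc *p;
    LIST_FOREACH(p, &allproc, p_list) {
        if (p->p_pid == pid) {
            LIST_REMOVE(p, p_list);
            return p;
        }
    }
    return NULL;
}

/* Cross-view detection: objects that exist in the table but are not on the
 * list. A nonzero result means something was unlinked. */
static int hidden_count(void)
{
    int n = 0;
    for (int i = 0; i < NPROCS; i++)
        if (!is_visible(ptable[i].p_pid))
            n++;
    return n;
}

int main(void)
{
    build_allproc();
    printf("before: %d visible\n", visible_count());
    struct proc *h = hide_proc(1337);
    printf("after:  %d visible; unlinked object still reads pid=%d comm=%s\n",
           visible_count(), h->p_pid, h->p_comm);
    printf("cross-view check: %d hidden\n", hidden_count());
    return 0;
}
```

Two points worth noticing when you run it. First, hide_proc touches only the two link pointers, never the proc itself, which is exactly why DKOM needs no hook: the lister's code is unchanged, it simply never reaches the entry. Second, hidden_count is the defender's side of the same fact: because the object must still exist for the process to run, any second source of truth (here the backing table; on a real system the pid hash, the scheduler's run queues, or a memory scan for proc structures) will disagree with the list, and that disagreement is the detection signal.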