In the previous chapter we covered subverting the FreeBSD kernel using simple data-state changes. The discussion centered around modifying the data contained within the kernel queue data structures. In addition to record keeping, many of these structures are also directly involved in control flow, as they maintain a limited number of entry points into the kernel. Consequently, these can be hooked, too, just like the entry points discussed in Chapter 2. This technique is referred to as Kernel Object Hooking (KOH). To demonstrate it, let's hook a character device.

Hooking a Character Device

Recall from Chapter 1 that a character device is defined by its entries in a character device switch table.[1] As such, by modifying ...

Get Designing BSD Rootkits now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.