As stated in Chapter 3, DKOM is one of the most difficult-to-detect rootkit techniques. This is because you can unload a DKOM-based rootkit from memory after patching, which leaves almost no signature. Therefore, in order to detect a DKOM-based attack, your best bet is to catch the operating system in a "lie." To do this, you should have a good understanding of what is considered normal behavior for your system(s).
One caveat to this approach is that you can't trust the APIs on the system you are checking.
Finding Hidden Processes
Recall from Chapter 3 that in order to hide a running process with DKOM, you need to patch the pidhashtbl, the parent process's child list, the parent process's process-group list, and the ...
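The following is an added illustration, not code from the book, of the cross-view idea in the two passages above: instead of trusting an API on the possibly compromised system, a detector walks the kernel's bookkeeping structures itself and reports any place where they disagree. It is a userland model with simplified structures: a struct proc with two links (one for an allproc-style list, one for the pid hash chain), a hand-built pidhashtbl, and a global process counter nprocs. The names allproc and nprocs are assumed FreeBSD-style symbols, the structure layout is invented for the model, and the assumption that a DKOM unlink leaves nprocs untouched is the author's own; the sample state is constructed so that one pid was unlinked from the list but left in the hash table, which is the kind of inconsistency this check catches. It runs entirely in userland and touches no real kernel.

```c
/* Added example: userland model of a cross-view check for hidden processes.
 * Structures and the sample state are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAXPROC   8                   /* constructed: slots in the model's table */
#define PIDHASH   4                   /* constructed: number of hash buckets */
#define PIDHASH_IDX(pid) ((pid) % PIDHASH)

struct proc {
    int          p_pid;
    char         p_comm[16];
    struct proc *p_list;              /* next entry on the allproc list */
    struct proc *p_hash;              /* next entry in the pid hash chain */
};

static struct proc  proctab[MAXPROC];     /* backing storage for the model */
static struct proc *allproc;              /* assumed: head of the all-process list */
static struct proc *pidhashtbl[PIDHASH];  /* pid hash buckets */
static int          nprocs;               /* assumed: kernel's live-process counter */

/* Create process slot n and link it into the views selected by the flags. */
static void add_proc(int n, int pid, const char *comm, int link_all, int link_hash)
{
    struct proc *p = &proctab[n];
    p->p_pid = pid;
    snprintf(p->p_comm, sizeof p->p_comm, "%s", comm);
    if (link_all) { p->p_list = allproc; allproc = p; }
    if (link_hash) {
        int i = PIDHASH_IDX(pid);
        p->p_hash = pidhashtbl[i];
        pidhashtbl[i] = p;
    }
    nprocs++;   /* assumption: bumped at fork and not touched by a later unlink */
}

/* Constructed sample state: pid 4242 is no longer on allproc but still
 * sits in its pidhashtbl chain, and nprocs still counts it. */
void build_sample_state(void)
{
    memset(proctab, 0, sizeof proctab);
    memset(pidhashtbl, 0, sizeof pidhashtbl);
    allproc = NULL;
    nprocs = 0;
    add_proc(0, 1,    "init",   1, 1);
    add_proc(1, 2,    "sshd",   1, 1);
    add_proc(2, 100,  "cron",   1, 1);
    add_proc(3, 4242, "hidden", 0, 1);
}

/* View 1: walk allproc by pointer chasing, no API call involved. */
int count_allproc(void)
{
    int n = 0;
    for (struct proc *p = allproc; p != NULL; p = p->p_list)
        n++;
    return n;
}

/* Is pid present in view 1? */
static int pid_on_allproc(int pid)
{
    for (struct proc *p = allproc; p != NULL; p = p->p_list)
        if (p->p_pid == pid)
            return 1;
    return 0;
}

/* View 2: walk every pid hash chain and collect pids that view 1 lacks.
 * Returns the number of discrepancies written to out[]. */
int find_missing_from_allproc(int *out, int max)
{
    int found = 0;
    for (int i = 0; i < PIDHASH; i++)
        for (struct proc *p = pidhashtbl[i]; p != NULL; p = p->p_hash)
            if (!pid_on_allproc(p->p_pid) && found < max)
                out[found++] = p->p_pid;
    return found;
}

/* View 3: the kernel's own counter against what allproc shows.
 * Nonzero means the two disagree, i.e. the OS is telling a lie. */
int count_mismatch(void)
{
    return nprocs - count_allproc();
}

int main(void)
{
    int missing[MAXPROC];
    build_sample_state();
    int n = find_missing_from_allproc(missing, MAXPROC);
    for (int i = 0; i < n; i++)
        printf("pid %d is in pidhashtbl but not on allproc\n", missing[i]);
    printf("nprocs=%d allproc=%d mismatch=%d\n",
           nprocs, count_allproc(), count_mismatch());
    return 0;
}
```

The point of the three views is that each one is a separate structure a rootkit would have to patch consistently; a real check would add the parent's child list and the process-group list named above as further views, and the more independent views you compare, the harder the lie is to keep up.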