Detecting DKOM

As stated in Chapter 3, DKOM is one of the most difficult-to-detect rootkit techniques. This is because you can unload a DKOM-based rootkit from memory after patching, which leaves almost no signature. Therefore, in order to detect a DKOM-based attack, your best bet is to catch the operating system in a "lie." To do this, you should have a good understanding of what is considered normal behavior for your system(s).

Note

One caveat to this approach is that you can't trust the APIs on the system you are checking.

Finding Hidden Processes

Recall from Chapter 3 that in order to hide a running process with DKOM, you need to patch the allproc list, pidhashtbl, the parent process's child list, the parent process's process-group list, and the ...
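The "catch the operating system in a lie" approach above comes down to obtaining the same fact from two independent kernel paths and comparing. The following tool is an added illustration, not code from the book: view 1 is the process listing the kernel exports (on FreeBSD `sysctl kern.proc.all`, which walks allproc; on Linux a `/proc` walk), and view 2 is a brute-force `kill(pid, 0)` probe over the whole PID range, which resolves each PID through the PID hash table instead. A process that answers the probe but is missing from the listing is a discrepancy worth investigating. The listing is taken before and after the probe so processes that merely started or exited during the sweep are not reported. The capacity constant `MAX_PIDS` and the Linux `pid_max` fallback are assumptions; since the hiding technique described here patches both allproc and pidhashtbl, a complete hide defeats this particular pair of views, and the point is the comparison pattern, into which any other pair of independent views can be plugged.

```c
/* Cross-view process check: listing (allproc / /proc) versus a PID-hash probe.
 * Added example, not the book's code. Compiles on FreeBSD and Linux. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/user.h>
#else
#include <ctype.h>
#include <dirent.h>
#endif

#define MAX_PIDS 262144   /* array capacity and probe ceiling (assumption) */

/* Highest PID to probe: FreeBSD's PID_MAX is 99999; Linux publishes pid_max. */
static pid_t highest_pid(void) {
#ifdef __FreeBSD__
    return 99999;
#else
    long v = 32768;                               /* classic default if unreadable */
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = 32768; fclose(f); }
    return (pid_t)(v < MAX_PIDS ? v : MAX_PIDS - 1);
#endif
}

#ifndef __FreeBSD__
/* Append every numeric directory entry under path (PIDs or thread IDs). */
static void numeric_entries(const char *path, pid_t *out, size_t *n, size_t cap) {
    DIR *d = opendir(path);
    struct dirent *e;
    if (d == NULL) return;
    while ((e = readdir(d)) != NULL && *n < cap)
        if (isdigit((unsigned char)e->d_name[0])) out[(*n)++] = (pid_t)atol(e->d_name);
    closedir(d);
}
#endif

/* View 1: the processes the kernel is willing to list. */
static size_t list_pids(pid_t *out, size_t cap) {
    size_t n = 0;
#ifdef __FreeBSD__
    int mib[3] = { CTL_KERN, KERN_PROC, KERN_PROC_ALL };   /* walks allproc */
    size_t len = 0;
    if (sysctl(mib, 3, NULL, &len, NULL, 0) == -1) return 0;
    struct kinfo_proc *kp = malloc(len);
    if (kp == NULL || sysctl(mib, 3, kp, &len, NULL, 0) == -1) { free(kp); return 0; }
    for (size_t i = 0; i < len / sizeof(*kp) && n < cap; i++) out[n++] = kp[i].ki_pid;
    free(kp);
#else
    numeric_entries("/proc", out, &n, cap);
    size_t nprocs = n;                /* thread IDs answer to kill(2) as well, so */
    for (size_t i = 0; i < nprocs; i++) {          /* include /proc/<pid>/task */
        char path[64];
        snprintf(path, sizeof path, "/proc/%ld/task", (long)out[i]);
        numeric_entries(path, out, &n, cap);
    }
#endif
    return n;
}

/* View 2: ask about every PID individually. kill(pid, 0) returns 0 (or fails
 * with EPERM) for any PID the hash table resolves, listed or not. */
static size_t probe_pids(pid_t *out, size_t cap) {
    size_t n = 0;
    pid_t top = highest_pid();
    for (pid_t pid = 1; pid <= top && n < cap; pid++)
        if (kill(pid, 0) == 0 || errno == EPERM) out[n++] = pid;
    return n;
}

static int contains(const pid_t *a, size_t n, pid_t pid) {
    for (size_t i = 0; i < n; i++) if (a[i] == pid) return 1;
    return 0;
}

/* PIDs the probe found that appear in neither listing. Returns the count. */
size_t hidden_pids(const pid_t *before, size_t nb, const pid_t *after, size_t na,
                   const pid_t *probed, size_t np, pid_t *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < np && n < cap; i++)
        if (!contains(before, nb, probed[i]) && !contains(after, na, probed[i]))
            out[n++] = probed[i];
    return n;
}

int main(void) {
    static pid_t before[MAX_PIDS], after[MAX_PIDS], probed[MAX_PIDS], hidden[1024];
    size_t nb = list_pids(before, MAX_PIDS);
    size_t np = probe_pids(probed, MAX_PIDS);      /* probe between the two listings */
    size_t na = list_pids(after, MAX_PIDS);
    size_t nh = hidden_pids(before, nb, after, na, probed, np, hidden, 1024);
    printf("listed %zu, probed %zu, reachable but unlisted: %zu\n", nb, np, nh);
    for (size_t i = 0; i < nh; i++) printf("  pid %ld\n", (long)hidden[i]);
    return nh ? 1 : 0;
}
```

Run it as root so `kill(pid, 0)` is not refused for every foreign process; a nonzero exit means at least one PID survived the double listing, which is the signal to capture memory and investigate rather than to trust either view. The comparison deliberately lives in userland and relies on two kernel entry points, so it inherits the caveat from the Note above: if the rootkit also hooks the system calls the tool uses, both views can be made to agree.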
