Detecting DKOM

As stated in Chapter 3, DKOM is one of the most difficult-to-detect rootkit techniques. This is because you can unload a DKOM-based rootkit from memory after patching, which leaves almost no signature. Therefore, in order to detect a DKOM-based attack, your best bet is to catch the operating system in a "lie." To do this, you should have a good understanding of what is considered normal behavior for your system(s).

Note

One caveat to this approach is that you can't trust the APIs on the system you are checking.

Finding Hidden Processes

Recall from Chapter 3 that in order to hide a running process with DKOM, you need to patch the allproc list, pidhashtbl, the parent process's child list, the parent process's process-group list, and the ...

Get Designing BSD Rootkits now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.