June 2018
Beginner
510 pages
13h 7m
English
DKOM (Direct Kernel Object Manipulation) is a technique that involves modifying kernel data structures. Using DKOM, it is possible to hide a process or a driver. To hide a process, an attacker finds the _EPROCESS structure of the malicious process he/she wants to hide and modifies its ActiveProcessLinks field. In particular, the Flink of the previous _EPROCESS block is made to point to the Flink of the following _EPROCESS block, and the Blink of the following _EPROCESS block is set to point to the previous _EPROCESS block's Flink. As a result, the _EPROCESS block associated with the malware process is unlinked from the doubly linked list (as shown here):
By unlinking a process, an attacker can hide the malicious process ...
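To make the unlinking concrete and show how it is caught, here is an added C example (not from the book) that models the list on a constructed, simplified _EPROCESS layout and then applies the cross-view check memory forensics relies on: process blocks found by scanning memory are compared against those reached by walking ActiveProcessLinks, and any block the walk misses is the hidden one. The PIDs, image names and structure layout are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the structures the text describes (not a real _EPROCESS layout). */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;
typedef struct { unsigned int UniqueProcessId; const char *ImageFileName;
                 LIST_ENTRY ActiveProcessLinks; } EPROCESS;
#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))
#define NPROC 4
/* Every process block resident in "memory", linked or not: what a pool scan
 * finds by signature without following list pointers (constructed sample). */
static EPROCESS pool[NPROC] = {
    {4, "System", {NULL, NULL}},         {600, "svchost.exe", {NULL, NULL}},
    {1337, "malware.exe", {NULL, NULL}}, {2000, "notepad.exe", {NULL, NULL}},
};
static LIST_ENTRY PsActiveProcessHead;
/* Link every block into the circular doubly linked list, as the kernel does. */
void build_list(void) {
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (int i = 0; i < NPROC; i++) {
        LIST_ENTRY *e = &pool[i].ActiveProcessLinks, *last = PsActiveProcessHead.Blink;
        e->Flink = &PsActiveProcessHead; e->Blink = last;
        last->Flink = e; PsActiveProcessHead.Blink = e;
    }
}
/* The unlink the text describes: the neighbours are pointed around the block,
 * which itself stays allocated and keeps running. */
void unlink_process(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;   /* previous block's Flink now skips p */
    e->Flink->Blink = e->Blink;   /* following block's Blink now skips p */
}
/* The "list walk" view: is this block reachable from PsActiveProcessHead? */
int reachable(const EPROCESS *p) {
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink)
        if (CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks) == p) return 1;
    return 0;
}
/* Cross-view check: a pool-scan hit the walk never reaches is hidden.
 * Returns the PID of the first such block, or 0 if every block is listed. */
unsigned int find_hidden(void) {
    for (int i = 0; i < NPROC; i++)
        if (!reachable(&pool[i])) return pool[i].UniqueProcessId;
    return 0;
}
int main(void) {
    build_list(); unlink_process(&pool[2]);
    printf("first hidden pid: %u\n", find_hidden());
}
```

The same comparison is what a pool-scanning process listing versus a list-walking one performs on a memory image: a block that appears in the scan but not in the walk is the unlinked process.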