Direct kernel object manipulation (DKOM) is a common rootkit technique for hiding potentially damaging third-party processes, drivers, files and intermediate connections from the task manager and event scheduler.

==Overview==
At its core, a rootkit that employs DKOM hides itself from the Object Manager or Task Manager. By modifying the linked list that holds all active threads and processes, this type of rootkit can remove essentially all traces of itself from the Object Manager: the pointers of the neighbouring entries are rewritten so that they skip over the rootkit's own entry. This is possible because the kernel and loadable drivers run with privileged, direct access to memory. When the system kernel queries the list of all running processes, it relies on the EPROCESS structures to find them. However, because the Windows kernel is thread-based and not process-based, these pointers can be freely modified without unintended effects.〔https://www.blackhat.com/presentations/win-usa-04/bh-win-04-butler.pdf Butler, Jamie. ''DKOM'', HBGary. Retrieved 5/14/2014.〕 By modifying the linked-list pointers to wrap around the rootkit process itself, the rootkit becomes invisible to the Windows Event Viewer and to any system-integrity application that relies on this list. This gives DKOM rootkits free rein over the targeted system.

==DKOM Uses==
Documented uses of DKOM include:〔http://bsodtutorials.blogspot.com/2014/01/rootkits-direct-kernel-object.html Miller, Harry. ''BSOD Tutorials: Rootkits''. BSODTUTORIALS, 27 January 2014. Retrieved 5/1/2014.〕
*Hide processes
*Hide drivers
*Hide ports
*Elevate the privilege level of threads and processes
*Skew forensics
*Full control of the system
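As an added illustration (not part of the article), a user-mode C simulation of the cross-view check that integrity tools use against this kind of hiding: the process list is walked from its head, and every object in an independent PID-indexed table that the walk never reaches is reported. The `list_entry` and `fake_eprocess` layouts, the PID table and the sample processes are constructed stand-ins, not the real Windows structures.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for LIST_ENTRY and EPROCESS; not the Windows layouts. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;
typedef struct fake_eprocess {
    unsigned pid;
    list_entry active_process_links;   /* the linked list a DKOM rootkit edits */
} fake_eprocess;

#define MAX_PID 8
static fake_eprocess procs[MAX_PID];
static fake_eprocess *pid_table[MAX_PID]; /* independent view: PID-indexed table */
static list_entry head;                   /* head the list walk starts from */
static unsigned hidden_pids[MAX_PID];     /* output buffer for find_hidden() */
/* Append to the circular list, as the kernel does when a process is created. */
static void link_process(fake_eprocess *p) {
    list_entry *e = &p->active_process_links;
    e->flink = &head;
    e->blink = head.blink;
    head.blink->flink = e;
    head.blink = e;
}
/* Sample state: PIDs 1-4 are live objects in the table, but PID 4 was never
 * linked, so a walk from the head sees only three processes. */
void build_sample(void) {
    head.flink = head.blink = &head;
    memset(pid_table, 0, sizeof pid_table);
    for (unsigned i = 0; i < 4; i++) {
        procs[i].pid = i + 1;
        pid_table[i + 1] = &procs[i];
        if (procs[i].pid != 4) link_process(&procs[i]);
    }
}
/* Is this object reachable by walking the list from its head? */
static int reachable_from_list(const fake_eprocess *p) {
    for (list_entry *e = head.flink; e != &head; e = e->flink)
        if ((fake_eprocess *)((char *)e - offsetof(fake_eprocess, active_process_links)) == p)
            return 1;
    return 0;
}
/* Cross-view check: every PID present in the table but absent from the list is
 * reported in out[]; the return value is the number of such processes. */
int find_hidden(unsigned *out, int max_out) {
    int found = 0;
    for (unsigned pid = 1; pid < MAX_PID; pid++)
        if (pid_table[pid] && !reachable_from_list(pid_table[pid]) && found < max_out)
            out[found++] = pid;
    return found;
}
```

The same comparison is what a real cross-view tool does with a second, independently obtained enumeration; whichever side the rootkit forgot to edit exposes the discrepancy.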