Chapter 7. Direct Kernel Object Manipulation


Generally in war the best policy is to take a state intact; to ruin it is inferior to this.

SUN TZU

In the preceding chapters, we covered a great deal about hooking techniques. Hooking is a very effective approach, largely because a rootkit cannot be compiled into the vendor's distribution of the operating system and must instead insert itself into code paths that already exist. In certain instances, hooking is the only method available to a rootkit programmer.

However, as we saw in earlier chapters, hooking has its drawbacks. If someone knows where to look, a hook can usually be found; in fact, hooks are relatively easy to detect. In Chapter 10, Rootkit Detection, we will cover how to detect hooks, and you will learn about a tool called VICE that does just that. Kernel-protection mechanisms, such as marking certain memory pages read-only, may also render the hooking approach unusable, now or in the future.

In this chapter we discuss another technique that may serve your purposes: Direct Kernel Object Manipulation (DKOM). Specifically, you will learn how to modify some of the objects the kernel relies upon for its bookkeeping and reporting. By the time you have finished this chapter, you should be able to hide processes and drivers without installing any hooks.
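To make concrete what "without installing any hooks" means, here is an added illustration that is not code from the book: a user-mode C simulation of the list-unlinking idea behind DKOM process hiding. It assumes, as the real kernel does, that the objects a process-listing routine walks are chained through a circular doubly-linked LIST_ENTRY; the FAKE_PROCESS structure, its field names and the three sample processes are constructed for this demonstration and are not the kernel's actual EPROCESS layout.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's LIST_ENTRY: links of a circular doubly-linked list. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Recover the enclosing object from a pointer to one of its link fields. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Constructed stand-in for the kernel's per-process bookkeeping object.
   Assumption: only the id, the name and the list links matter for the demo. */
typedef struct _FAKE_PROCESS {
    unsigned long UniqueProcessId;
    char          ImageFileName[16];
    LIST_ENTRY    ActiveProcessLinks;
} FAKE_PROCESS;

static void InitializeListHead(LIST_ENTRY *head) {
    head->Flink = head->Blink = head;
}

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* Walk the list the way a "list all processes" routine would:
   only objects that are still linked are ever seen. */
static int CountVisibleProcesses(LIST_ENTRY *head) {
    int n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) n++;
    return n;
}

static int IsPidVisible(LIST_ENTRY *head, unsigned long pid) {
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        FAKE_PROCESS *p = CONTAINING_RECORD(e, FAKE_PROCESS, ActiveProcessLinks);
        if (p->UniqueProcessId == pid) return 1;
    }
    return 0;
}

/* The DKOM step: splice this object's links out of the list. No function is
   hooked; the neighbours simply stop pointing at it. The object itself is
   left intact, so anything holding its address can still use it. */
static void HideProcess(FAKE_PROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    /* Point the orphaned links at the entry itself, so that a later unlink of
       this object (e.g. at exit) only touches itself, never a stale neighbour. */
    e->Flink = e->Blink = e;
}

/* Build a constructed three-process list, hide one, and report whether the
   list-based view and the object itself behave as the text describes. */
static int RunDemo(void) {
    LIST_ENTRY head;
    FAKE_PROCESS procs[3] = {
        { 4,    "System",       { 0, 0 } },
        { 1234, "rootkit.exe",  { 0, 0 } },   /* the one we hide */
        { 500,  "explorer.exe", { 0, 0 } },
    };
    InitializeListHead(&head);
    for (int i = 0; i < 3; i++) InsertTailList(&head, &procs[i].ActiveProcessLinks);

    int before = CountVisibleProcesses(&head);
    HideProcess(&procs[1]);
    int after = CountVisibleProcesses(&head);

    printf("visible before: %d, after: %d, pid 1234 visible: %d\n",
           before, after, IsPidVisible(&head, 1234));

    return before == 3 && after == 2
        && !IsPidVisible(&head, 1234)
        && IsPidVisible(&head, 4) && IsPidVisible(&head, 500)
        && procs[1].UniqueProcessId == 1234               /* object untouched */
        && procs[1].ActiveProcessLinks.Flink == &procs[1].ActiveProcessLinks
        && procs[0].ActiveProcessLinks.Flink == &procs[2].ActiveProcessLinks;
}

int main(void) {
    return RunDemo() ? 0 : 1;
}
```

The point to take from the simulation is that nothing executable changed: no routine was patched or redirected, so a hook detector has nothing to find, yet every consumer of the list now reports one process fewer. The hidden object is still a valid object for anyone who reaches it by a route other than this list, which is both why the technique works and where a detector would have to look.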

You will also learn how to modify any process's token in order to gain System or Administrator privileges without making a single call to any of the process or token APIs. Preventing this type of attack is very difficult.

(Note: In discussing DKOM, the term object can be used interchangeably with the more familiar term structure. Object is the term Microsoft uses in reference to the kernel structures.)



Rootkits: Subverting the Windows Kernel
ISBN: 0321294319
Year: 2006