
Understanding Rootkits: The Ultimate Cybersecurity Nightmare and Direct Kernel Object Manipulation

  • 47 minutes ago
  • 4 min read

Rootkits have been keeping cybersecurity pros up at night for years. These sneaky pieces of malware can hide deep inside a system, making their presence nearly impossible to detect using regular security tools. They can mask processes, files, registry entries, and even network connections, making incident response a real headache.

So, what exactly is a rootkit?

Think of it like a magician’s trick—it diverts attention and manipulates what you see. A rootkit alters the system’s usual flow, rerouting commands and data to conceal itself. In some cases, rootkits can give attackers full control over a system while remaining completely invisible. This is why traditional antivirus tools often fail against them.


-----------------------------------------------------------------------------------------------------------

How Do You Detect Rootkits?

Since rootkits are built to hide, finding them requires an approach beyond standard security tools.

The best way to detect them is from outside the running, possibly compromised operating system: memory analysis of a captured RAM image and offline disk forensics, so that the rootkit's hooks are not sitting in the path of your examination.

Every action a rootkit takes—executing code, establishing network connections, or installing drivers—leaves some trace.


The key is knowing where to look.

The Evolution of Rootkits

Rootkits have evolved over time, moving from basic techniques to highly sophisticated methods:

  1. Userland Rootkits – These operate in user space, where regular applications run. They modify processes by hooking the Import Address Table (IAT) or by patching the first bytes of a function in memory (an inline hook) to redirect execution to their own code. These are easier to detect, because a process's memory can be compared against its on-disk image, but they are still effective at avoiding basic security tools.


  2. Kernel Rootkits – These are much more dangerous. They manipulate core system structures like the Interrupt Descriptor Table (IDT), the System Service Descriptor Table (SSDT), and the IRP dispatch tables of device drivers (the MajorFunction array in each DRIVER_OBJECT) so that their own code runs whenever an interrupt, a system call, or an I/O request is handled. Since they work at the kernel level, with the same privileges as the operating system itself, they are harder to detect and remove. Microsoft has countered them on 64-bit Windows with PatchGuard (Kernel Patch Protection), which periodically checks these structures for modification, and Driver Signature Enforcement, which refuses to load unsigned drivers.


  3. Bootkits – These take things to the next level by attacking the system before the operating system even loads. A bootkit modifies the boot chain (historically the Master Boot Record or Volume Boot Record, on modern machines the UEFI boot components) so that malicious code runs first and can patch the kernel as it is loaded, bypassing protections the kernel would otherwise enforce. A related variant loads a thin malicious hypervisor before the OS and runs the real operating system as a guest beneath it, where it can be watched and manipulated without a single hook inside the guest.


  4. Firmware and Hardware Rootkits – These are the latest breed and the hardest to remove. They embed themselves in system or device firmware (UEFI, a network card, a disk controller), meaning they persist even after formatting the disk or reinstalling the OS; cleaning them means reflashing the firmware or replacing the hardware.
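The two checks behind the userland (IAT/inline hook) and kernel (SSDT/IRP table) rootkit classes above reduce to one question: does each pointer or first instruction still lead where it should? The program below is an added example written for this page, not code from any rootkit or from Volatility. Every address, module name (including the hypothetical evil.sys) and byte sequence is constructed; the dispatch-table audit models what the ssdt/driverirp plugins do, and the prologue check models what apihooks does for the three common x64 patch shapes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A loaded module's virtual address range, as taken from the loaded-module
 * list (Volatility: windows.modules). All values below are constructed. */
typedef struct {
    const char *name;
    uint64_t    base;
    uint64_t    size;
} module_range_t;

static const module_range_t sample_modules[] = {
    { "ntoskrnl.exe", 0xFFFFF80000400000ULL, 0x800000ULL },
    { "win32k.sys",   0xFFFFF96000010000ULL, 0x300000ULL },
    { "evil.sys",     0xFFFFF88003A00000ULL, 0x010000ULL },  /* hypothetical rootkit driver */
};
static const char *const trusted_names[] = { "ntoskrnl.exe", "win32k.sys" };

/* Constructed SSDT-style table: entries 2 and 4 have been redirected. */
static const uint64_t sample_table[] = {
    0xFFFFF80000401234ULL,   /* -> ntoskrnl */
    0xFFFFF80000405678ULL,   /* -> ntoskrnl */
    0xFFFFF88003A00100ULL,   /* -> evil.sys: hooked */
    0xFFFFF80000409ABCULL,   /* -> ntoskrnl */
    0xFFFFF88009990000ULL,   /* -> no known module: unlisted/unlinked driver */
};

static const module_range_t *owner_of(uint64_t addr,
                                      const module_range_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* Kernel-side check (the idea behind ssdt/driverirp): every dispatch entry
 * must resolve to a module expected to own it. Returns the number of
 * suspicious entries and stores their indices in 'bad'. */
static size_t audit_dispatch_table(const uint64_t *table, size_t n_entries,
                                   const module_range_t *mods, size_t n_mods,
                                   const char *const *trusted, size_t n_trusted,
                                   size_t *bad, size_t bad_cap) {
    size_t found = 0;
    for (size_t i = 0; i < n_entries; i++) {
        const module_range_t *m = owner_of(table[i], mods, n_mods);
        int ok = 0;
        for (size_t t = 0; m != NULL && t < n_trusted; t++)
            if (strcmp(m->name, trusted[t]) == 0) ok = 1;
        if (ok) continue;
        if (found < bad_cap) bad[found] = i;
        found++;
    }
    return found;
}

/* Userland-side check (the idea behind apihooks): does the first instruction
 * of a function transfer control elsewhere? Recognises the three common x64
 * patch shapes and returns the resolved target, or 0 if the prologue is clean.
 * 'va' is the virtual address the bytes were read from. */
static uint64_t inline_hook_target(const uint8_t *code, size_t len, uint64_t va) {
    if (len >= 5 && code[0] == 0xE9) {                     /* JMP rel32 */
        int32_t rel; memcpy(&rel, code + 1, 4);
        return va + 5 + (int64_t)rel;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {  /* PUSH imm32; RET */
        uint32_t imm; memcpy(&imm, code + 1, 4);
        return imm;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {  /* JMP [RIP+disp32] */
        int32_t disp; memcpy(&disp, code + 2, 4);
        return va + 6 + (int64_t)disp;   /* x64: address of the pointer slot */
    }
    return 0;
}

int main(void) {
    size_t bad[8];
    size_t n = audit_dispatch_table(sample_table, 5, sample_modules, 3,
                                    trusted_names, 2, bad, 8);
    for (size_t i = 0; i < n; i++) {
        const module_range_t *m = owner_of(sample_table[bad[i]], sample_modules, 3);
        printf("SSDT[%zu] -> 0x%llx owned by %s\n", bad[i],
               (unsigned long long)sample_table[bad[i]], m ? m->name : "UNKNOWN");
    }
    /* Constructed prologues: a clean x64 syscall stub and a JMP-patched one. */
    const uint8_t clean[]  = { 0x4C, 0x8B, 0xD1, 0xB8, 0x36, 0x00, 0x00, 0x00 };
    const uint8_t hooked[] = { 0xE9, 0xFB, 0xFF, 0x0F, 0x00, 0x90, 0x90, 0x90 };
    uint64_t va = 0x00007FF800001000ULL;                   /* hypothetical */
    printf("clean  -> 0x%llx\n", (unsigned long long)inline_hook_target(clean, 8, va));
    printf("hooked -> 0x%llx\n", (unsigned long long)inline_hook_target(hooked, 8, va));
    return 0;
}
```

The two results are read the same way in practice: an entry owned by a module you cannot account for (or by no listed module at all) and a prologue whose first instruction jumps out of its own module are both leads to chase, not verdicts. Legitimate software (antivirus, some game anti-cheat) hooks the same places, so the next step is always to identify the owning module and decide whether it belongs there.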

The good news?

They’re still rare, but as cybersecurity defenses improve, attackers are shifting toward these more advanced techniques.


-------------------------------------------------------------------------------------------------------------

How to Detect and Remove Rootkits

Since rootkits are masters of deception, you need specialized tools to uncover them.

Volatility, a popular memory forensics tool, offers several plugins to detect different types of rootkit activity:


  • apihooks – Identifies hooks in user space: IAT entries and function prologues (inline patches) that point outside the module they belong to.

  • idt, ssdt, and driverirp – Audits kernel structures commonly targeted by rootkits.

  • psxview – Cross-checks process listings from multiple sources to find hidden processes.

  • modules and modscan – modules walks the kernel's loaded-module list; modscan scans memory for module entries whether or not they are still linked. A driver that appears in modscan but not in modules has been unlinked, the driver-side equivalent of the process-hiding trick described below.


Plugins in Volatility 3:
  • ssdt: Supported as windows.ssdt.SSDT.

  • driverirp: Supported as windows.driverirp.DriverIrp.

  • psxview: Supported as windows.psxview.PsXView.

  • modules: Supported as windows.modules.Modules.

  • modscan: Supported as windows.modscan.ModScan.


----------------------------------------------------------------------------------------------------------------

By understanding classic rootkit detection methods, security analysts can better prepare for emerging threats. And who knows? With the right skills, you might just be the one to discover a brand-new rootkit in the wild!

----------------------------------------------------------------------------------------------------------------


Understanding Direct Kernel Object Manipulation (DKOM) in the Real World

Direct Kernel Object Manipulation (DKOM) is one of the stealthiest techniques used by rootkits to hide malicious activity in an operating system. Think of it as a hacker sneaking into a party and removing their name from the guest list, yet still roaming around unnoticed.


What is DKOM?

As the name suggests, DKOM allows malware to tamper with kernel objects directly in memory. These changes never touch the disk, making detection incredibly difficult. Since traditional security tools rely on standard kernel structures to track processes and drivers, any tampering with these structures can cause certain activities to become invisible to these tools.


How DKOM Works

One of the most common ways DKOM is used is by unlinking processes from the standard kernel process list.


For instance, let's say a malicious process called attacker.exe is running. Normally, tools like tasklist.exe, Sysinternals' pslist.exe, or even forensic tools like Volatility's pslist would be able to detect it, because all of them ultimately enumerate the same kernel-maintained linked list of EPROCESS structures.

But if an attacker uses DKOM to unlink attacker.exe's EPROCESS from that list, the process keeps running, because the scheduler dispatches threads and never consults the process list, while most system monitoring tools fail to see it.


To put it simply,

DKOM exploits how the system keeps track of running processes and drivers, removing malicious ones from standard monitoring methods without actually stopping them.


----------------------------------------------------------------------------------------------------------------


Detecting DKOM with Volatility’s psxview

Even though DKOM is designed to be stealthy, it’s not completely undetectable.


Volatility’s psxview plugin is one of the best tools to catch DKOM-based process hiding. Instead of relying on just one method to list processes, psxview cross-checks multiple sources to identify discrepancies.

akashpatel@Akash-Laptop:~/Memorytool/volatility3$ python3 vol.py -f /mnt/c/Users/Akash\'s/Downloads/solarmarker/solarmarker.img windows.psxview -R > /mnt/c/Users/Akash\'s/Downloads/psxr.txt
Here’s how:

  • pslist – Walks the doubly linked list of EPROCESS structures (ActiveProcessLinks, starting from PsActiveProcessHead). This is the standard method and the one DKOM targets.

  • psscan – Scans physical memory for allocations that look like EPROCESS structures (pool tag plus sanity checks), so it finds unlinked processes and even terminated ones whose memory has not been reused.

  • thrdproc – Scans for thread objects and maps each back to its owning process; a process must have at least one thread to run.

  • pspcid – Uses the PspCidTable, the kernel handle table that maps every process and thread ID to its object.

  • csrss – Enumerates the process handles held by csrss.exe, which is notified of every Win32 process that is created.

  • session – Lists processes from the per-session process lists kept in session space.

  • deskthrd – Finds threads attached to desktop objects and maps them to their processes.



The psxview output gives a True or False for each process under each of these checks.

If a process is missing from pslist but appears in other sources like psscan, it's a red flag that something is trying to hide.

A False is not automatically malicious, though: the System process and smss.exe are legitimately unknown to csrss, and a process that has already exited can linger in psscan output while being absent from everything else. Read the row as a whole and confirm the process is still alive (threads, handles, memory regions) before calling it hidden.


-------------------------------------------------------------------------------------------------------------

You might ask me a question: if psscan can find hidden processes, why bother with psxview?

Because comparison is key! psscan on its own returns every process-shaped object in memory, alive, hidden or long exited, with nothing to say which is which. A process appearing in low-level scans but missing from the high-level list walk is what signals manipulation. Without that comparison, a hidden process looks like any other legitimate one.
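To make both halves concrete, the unlink described under "How DKOM Works" and the cross-view comparison behind psxview, here is an added example written for this page; it is not code from any rootkit, from Windows, or from Volatility. It models a tiny EPROCESS with only the fields the technique needs, a constructed pool of process objects, and the four-process scenario (attacker.exe as the hidden one) is made up for the demonstration. The list walk plays the role of pslist, the tag-based carve plays the role of psscan, and cross_view reports what psxview would flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the kernel structures involved. A real EPROCESS is far
 * larger; only the fields the technique and the detection need are modelled. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;

#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

#define POOL_TAG_PROC 0x636F7250u   /* "Proc", the tag on process allocations */

typedef struct {
    uint32_t   PoolTag;             /* pool header tag, modelled inline */
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;  /* the list DKOM unlinks from */
    char       ImageFileName[16];
} EPROCESS;

/* Constructed "physical memory": a pool of EPROCESS-sized slots. */
#define POOL_SLOTS 8
static EPROCESS   g_pool[POOL_SLOTS];
static LIST_ENTRY PsActiveProcessHead;

static void list_init(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void list_insert_tail(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}

static EPROCESS *create_process(size_t slot, uint32_t pid, const char *name) {
    EPROCESS *p = &g_pool[slot];
    memset(p, 0, sizeof *p);
    p->PoolTag = POOL_TAG_PROC;
    p->UniqueProcessId = pid;
    strncpy(p->ImageFileName, name, sizeof p->ImageFileName - 1);
    list_insert_tail(&PsActiveProcessHead, &p->ActiveProcessLinks);
    return p;
}

/* The DKOM step: unlink the object but leave it fully intact. The neighbours
 * are pointed at each other, and the victim's own links are pointed at itself
 * so the kernel's own unlink on process exit does not corrupt the list. */
static void dkom_hide(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;
}

/* "pslist" view: walk the list the way the enumeration APIs do. */
static size_t view_pslist(uint32_t *pids, size_t cap) {
    size_t n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) {
        if (n < cap) pids[n] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
        n++;
    }
    return n;
}

/* "psscan" view: ignore the list and carve every slot carrying the tag. */
static size_t view_psscan(uint32_t *pids, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < POOL_SLOTS; i++) {
        if (g_pool[i].PoolTag != POOL_TAG_PROC) continue;
        if (n < cap) pids[n] = g_pool[i].UniqueProcessId;
        n++;
    }
    return n;
}

/* psxview-style cross-check: a pid present in the scan but absent from the
 * list walk is the DKOM signature. Returns the count, writes pids to 'hidden'. */
static size_t cross_view(uint32_t *hidden, size_t cap) {
    uint32_t a[POOL_SLOTS], b[POOL_SLOTS];
    size_t na = view_pslist(a, POOL_SLOTS), nb = view_psscan(b, POOL_SLOTS), n = 0;
    for (size_t i = 0; i < nb; i++) {
        int seen = 0;
        for (size_t j = 0; j < na; j++) if (a[j] == b[i]) seen = 1;
        if (!seen) { if (n < cap) hidden[n] = b[i]; n++; }
    }
    return n;
}

/* Constructed scenario: four processes, attacker.exe (pid 4444) then hidden. */
static void build_scenario(void) {
    memset(g_pool, 0, sizeof g_pool);
    list_init(&PsActiveProcessHead);
    create_process(0, 4, "System");
    create_process(1, 600, "csrss.exe");
    create_process(2, 4444, "attacker.exe");
    create_process(3, 1234, "explorer.exe");
    dkom_hide(&g_pool[2]);
}

int main(void) {
    uint32_t pids[POOL_SLOTS], hidden[POOL_SLOTS];
    build_scenario();
    size_t n = view_pslist(pids, POOL_SLOTS);
    printf("pslist (%zu):", n); for (size_t i = 0; i < n; i++) printf(" %u", pids[i]); puts("");
    n = view_psscan(pids, POOL_SLOTS);
    printf("psscan (%zu):", n); for (size_t i = 0; i < n; i++) printf(" %u", pids[i]); puts("");
    n = cross_view(hidden, POOL_SLOTS);
    for (size_t i = 0; i < n; i++) printf("HIDDEN: pid %u in psscan but not in pslist\n", hidden[i]);
    return 0;
}
```

The point the model makes is the one the section makes: after dkom_hide nothing about attacker.exe's object changed except two pointers in its neighbours, so anything that walks the list (the kernel's own APIs, tasklist, pslist) counts three processes while anything that scans memory still counts four. The only way to turn "four process-shaped objects" into "one hidden process" is the comparison.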



-------------------------------------------------------------------------------------------------------------

We will talk more about rootkits and detection in upcoming articles, so stay connected. Happy hunting, and see you in the next one.

----------------------------------------------------------------------------------------------------------


Final Thoughts

DKOM remains one of the most effective ways malware hides in a system, and while modern security features help mitigate its impact, it’s still a viable attack technique in many environments.

Using tools like psxview in Volatility provides a solid method for uncovering hidden processes and detecting rootkits in memory.


The key takeaway? If something doesn’t show up where it should, dig deeper!

----------------------------------------Dean----------------------------------------------------


