Bilkent University
Department of Computer Engineering


Windows Direct Kernel Object Manipulation Techniques


Osman Pamuk
MSc Student
Computer Engineering Department
Bilkent University

Rootkit techniques are widely used by applications to change the regular way the Windows operating system functions. For malware they are a powerful mechanism to hide its existence or to escalate its privileges; for protection software they are a means to monitor the system accurately and detect malware. Whatever the reason, Microsoft does not support and strongly discourages the use of these undocumented techniques. Kernel rootkit techniques in particular are powerful at attacking the Windows system and are a serious threat to operating system integrity. To address this issue, Microsoft introduced several security features in its latest operating systems to prevent unauthorized changes to kernel code. These features have largely succeeded in stopping the kernel rootkit techniques that depend on static kernel code modifications, which are easy to detect. By contrast, manipulations of dynamic kernel data are still hard to control and verify. In this work we focus on direct kernel object manipulation (DKOM) techniques, which rely on these dynamic manipulations. DKOM techniques exploit the fact that the operating system uses kernel objects for auditing and bookkeeping: modifying these objects misleads the operating system and prevents it from interpreting the system state accurately. We describe the DKOM techniques used to hide processes and modules and to manipulate tokens. We then discuss the effectiveness of the features Microsoft implemented to protect the kernel code, and the detection methods for hidden processes. To verify all of this, we demonstrate the techniques mentioned. In conclusion, we show that, despite the temporary success of the newly introduced prevention features, they are insufficient to prevent DKOM techniques, and the detection systems prove inadequate for uncovering the hidden objects.


DATE: 19 January, 2010, Tuesday @ 14:00