Contents

Chapter 13 Modifying Kernel Objects 603

13.1 The Cost of Invisibility 603

Issue #1: The Steep Learning Curve 604

Issue #2: Concurrency 604

Issue #3: Portability and Pointer Arithmetic 605

Branding the Technique: DKOM 607

Objects? 607

13.2 Revisiting the EPROCESS Object 608

Acquiring an EPROCESS Pointer 608

Relevant Fields in EPROCESS 611

UniqueProcessId 611

ActiveProcessLinks 611

Token 613

ImageFileName 613

13.3 The DRIVER_SECTION Object 613

13.4 The Token Object 615

Authorization on Windows 616

Locating the Token Object 619

Relevant Fields in the Token Object 621

13.5 Hiding a Process 625

13.6 Hiding a Driver 630

13.7 Manipulating the Access Token 634

13.8 Using No-FU 637

13.9 Kernel-Mode Callbacks 640

13.10 Countermeasures 643

Cross-View Detection 643

High-Level Enumeration: CreateToolhelp32Snapshot() 644

High-Level Enumeration: PID Bruteforce 646

Low-Level Enumeration: Processes 649

Low-Level Enumeration: Threads 651

Related Software 658

Field Checksums 659

13.11 Counter-Countermeasures 659

The Best Defense: Starve the Opposition 660

Commentary: Transcending the Two-Ring Model 661

The Last Line of Defense 662
