Direct Kernel Object Manipulation (DKOM) is a technique that modifies kernel data structures directly in memory, without going through any documented API. Using DKOM, an attacker can hide a process or a driver. To hide a process, the attacker locates the _EPROCESS structure of the malicious process and rewrites the pointers around its ActiveProcessLinks field (a LIST_ENTRY holding the Flink and Blink pointers). In particular, the Flink of the previous _EPROCESS block is made to point to the ActiveProcessLinks entry of the following _EPROCESS block, and the Blink of the following _EPROCESS block is set to point to the ActiveProcessLinks entry of the previous _EPROCESS block (each pointer targets the LIST_ENTRY, whose address is that of its Flink field). As a result, the _EPROCESS block associated with the malware process is unlinked from the doubly linked list, while the block itself stays intact in memory and the process keeps running, since the scheduler works from threads rather than from this list (as shown here):
![](assets/76bf7c13-66fe-4eb9-b02b-b765d27de5e3.png)
By unlinking a process, an attacker can hide the malicious process from live forensic tools (and from Task Manager and similar utilities) that rely on walking the doubly linked list to enumerate the active processes. As you might have guessed, this technique also hides the malicious process from the pslist plugin, which walks the same list. The following is the pslist and psscan output from a system infected with the prolaco rootkit, which performs DKOM to hide a process. For the sake of brevity, some of the entries are truncated from the following output. When you compare the output from pslist and psscan, you will notice an additional process called nvid.exe (pid 1700) in the psscan output that is not present in the pslist output:
```
$ python vol.py -f infected.vmem --profile=WinXPSP3x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name          PID  PPID Thds Hnds Sess Wow64 Start
---------- ------------- ---- ---- ---- ---- ---- ----- -------------------
0x819cc830 System           4    0   56  256 ----     0
0x814d8380 smss.exe       380    4    3   19 ----     0 2014-06-11 14:49:36
0x818a1868 csrss.exe      632  380   11  423    0     0 2014-06-11 14:49:36
0x813dc1a8 winlogon.exe   656  380   24  524    0     0 2014-06-11 14:49:37
0x81659020 services.exe   700  656   15  267    0     0 2014-06-11 14:49:37
0x81657910 lsass.exe      712  656   24  355    0     0 2014-06-11 14:49:37
0x813d7688 svchost.exe    884  700   21  199    0     0 2014-06-11 14:49:37
0x818f5d10 svchost.exe    964  700   10  235    0     0 2014-06-11 14:49:38
0x813cf5a0 svchost.exe   1052  700   84 1467    0     0 2014-06-11 14:49:38
0x8150b020 svchost.exe   1184  700   16  211    0     0 2014-06-11 14:49:40
0x81506c68 spoolsv.exe   1388  700   15  131    0     0 2014-06-11 14:49:40
0x81387710 explorer.exe  1456 1252   16  459    0     0 2014-06-11 14:49:55
```
```
$ python vol.py -f infected.vmem --profile=WinXPSP3x86 psscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name          PID  PPID PDB        Time created
------------------ ------------- ---- ---- ---------- -------------------
0x0000000001587710 explorer.exe  1456 1252 0x08440260 2014-06-11 14:49:55
0x00000000015cf5a0 svchost.exe   1052  700 0x08440120 2014-06-11 14:49:38
0x00000000015d7688 svchost.exe    884  700 0x084400e0 2014-06-11 14:49:37
0x00000000015dc1a8 winlogon.exe   656  380 0x08440060 2014-06-11 14:49:37
0x00000000016ba360 nvid.exe      1700 1660 0x08440320 2014-10-17 09:16:10
0x00000000016d8380 smss.exe       380    4 0x08440020 2014-06-11 14:49:36
0x0000000001706c68 spoolsv.exe   1388  700 0x084401a0 2014-06-11 14:49:40
0x000000000170b020 svchost.exe   1184  700 0x08440160 2014-06-11 14:49:40
0x0000000001857910 lsass.exe      712  656 0x084400a0 2014-06-11 14:49:37
0x0000000001859020 services.exe   700  656 0x08440080 2014-06-11 14:49:37
0x0000000001aa1868 csrss.exe      632  380 0x08440040 2014-06-11 14:49:36
0x0000000001af5d10 svchost.exe    964  700 0x08440100 2014-06-11 14:49:38
0x0000000001bcc830 System           4    0 0x00319000
```
As mentioned earlier, psscan detects the hidden process because it does not walk the list at all: pool tag scanning carves _EPROCESS objects out of physical memory by looking for the pool header tag (Proc) and validating the structure that follows it, so the pointers the rootkit altered never come into play. The same property means psscan can also report processes that have already exited but whose memory has not yet been reused, so an entry that appears only in psscan should be checked for an exit time before it is called hidden.
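The unlink described at the start of this section, and the reason a pool scan still finds the block afterwards, modelled in C as an added example (this is not code from the page, from Volatility, or from the prolaco rootkit). The LIST_ENTRY, the toy _EPROCESS layout with its pool tag folded into the struct, the fixed pool array and the PIDs are all constructed assumptions; the real _EPROCESS is far larger and the real tag sits in a _POOL_HEADER in front of the object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the Windows LIST_ENTRY: an intrusive doubly linked list node. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Toy _EPROCESS (constructed layout, not the real one). The pool tag that precedes
 * a real process object is folded into the struct so the "pool" array below can
 * be scanned for it the way psscan scans for "Proc". */
#define PROC_TAG 0x636f7250u   /* "Proc" as a little-endian uint32 */
typedef struct {
    uint32_t   PoolTag;
    uint32_t   UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
} EPROCESS;

/* Recover the enclosing _EPROCESS from a pointer to its ActiveProcessLinks. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define MAX_PROCS 8
static EPROCESS   pool[MAX_PROCS];      /* the memory a scanner would carve */
static LIST_ENTRY PsActiveProcessHead;  /* head of the active process list */

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* DKOM unlink: the previous entry's Flink is pointed at the next entry and the
 * next entry's Blink at the previous entry. The _EPROCESS is neither freed nor
 * otherwise changed, which is why a pool scan still finds it afterwards. */
static void dkom_unlink(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;  /* self-link so later list ops on it stay harmless */
}

/* Constructed sample: a few PIDs borrowed from the psscan output above. */
static void build_sample(void) {
    static const uint32_t pids[] = {4, 380, 632, 1456, 1700};
    memset(pool, 0, sizeof pool);
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (size_t i = 0; i < sizeof pids / sizeof pids[0]; i++) {
        pool[i].PoolTag = PROC_TAG;
        pool[i].UniqueProcessId = pids[i];
        list_insert_tail(&PsActiveProcessHead, &pool[i].ActiveProcessLinks);
    }
}

/* What the rootkit does: unlink one PID. Returns 1 if the PID was found. */
static int hide_process(uint32_t pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (pool[i].PoolTag == PROC_TAG && pool[i].UniqueProcessId == pid) {
            dkom_unlink(&pool[i].ActiveProcessLinks);
            return 1;
        }
    return 0;
}

/* pslist-style enumeration: follow Flink from PsActiveProcessHead. */
static int walk_active_list(uint32_t *out, int max) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink;
         e != &PsActiveProcessHead && n < max; e = e->Flink)
        out[n++] = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* psscan-style enumeration: ignore the list, carve every block carrying the tag. */
static int scan_pool_tags(uint32_t *out, int max) {
    int n = 0;
    for (int i = 0; i < MAX_PROCS && n < max; i++)
        if (pool[i].PoolTag == PROC_TAG) out[n++] = pool[i].UniqueProcessId;
    return n;
}

/* Cross-view check, as comparing pslist with psscan does:
 * 1 = seen by the list walk, 0 = only by the pool scan (hidden), -1 = absent. */
static int visibility(uint32_t pid) {
    uint32_t p[MAX_PROCS];
    int n = walk_active_list(p, MAX_PROCS);
    for (int i = 0; i < n; i++) if (p[i] == pid) return 1;
    n = scan_pool_tags(p, MAX_PROCS);
    for (int i = 0; i < n; i++) if (p[i] == pid) return 0;
    return -1;
}

int main(void) {
    build_sample();
    hide_process(1700);
    printf("pid 1700 after DKOM: visibility=%d (0 = hidden from list walk, found by scan)\n",
           visibility(1700));
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 dkom.c`). The point to take from it is that the unlink touches only two neighbouring pointers, so a process that the list walk no longer reaches is still a fully tagged block in the pool; that is the gap between pslist and psscan that the nvid.exe entry above exposes.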