Windows Memory Forensics and Direct Kernel Object Manipulation
DoD Cyber Crime Conference, 2011
Rootkits use Direct Kernel Object Manipulation (DKOM) to hide processes, services, files, and other resources from users, but these techniques are readily exposed through memory analysis. However, what if an attacker performed DKOM in such a manner as to hide from both the user AND memory analysis applications? This presentation will show how attackers may be able to accomplish just that. We will introduce specialized DKOM techniques that hide resources not only from the user but also from a few well-known memory analysis applications.