Hiding with DKOM

As you've seen, the main challenge to overcome when hiding an object with DKOM is removing every reference to that object from the kernel; any list, hash chain, or pointer you miss is a place the object can still be found. The most reliable way to enumerate those references is to read, and then mimic, the source code of the object's terminating function(s), because those functions exist precisely to unlink the object from everything that references it. For instance, to identify all the data structures that reference a running process, refer to the kernel implementation of the _exit(2) system call, which lives in the file /sys/kern/kern_exit.c.
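To make the point concrete, here is a userland simulation of the problem. This is an added example, not code from Designing BSD Rootkits or from the FreeBSD kernel: the struct proc and the three lists are toys whose link-field names (p_list, p_hash, p_pglist) are borrowed from FreeBSD's struct proc, the choice of exactly three lists is an assumption made for illustration, and the real kernel additionally requires the appropriate locks to be held and unlinks from more structures than this. What the toy shows is why unlinking from allproc alone is not enough: the kernel's own pid lookup walks the pid hash chain, not allproc, so a half-hidden process is still reachable.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, userland only. struct proc is a stand-in for the kernel's
 * process structure; a process sits on three lists at once, mirroring the
 * allproc list (p_list), the pid hash chains (p_hash) and a process-group
 * member list (p_pglist). Field names are borrowed from FreeBSD's struct
 * proc; the rest is assumed for illustration.
 */
struct proc {
    int          p_pid;
    char         p_comm[16];
    struct proc *p_list;    /* next entry on allproc */
    struct proc *p_hash;    /* next entry on this pid hash chain */
    struct proc *p_pglist;  /* next entry on the pgrp member list */
};

#define PIDHASH_SZ 16
#define PIDHASH(pid) ((pid) & (PIDHASH_SZ - 1))

static struct proc *allproc;                 /* head of the process list */
static struct proc *pidhashtbl[PIDHASH_SZ];  /* per-bucket chain heads */
static struct proc *pgrp_members;            /* a single pgrp, for brevity */

/* Generic singly linked unlink: walk the chain at *head following the link
 * field at byte offset link_off, and splice p out if it is present. */
static int list_unlink(struct proc **head, struct proc *p, size_t link_off)
{
    struct proc **pp = head;
    while (*pp != NULL) {
        if (*pp == p) {
            *pp = *(struct proc **)((char *)p + link_off);
            return 1;
        }
        pp = (struct proc **)((char *)*pp + link_off);
    }
    return 0;
}

static int list_contains(struct proc *head, struct proc *p, size_t link_off)
{
    for (; head != NULL; head = *(struct proc **)((char *)head + link_off))
        if (head == p)
            return 1;
    return 0;
}

/* Mimic process creation: link p onto every structure used to find it. */
void proc_link(struct proc *p, int pid, const char *comm)
{
    p->p_pid = pid;
    strncpy(p->p_comm, comm, sizeof(p->p_comm) - 1);
    p->p_comm[sizeof(p->p_comm) - 1] = '\0';
    p->p_list = allproc;
    allproc = p;
    p->p_hash = pidhashtbl[PIDHASH(pid)];
    pidhashtbl[PIDHASH(pid)] = p;
    p->p_pglist = pgrp_members;
    pgrp_members = p;
}

/* Pid lookup walks the hash chain, not allproc, just as the kernel's does. */
struct proc *pfind(int pid)
{
    struct proc *p;
    for (p = pidhashtbl[PIDHASH(pid)]; p != NULL; p = p->p_hash)
        if (p->p_pid == pid)
            return p;
    return NULL;
}

/* Count how many of the lists still point at p. */
int refs_remaining(struct proc *p)
{
    return list_contains(allproc, p, offsetof(struct proc, p_list))
         + list_contains(pidhashtbl[PIDHASH(p->p_pid)], p, offsetof(struct proc, p_hash))
         + list_contains(pgrp_members, p, offsetof(struct proc, p_pglist));
}

/* The incomplete hide: drops p from allproc only, so a ps(1)-style walk
 * misses it, but pfind() and the pgrp list still reach it. */
int hide_proc_allproc_only(struct proc *p)
{
    list_unlink(&allproc, p, offsetof(struct proc, p_list));
    return refs_remaining(p);
}

/* The hide that follows the advice above: unlink p from every list the
 * process teardown path would unlink it from. Returns the reference count
 * left behind, which should be 0. */
int hide_proc(struct proc *p)
{
    list_unlink(&allproc, p, offsetof(struct proc, p_list));
    list_unlink(&pidhashtbl[PIDHASH(p->p_pid)], p, offsetof(struct proc, p_hash));
    list_unlink(&pgrp_members, p, offsetof(struct proc, p_pglist));
    return refs_remaining(p);
}

int main(void)
{
    static struct proc init, shell, target;      /* constructed sample processes */
    proc_link(&init, 1, "init");
    proc_link(&shell, 1234, "sh");
    proc_link(&target, 1250, "backdoor");       /* shares a hash bucket with 1234 */

    printf("allproc-only hide leaves %d reference(s); pfind(1250) = %p\n",
           hide_proc_allproc_only(&target), (void *)pfind(1250));
    printf("full hide leaves %d reference(s); pfind(1250) = %p\n",
           hide_proc(&target), (void *)pfind(1250));
    printf("pfind(1234) still resolves to %s\n",
           pfind(1234) ? pfind(1234)->p_comm : "(lost)");
    return 0;
}
```

The pids 1234 and 1250 are chosen to land in the same hash bucket, so the full hide also exercises unlinking from the middle of a chain without breaking the neighbour's lookup. In a real kernel the equivalent check is to grep kern_exit.c for every LIST_REMOVE and similar unlink performed on the exiting process and make sure your hiding code performs the same set, under the same locks.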

Note

Because sorting through unfamiliar kernel code is never quick or easy, I didn't dump the source for _exit(2) back in "Hiding a Running Process," where hiding a running process was first discussed.

At this point, you should know enough to be ...
