Corrupting Kernel Data

Before I conclude this chapter, let's consider the following: What happens when one of your hidden objects is found and killed?

In the best case scenario, nothing. In the worst case scenario, the kernel panics. When an object is killed, the kernel unconditionally removes it from its various lists; however, a hidden object has already been removed from those lists. The kernel therefore fails to find it, walks off the end of its lists, and corrupts those data structures in the process.

To prevent this data corruption, here are some suggestions:

  • Hook the terminating function(s) to prevent them from removing your hidden objects.

  • Hook the terminating function(s) to place your hidden objects back onto the lists before ...
