Concluding Remarks

Run-time kernel memory patching is one of the strongest techniques for modifying software logic. Theoretically, you can use it to rewrite the entire operating system on the fly. Furthermore, it's somewhat difficult to detect, depending on where you place your patches and whether or not you use inline function hooks.
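The detection point deserves a concrete defender-side illustration. The following C program is an added example, not code from this book or its author: it shows the two checks an integrity monitor typically runs against kernel text on i386, namely classifying what sits at a function's entry point (a `jmp rel32`, `jmp *abs32` or `push imm32; ret` where a normal prologue should be) and comparing a fingerprint of a code region against a baseline taken from a trusted image. The byte sequences, function address and text-segment bounds are constructed for the demonstration; the hypothetical hook diverts control outside the kernel's own text, which is the case a monitor should flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kinds of entry-point rewrite this checker recognises (i386 encodings). */
enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_ABS, HOOK_PUSH_RET };

/* Read a little-endian 32-bit value from a byte buffer, independent of host endianness. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the instruction found at a function's entry. func_addr is the
 * address the bytes were read from; on a hit, *target_out receives the
 * address control is diverted to (for jmp *abs32, the address that holds
 * the pointer). */
enum hook_kind classify_entry(const uint8_t *code, size_t len,
                              uint32_t func_addr, uint32_t *target_out)
{
    uint32_t target = 0;
    enum hook_kind kind = HOOK_NONE;

    if (len >= 5 && code[0] == 0xE9) {                        /* jmp rel32 */
        target = func_addr + 5 + le32(code + 1);              /* wraps mod 2^32 like the CPU */
        kind = HOOK_JMP_REL32;
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) { /* jmp *abs32 */
        target = le32(code + 2);
        kind = HOOK_JMP_ABS;
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* push imm32; ret */
        target = le32(code + 1);
        kind = HOOK_PUSH_RET;
    }
    if (target_out)
        *target_out = target;
    return kind;
}

/* Cheap integrity fingerprint (32-bit FNV-1a) over a code region. The
 * baseline must come from a trusted on-disk image, never from the live
 * kernel, or a patch applied before the baseline was taken goes unnoticed. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* A diverted entry that stays inside the kernel text segment can be
 * legitimate (e.g. a compiler-generated tail jump); one that leaves it is
 * the suspicious case. Bounds are half-open. */
int target_outside_text(uint32_t target, uint32_t text_start, uint32_t text_end)
{
    return target < text_start || target >= text_end;
}

/* Constructed samples, not taken from any real kernel. */
static const uint8_t clean_entry[] =   /* push %ebp; mov %esp,%ebp; sub $0x10,%esp; mov 8(%ebp),%eax */
    { 0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0x8B, 0x45, 0x08 };
static const uint8_t hooked_entry[] =  /* jmp +0x5FEFFB; nop; mov 8(%ebp),%eax */
    { 0xE9, 0xFB, 0xEF, 0x5F, 0x00, 0x90, 0x8B, 0x45, 0x08 };

#define FUNC_ADDR  0xC0401000u   /* hypothetical kernel function address */
#define TEXT_START 0xC0400000u   /* hypothetical kernel text bounds */
#define TEXT_END   0xC0500000u

int main(void)
{
    uint32_t target;
    enum hook_kind k;

    k = classify_entry(clean_entry, sizeof clean_entry, FUNC_ADDR, &target);
    printf("clean:  kind=%d fnv1a=%08x\n", k, fnv1a32(clean_entry, sizeof clean_entry));

    k = classify_entry(hooked_entry, sizeof hooked_entry, FUNC_ADDR, &target);
    printf("hooked: kind=%d target=%08x outside_text=%d fnv1a=%08x\n",
           k, target, target_outside_text(target, TEXT_START, TEXT_END),
           fnv1a32(hooked_entry, sizeof hooked_entry));
    return 0;
}
```

The entry check only catches the placement the text calls easy to detect, a rewrite at the function's first bytes; a patch buried mid-function, or one that diverts to an address inside the kernel's own text, is caught only by the fingerprint comparison against a trusted baseline, and cloaking techniques such as the one cited below aim at defeating precisely that read of memory.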

At the time of this writing, a technique to cloak run-time kernel memory patching has been published. See "Raising The Bar For Windows Rootkit Detection" by Jamie Butler and Sherri Sparks, published in Phrack magazine, issue 63. Although this article is written from a Windows perspective, the theory can be applied to any x86 operating system.

Finally, like most rootkit techniques, run-time kernel memory patching has ...
