DKOM (Direct Kernel Object Manipulation), presented at Black Hat Windows 2004

by Jamie Butler

Summary: This talk addresses insecurities in the current implementation of today's operating systems. Because the kernel does not enforce exclusive access to the objects it uses to track privileges, report processes, and perform auditing, rootkits and other subversive programs can modify those objects, in many cases without detection. Obscurity is no longer enough! Corporations and some private consumers have tried to secure themselves by buying third-party products. However, these products are not enough to stop an attacker using the DKOM method. DKOM writes directly to memory without calling the kernel functions that are used to protect these objects, thus bypassing the protection mechanisms of the kernel and of third-party tools such as HIPS (Host Intrusion Prevention Systems).
Jamie Butler is the Director of Engineering at HBGary, specializing in rootkits and other subversive technologies. He is the co-author and a teacher of "Aspects of Offensive Root-kit Technologies." Prior to accepting the position at HBGary, he was a senior developer on the Windows Host Sensor at Enterasys Networks, Inc. He holds an MS in Computer Science from the University of Maryland, Baltimore County. Over the past few years his focus has been on Windows servers, concentrating on host-based intrusion detection and prevention, buffer overflows, and reverse engineering. Jamie is also a contributor at rootkit.com.