Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
Pique PoC Outline
Direct Kernel Object Manipulation (DKOM)
(U) Executive Summary
(U) Direct Kernel Object Manipulation (DKOM) is a rootkit technique for hiding processes,
drivers, and files from the system task manager and event scheduler. Process hiding via DKOM
is accomplished by modifying the doubly linked list of active threads and processes: the
forward and backward pointers (FLINK and BLINK) of the items adjacent to the target process
are rewritten so that they "point around" the process to be hidden. The task manager and
event scheduler rely on EPROCESS, which is enumerated by following the FLINKs and BLINKs to
identify running processes, so once those pointers are modified the process becomes "hidden"
from the task manager and event scheduler, as shown in Figure 1.
Figure 1. (U) Hiding a Process by Modifying FLINK and BLINK
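The pointer rewrite described above, as an added illustration that is not code from the Pique outline or from Raytheon: a user-mode C model of a LIST_ENTRY ring like EPROCESS.ActiveProcessLinks, the DKOM unlink of one node, and the defender's counterpart, cross-view detection, which compares a scan of the pool against a walk of the list. All structures, PIDs and function names are constructed for this example.

```c
#include <stddef.h>

/* Constructed model of a Windows LIST_ENTRY ring such as EPROCESS.ActiveProcessLinks. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;
typedef struct proc { unsigned pid; LIST_ENTRY links; } PROC;
#define CONTAINING_PROC(e) ((PROC *)((char *)(e) - offsetof(PROC, links)))
#define MAX_PROCS 8
static PROC pool[MAX_PROCS];  /* stands in for the kernel pool that holds the objects */
static size_t npool;
static LIST_ENTRY head;       /* stands in for the active-process list head */
static void procs_init(void) { head.Flink = head.Blink = &head; npool = 0; }

/* Allocate a process object and link it at the tail of the active list. */
static PROC *proc_create(unsigned pid) {
    PROC *p = &pool[npool++];
    p->pid = pid;
    p->links.Flink = &head; p->links.Blink = head.Blink;
    head.Blink->Flink = &p->links; head.Blink = &p->links;
    return p;
}
/* The DKOM step from the text: the neighbours' FLINK and BLINK are rewritten to point
   around p. p's own pointers and the object itself are untouched, so it still exists. */
static void dkom_unlink(PROC *p) {
    p->links.Blink->Flink = p->links.Flink;
    p->links.Flink->Blink = p->links.Blink;
}

/* List view: what an enumerator that follows FLINK pointers from the head sees. */
static int seen_in_list(unsigned pid) {
    for (LIST_ENTRY *e = head.Flink; e != &head; e = e->Flink)
        if (CONTAINING_PROC(e)->pid == pid) return 1;
    return 0;
}

/* Cross-view detection: every object found by scanning the pool must also be reachable
   by the list walk; any that is not has been unlinked. Returns the hidden count. */
static size_t find_hidden(unsigned *hidden, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < npool && n < cap; i++)
        if (!seen_in_list(pool[i].pid)) hidden[n++] = pool[i].pid;
    return n;
}

/* Scenario: three constructed processes, unlink PID 1337, then run the detector. */
static size_t demo(unsigned *hidden, size_t cap) {
    procs_init();
    proc_create(4); PROC *target = proc_create(1337); proc_create(2048);
    dkom_unlink(target);
    return find_hidden(hidden, cap);
}
```

The unlinked object is still schedulable in the real kernel for the same reason it is still in the pool here: only its neighbours' pointers changed.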
(U) There are two methods of performing DKOM:
Load a kernel driver
Use the ZwSystemDebugControl() application programming interface (API) from user-mode
Raytheon Blackbird Technologies, Inc.
3
21 November 2014
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.