DKOM
DKOM (Direct Kernel Object Manipulation) is one of the most common techniques used by rootkits to hide malicious user-mode processes. This technique relies on how the OS represents processes and threads. To understand this technique, you need to learn more about the objects that are being manipulated by the rootkit: EPROCESS and ETHREAD.
The kernel objects – EPROCESS and ETHREAD
Windows creates an object called EPROCESS for each process that's created in the system. This object includes all the important information about this process, such as its Virtual Address Descriptors (VADs), which store the map of this process's virtual memory and its representation in physical memory. It also includes the process ID, the parent process ID, and a doubly linked list called ActiveProcessLinks, which connects all EPROCESS objects of all processes. Each EPROCESS includes an address to the next EPROCESS object (which represents the next process) called FLink and the address to the previous EPROCESS object...
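The list described above, modelled as an added example in user-mode C (not the book's code, and not the real Windows EPROCESS layout): a simulated EPROCESS carrying ActiveProcessLinks, the forward walk that process enumeration depends on, the effect of unlinking one entry, and a cross-view check that flags an object still present in memory but missing from the walk. The struct fields, list_head, and all PIDs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Model of the kernel's LIST_ENTRY: forward and backward links embedded in each object. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Simulated EPROCESS carrying only the fields the text names; the layout is hypothetical. */
typedef struct {
    uint32_t UniqueProcessId;
    uint32_t InheritedFromUniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
} SIM_EPROCESS;
/* Recover the enclosing object from a pointer to its embedded LIST_ENTRY. */
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))
static LIST_ENTRY list_head = { &list_head, &list_head };  /* stands in for the kernel's list head */

static void list_insert_tail(SIM_EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Flink = &list_head; e->Blink = list_head.Blink;
    list_head.Blink->Flink = e; list_head.Blink = e;
}

/* Simulates the effect of the DKOM hide: the object stays in memory, but its
   neighbours' Flink/Blink now skip it, so a list walk never reaches it. */
static void simulate_unlink(SIM_EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
    e->Flink = e->Blink = e;  /* self-linked so the orphaned object stays consistent */
}

/* The list walk that process enumeration relies on; stores the PIDs it reaches. */
static int list_walk(uint32_t *pids, int max) {
    int n = 0;
    for (LIST_ENTRY *e = list_head.Flink; e != &list_head && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, SIM_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Cross-view check: every object known to exist (here, the pool we allocated) must be
   reachable by the list walk; one that is not is a DKOM candidate. Returns how many. */
static int find_hidden(const SIM_EPROCESS *pool, int count, uint32_t *hidden, int max) {
    uint32_t seen[64]; int n = list_walk(seen, 64), h = 0;
    for (int i = 0; i < count && h < max; i++) {
        int found = 0;
        for (int j = 0; j < n; j++) if (seen[j] == pool[i].UniqueProcessId) found = 1;
        if (!found) hidden[h++] = pool[i].UniqueProcessId;
    }
    return h;
}
```

In a real memory-forensics tool the "known to exist" view comes from a source independent of the list, such as scanning for EPROCESS pool allocations, which is exactly why an unlinked object is still recoverable.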