Persistence mechanisms and rootkits are among the most dangerous components of modern cyberattacks. Persistence allows attackers to maintain long-term access to a system, while rootkits modify the operating system itself to hide malicious activity. Both often operate partially or entirely in memory, making RAM analysis critical to detecting them.
This chapter explains how persistence appears in memory, how rootkits manipulate system structures, and how forensic tools identify signs of long-term compromise.
Understanding Persistence in Memory
Persistence refers to any technique that ensures malware or an attacker regains access after a reboot, logout, or system restart. Even though most persistence mechanisms write something to disk, they always produce traces in memory while active.
Common Persistence Mechanisms Visible in Memory
1. Scheduled Tasks / Cron Jobs
Malware often schedules tasks to execute automatically.
Indicators in memory:
-
Suspicious task names
-
Tasks pointing to unknown executables
-
Scripts in Temp, AppData, or hidden folders
2. Registry-Based Persistence (Windows)
Common locations:
-
Run/RunOncekeys -
Services
-
AppInit DLLs
-
Image File Execution Options
-
Winlogon shell modifications
RAM contains:
-
Cached registry hives
-
Loaded autostart modules
3. Startup Items
Malware may place executables in:
-
Startup folders
-
LaunchAgents (macOS)
-
LaunchDaemons (macOS)
Memory reveals:
-
Paths to startup scripts
-
Loaded daemons or agents
4. WMI Persistence
Attackers create permanent WMI event subscriptions.
Memory indicators:
-
WMI provider processes with abnormal references
-
Suspicious scripts in WMI namespaces
5. Service-Based Persistence
Malware installs itself as a system service.
Memory shows:
-
Malicious service binaries loaded
-
ServiceMain functions
6. Browser Extensions
Malicious extensions auto-load at startup.
Memory indicators:
-
Injected JavaScript
-
Abnormal browser processes
7. Fileless Persistence
Examples:
-
PowerShell profiles
-
WMI timers
-
Registry-stored payloads
Memory reveals:
-
PowerShell scripts
-
Encoded payloads
-
.NET assemblies in memory
Memory Artefacts of Persistence
Process-based persistence
Malware that repeatedly restarts itself has:
-
Long-running processes
-
Repeating parent-child patterns
Loaded modules
Persistence loaders show up as:
-
Unknown DLLs
-
Suspicious libraries
Command-line artefacts
RAM retains:
-
schtaskscommands -
sc createcommands -
powershell -encpayloads
Understanding Rootkits
Rootkits are advanced malware designed to hide processes, files, network connections, and system activity by modifying the OS kernel or core system components.
Memory forensics is the only reliable method to detect many rootkits.
Types of Rootkits
1. Userland Rootkits
Alter APIs at the user-level.
Memory indicators:
-
API hooks
-
Unusual function pointers
2. Kernel Rootkits
Modify kernel structures.
Memory indicators:
-
Tampered SSDT tables
-
Hidden kernel modules
-
Manipulated process lists
3. Bootkits
Modify bootloaders or firmware.
Memory indicators:
-
Suspicious code in early kernel memory
-
Unusual boot drivers
4. Hypervisor Rootkits
Manipulate virtualization layers.
Memory indicators:
-
Unexpected hypervisor structures
-
VM exit anomalies
Detecting Rootkits in Memory
Rootkits modify OS internals. Memory scans reveal these modifications.
1. Hidden Processes
Use:
windows.psscan
windows.pslist
Indicators:
-
Processes appear in psscan but not pslist
-
Missing or invisible processes
2. Hooked SSDT (System Service Dispatch Table)
Signs of kernel-level hooking include:
-
Function pointers pointing outside expected ranges
-
Non-Microsoft memory segments handling system calls
Tools:
windows.ssdt
3. Hidden or Unlinked Kernel Modules
Rootkits may unlink themselves from module lists.
Detect using:
windows.modscan
linux.lsmod
mac.lsmod
Indicators:
-
Modules in memory not listed in official module tables
-
Modules with no file path
4. Inline Function Hooking
Rootkits overwrite the first bytes of system functions.
Memory indicators:
-
JMP instructions at the start of API functions
-
Altered function prologues
5. Suspicious VAD or Kernel Memory Regions
Unusual properties:
-
Kernel memory marked RWX
-
Non-standard code pages
-
Memory regions without backing files
6. Network Stack Manipulation
Rootkits hide ports or connections.
Memory reveals:
-
Sockets in netscan not visible in OS
-
TCP connections not listed in system tools
Detecting Persistence with Volatility
List autoruns in memory:
windows.registry.printkey --key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
Scan for services:
windows.services
Search for WMI persistence:
windows.wmi_obj
PowerShell artefacts:
windows.pslist
windows.cmdline
windows.netscan
Detecting Rootkits with Volatility
Find hidden processes:
windows.psscan
List suspicious modules:
windows.modscan
Check SSDT hooks:
windows.ssdt
Detect inline hooks:
windows.apihooks
Detect kernel anomalies:
windows.kdbgscan
windows.kernel
Intel Dump
-
Persistence mechanisms leave traces in memory through autostart processes, registry keys, scheduled tasks, malicious services, WMI subscriptions, and startup scripts.
-
Rootkits hide processes, modules, and system activity by altering kernel structures, hooking API functions, and modifying SSDT tables.
-
Memory forensics identifies hidden processes, unlinked modules, RWX kernel memory, and suspicious code regions that reveal stealthy malware.
-
Volatility plugins such as psscan, modscan, ssdt, apihooks, and registry tools detect persistence and rootkit activity across Windows, Linux, and macOS.
-
Memory artifacts offer the strongest and often the only evidence of sophisticated persistence, fileless malware, and kernel-level compromise.