
Rootkit detection

Kernel Mustard


A lot of people were wondering why Microsoft couldn't (or didn't) detect the Sony DRM rootkit without writing new code. I covered that topic yesterday.

Today, an NTDEV reader named Daniel Terhell posted a tool that has the potential to detect some kinds of hooks by analyzing the system service dispatch table and seeing where the function pointers point. Anything that points outside of the kernel image is flagged as possibly hooked. The tool is known as Hook Analyzer and can be downloaded from his website.
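The core comparison such a tool makes, as an added example that is not Hook Analyzer's own code: every slot of the service table is checked against the address range of the kernel image, and anything outside it is flagged. The kernel base and size, the table contents and the `scan_ssdt`/`in_image` names are constructed for the example; a real scanner reads the table and the ntoskrnl range from the running kernel instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Address range of a loaded kernel image (constructed sample values below). */
typedef struct { const char *name; uintptr_t base; size_t size; } KernelImage;

/* Verdict for one service-table slot. */
typedef struct { unsigned index; uintptr_t target; int hooked; } SsdtCheck;

/* 1 if addr lies within [base, base + size). */
static int in_image(const KernelImage *img, uintptr_t addr) {
    return addr >= img->base && addr - img->base < img->size;
}

/* Walk a service table and flag every entry whose target lies outside the
 * kernel image, the same test the post describes Hook Analyzer as making.
 * Returns the number of flagged slots; fills out[] when it is non-NULL. */
size_t scan_ssdt(const uintptr_t *table, unsigned count,
                 const KernelImage *kernel, SsdtCheck *out) {
    size_t flagged = 0;
    for (unsigned i = 0; i < count; i++) {
        int hooked = !in_image(kernel, table[i]);
        if (out) { out[i].index = i; out[i].target = table[i]; out[i].hooked = hooked; }
        if (hooked) flagged++;
    }
    return flagged;
}

/* Constructed sample: a pretend ntoskrnl mapped at 0x80400000 for 2 MiB and a
 * four-slot table where slot 2 points into some third-party driver's range. */
static const KernelImage SAMPLE_KERNEL = { "ntoskrnl.exe", 0x80400000u, 0x200000u };
static const uintptr_t SAMPLE_TABLE[4] = { 0x80412340u, 0x805a0010u, 0xf8a1c000u, 0x805ffff0u };

int main(void) {
    SsdtCheck r[4];
    size_t n = scan_ssdt(SAMPLE_TABLE, 4, &SAMPLE_KERNEL, r);
    for (unsigned i = 0; i < 4; i++)
        printf("slot %u -> 0x%08lx %s\n", r[i].index, (unsigned long)r[i].target,
               r[i].hooked ? "outside kernel image, possibly hooked" : "ok");
    printf("%zu suspicious slot(s)\n", n);   /* prints 1 suspicious slot(s) */
    return 0;
}
```

A flagged slot is a lead, not a verdict: as the post notes, syscall hooking has rare legitimate uses, so the driver that owns the target address still has to be identified and reviewed.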

I installed the tool and tried it with an old version of Regmon, but apparently Mark used another mechanism besides syscall hooking in the product. I haven't looked into it yet; if I get around to it I'll write my own syscall hook driver to test.

But the real question is this: what level of value do you see in a tool like this? There are, after all, legitimate reasons to use syscall hooking, although they are rare. There are plenty of other kinds of hooks that a tool like this won't cover, but what about the ones it does cover? Useful?


Posted Nov 14 2005, 12:10 AM by kernelmustard

Comments

kernelmustard wrote re: Rootkit detection
on 11-17-2005 14:28
There are earlier sources of Regmon and Filemon floating on the web. You could check them out before diving into reversing Regmon.
kernelmustard wrote re: Rootkit detection
on 11-21-2005 2:32
Someone asked about RegMon in Mark's blog and this was my answer:

"I got curious after reading your question and I took a look at the drivers that came with regmon.exe; the main difference that I've found is that the old NT driver imports KeServiceDescriptorTable to hook a couple of functions and the 2K3 driver doesn't import it but it imports two functions to 'hook' and 'unhook' the registry provided by Microsoft: CmRegisterCallback and CmUnRegisterCallback.

After this discovery I went to the MSDN and found that these functions are available from XP, so I got confused again.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k102_ec214e13-1342-48b5-9a31-8c6c9da57cd6.xml.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k102_13cbc14e-4652-4a3d-a87e-f6eef883f912.xml.asp

I'm not sure but maybe this fact is the one that hit the target:

"For Windows XP, the system only makes post-notification calls when a registry key is created or opened. For Microsoft Windows Server 2003 and later operating systems, the system makes post-notification calls for every registry operation"

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/DrvrRtns_988f8f3d-4ee8-4351-8fc0-703a88bd8421.xml.asp

Anyway, all that I have said is pure speculation :=)"

http://www.sysinternals.com/blog/2005/09/multi-platform-images.html

