Rootkit detection

News

A blog about Microsoft Windows development, focused on kernel-mode driver development, the Windows DDK, WDK, and related tools.

To elaborate on the copyright notice at the bottom: all content produced by me on this site is copyright and licensed as follows:

This work is licensed under a Creative Commons License.  
Although I work for Positive Networks, this work is my own and is not connected with my employer in any way.
 <script type="text/javascript" src="http://embed.technorati.com/embed/8xz8dihr.js"> </script>

Community

Email Notifications

Other Blogs

Blogs I Read

General

Technical Resources

About Me

Kernel Mustard

Reflections on Windows System Programming
Steve Dispensa, MVP - Windows DDK

A lot of people were wondering why Microsoft couldn't have (or didn't) detect the Sony DRM rootkit without writing new code. I covered that topic yesterday.

Today, an NTDEV reader named Daniel Terhell posted a tool that has the potential to detect some kinds of hooks by analyzing the system service dispatch table and seeing where the functions pointers point. Anything that points outside of the kernel is flagged as possibly hooked. The tool is known as Hook Analyzer and can be downloaded from his website.

I installed the tool and tried it with an old version of Regmon, but apparently Mark used another mechanism besides syscall hooking in the product. I haven't looked into it yet; if I get around to it I'll write my own syscall hook driver to test.

But the real question is this: what level of value do you see in a tool like this? There are, after all, legitimate reasons to use syscall hooking, although they are rare. There are plenty of other kinds of hooks that a tool like this won't cover, but what about the ones it does cover? Useful?

Posted: Nov 14 2005, 12:10 AM by Steve Dispensa | with 2 comment(s)

Filed under: Kernel Mustard

Comments

Steve Dispensa said:

There are earlier sources of Regmon and Filemon floating on the web. You could check them out before diving into reversing Regmon.

# November 17, 2005 2:28 PM

Steve Dispensa said:

Someone asked about RegMon in Mark's blog and this was my answer:

"I got curious after reading your question and I took a look at the drivers that came with regmon.exe; the main difference that I've found is that the old NT driver imports KeServiceDescriptorTable to hook a couple of functions and the 2K3 driver doesn't import it but it imports two functions to 'hook' and 'unhook' the registry provided by Microsoft: CmRegisterCallback and CmUnRegisterCallback.

After this discovering I went to the MSDN and found that these functions are available from XP so I got confused again.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k102_ec214e13-1342-48b5-9a31-8c6c9da57cd6.xml.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/k102_13cbc14e-4652-4a3d-a87e-f6eef883f912.xml.asp

I'm not sure but maybe this fact is the one that hit the target:

"For Windows XP, the system only makes post-notification calls only when a registry key is created or opened. For Microsoft Windows Server 2003 and later operating systems, the system makes post-notification calls for every registry operation"

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/Kernel_r/hh/Kernel_r/DrvrRtns_988f8f3d-4ee8-4351-8fc0-703a88bd8421.xml.asp

Anyway, all that I have said is pure speculation :=)"

http://www.sysinternals.com/blog/2005/09/multi-platform-images.html

# November 21, 2005 2:32 AM

Recent Posts

Tags