Rootkit detection

A lot of people were wondering why Microsoft couldn’t have (or didn’t) detect the Sony DRM rootkit without writing new code. I covered that topic yesterday.

Today, an NTDEV reader named Daniel Terhell posted a tool that has the potential to detect some kinds of hooks by analyzing the system service dispatch table and seeing where the functions pointers point. Anything that points outside of the kernel is flagged as possibly hooked. The tool is known as Hook Analyzer and can be downloaded from his website.

I installed the tool and tried it with an old version of Regmon, but apparently Mark used another mechanism besides syscall hooking in the product. I haven’t looked into it yet; if I get around to it I’ll write my own syscall hook driver to test.

But the real question is this: what level of value do you see in a tool like this? There are, after all, legitimate reasons to use syscall hooking, although they are rare. There are plenty of other kinds of hooks that a tool like this won’t cover, but what about the ones it does cover? Useful?

3 Replies to “Rootkit detection”

  1. There are earlier sources of Regmon and Filemon floating on the web. You could check them out before diving into reversing Regmon.

  2. Someone asked about RegMon in Mark’s blog and this was my answer:

    "I got curious after reading your question and I took a look at the drivers that came with regmon.exe; the main difference that I’ve found is that the old NT driver imports KeServiceDescriptorTable to hook a couple of functions and the 2K3 driver doesn’t import it but it imports two functions to ‘hook’ and ‘unhook’ the registry provided by Microsoft: CmRegisterCallback and CmUnRegisterCallback.

    After this discovering I went to the MSDN and found that these functions are available from XP so I got confused again.

    I’m not sure but maybe this fact is the one that hit the target:

    "For Windows XP, the system only makes post-notification calls only when a registry key is created or opened. For Microsoft Windows Server 2003 and later operating systems, the system makes post-notification calls for every registry operation"

    Anyway, all that I have said is pure speculation :=)"

Leave a Reply

Your email address will not be published. Required fields are marked *