A lot of people were wondering why Microsoft couldn’t have detected (or didn’t detect) the Sony DRM rootkit without writing new code. I covered that topic yesterday.
Today, an NTDEV reader named Daniel Terhell posted a tool that has the potential to detect some kinds of hooks by analyzing the system service dispatch table and seeing where the function pointers point. Anything that points outside of the kernel image is flagged as possibly hooked. The tool is known as Hook Analyzer and can be downloaded from his website.
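To make the check concrete, here is an added illustration of the idea in C. It is not Hook Analyzer's code or Daniel's; the module names and addresses are constructed, and the struct is a hypothetical stand-in for the loaded-module list a real driver would walk. It goes one step beyond "outside the kernel" by attributing each flagged entry to a named module, or to memory no module owns:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified loaded-module record: name, image base, image size. */
typedef struct { const char *name; uintptr_t base; size_t size; } KModule;
/* Verdict for one service table entry. */
typedef enum { SSDT_IN_KERNEL, SSDT_IN_OTHER_MODULE, SSDT_UNKNOWN } SsdtVerdict;

/* Index of the module whose image range contains addr, or -1 if none does. */
static int find_module(uintptr_t addr, const KModule *mods, size_t nmods) {
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size) return (int)i;
    return -1;
}

/* The check the post describes: an entry is fine if it lands in the kernel image;
 * otherwise it is a hook, attributed to a named driver when one claims the address,
 * or to unbacked memory (no loaded module owns it), which is the most suspicious case. */
SsdtVerdict classify_entry(uintptr_t target, const KModule *mods, size_t nmods) {
    int m = find_module(target, mods, nmods);
    if (m < 0) return SSDT_UNKNOWN;
    return strcmp(mods[m].name, "ntoskrnl.exe") == 0 ? SSDT_IN_KERNEL : SSDT_IN_OTHER_MODULE;
}

/* Walk the table, store a verdict per entry in out[] (n slots, may be NULL),
 * and return how many entries do not point into the kernel. */
size_t scan_ssdt(const uintptr_t *table, size_t n, const KModule *mods, size_t nmods, SsdtVerdict *out) {
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        SsdtVerdict v = classify_entry(table[i], mods, nmods);
        if (out) out[i] = v;
        if (v != SSDT_IN_KERNEL) flagged++;
    }
    return flagged;
}

/* Constructed sample data (illustrative addresses, not real Windows values): a
 * kernel image, one third-party driver, and a four-entry table in which entry 1
 * is redirected into the driver and entry 3 into memory no module owns. */
const KModule kSampleModules[] = { {"ntoskrnl.exe", 0x80400000u, 0x100000u}, {"hookdrv.sys", 0xF8A00000u, 0x4000u} };
const uintptr_t kSampleTable[] = { 0x80412340u, 0xF8A01000u, 0x804FFFFEu, 0xBADC0DE0u };
static const char *kVerdictName[] = { "kernel", "other module (hooked)", "unknown memory" };

int main(void) {
    SsdtVerdict v[4];
    size_t flagged = scan_ssdt(kSampleTable, 4, kSampleModules, 2, v);
    for (size_t i = 0; i < 4; i++)
        printf("service %zu -> %#lx: %s\n", i, (unsigned long)kSampleTable[i], kVerdictName[v[i]]);
    printf("%zu of 4 entries flagged\n", flagged);
    return 0;
}
```

On the sample table this reports two flagged entries: one attributable to hookdrv.sys, one pointing into memory no loaded module accounts for.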
I installed the tool and tried it with an old version of Regmon, but apparently Mark used another mechanism besides syscall hooking in the product. I haven’t looked into it yet; if I get around to it I’ll write my own syscall hook driver to test.
But the real question is this: what level of value do you see in a tool like this? There are, after all, legitimate reasons to use syscall hooking, although they are rare. There are plenty of other kinds of hooks that a tool like this won’t cover, but what about the ones it does cover? Useful?