rh1nox / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook
0 stars 0 forks source link

Add detection of inline KiSystemService hooks #5

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
To detect Rustock. Thanks to Frank B. for the suggestion and methods. 

Original issue reported on code.google.com by michael.hale@gmail.com on 10 Jan 2011 at 5:46

GoogleCodeExporter commented 8 years ago
Oops I forgot we already check for inline hooks of all IDT function addresses, 
including KiSystemService:

# python volatility.py idt -f rustock-b.vmem 

[...]

2A       KiGetTickCount             0x8053da0e   ntoskrnl.exe .text
2B       KiCallbackReturn           0x8053db10   ntoskrnl.exe .text
2C       KiSetLowWaitHighThread     0x8053dcb0   ntoskrnl.exe .text
2D       KiDebugService             0x8053e5f0   ntoskrnl.exe .text
2E       KiSystemService            0x806b01b8   ntoskrnl.exe .rsrc => JMP 
0xb17a2e45

Original comment by michael.hale@gmail.com on 10 Jan 2011 at 9:07