DiamondCS Deep System Explorer



Detection Example: DSE vs Interrupt Descriptor Table

Description: This hook (hookint.sys) was written by the authors of Undocumented Windows NT (P. Dabak, S. Phadke, M. Borate) to demonstrate a simple IDT hook, a low-level kernel-mode hook that rootkits often use. Because it is a kernel-mode hook, it can only be installed by drivers (.sys files).

They offer this description: "The sample application hooks INT 2E (System Service Interrupt) and maintains the counters of how many times a particular system service was called."


Detection: We used the instdrv.exe tool to install and load the driver:


Now if we have a look at the Interrupt Descriptor Table (IDT) in DSE we can see that Int 2E is hooked (the interrupt for the Windows NT Native API service):

We can also see exactly which driver is hooking the interrupt (c:\hookint.sys in this case) as well as the exact location of the hook function within the hooking driver, allowing software engineers to immediately zero in on that section of code.
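The check DSE performs here, walking the IDT and attributing each handler to the module that owns it, as an added example that is not DiamondCS code: it decodes constructed 32-bit interrupt-gate descriptors, resolves every present handler against a constructed loaded-module list, and flags vectors whose handler lies outside the kernel and HAL. The module base addresses and the hook offset are made-up sample values.

```python
import struct

# Constructed module map (name -> (base, size)); addresses are sample values only.
MODULES = {
    "ntoskrnl.exe":    (0x80400000, 0x00200000),
    "hal.dll":         (0x80062000, 0x00010000),
    "c:\\hookint.sys": (0xF8A10000, 0x00002000),
}

# A 32-bit IDT gate is 8 bytes, little-endian:
# offset_low(u16) selector(u16) zero(u8) type_attr(u8) offset_high(u16)
GATE = struct.Struct("<HHBBH")

def build_gate(handler: int, selector: int = 0x08, type_attr: int = 0x8E) -> bytes:
    """Pack an interrupt gate descriptor (used only to construct test data)."""
    return GATE.pack(handler & 0xFFFF, selector, 0, type_attr, handler >> 16)

def parse_gate(raw: bytes) -> dict:
    """Decode one gate; bit 7 of type_attr is the Present flag."""
    off_lo, sel, _zero, type_attr, off_hi = GATE.unpack(raw)
    return {"handler": (off_hi << 16) | off_lo, "selector": sel,
            "present": bool(type_attr & 0x80), "type": type_attr & 0x0F}

def resolve(addr: int, modules: dict):
    """Map a handler address to (module, offset), or (None, None) if unowned."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name, addr - base
    return None, None

def audit_idt(idt_bytes: bytes, modules: dict, trusted=("ntoskrnl.exe", "hal.dll")):
    """Return every present vector whose handler is not inside a trusted module.
    An address owned by no known module at all is reported too (module=None)."""
    findings = []
    for vector in range(len(idt_bytes) // GATE.size):
        gate = parse_gate(idt_bytes[vector * GATE.size:(vector + 1) * GATE.size])
        if not gate["present"]:
            continue
        mod, off = resolve(gate["handler"], modules)
        if mod not in trusted:
            findings.append({"vector": vector, "handler": gate["handler"],
                             "module": mod, "offset": off})
    return findings

def build_sample_idt() -> bytes:
    """Constructed IDT: 48 vectors in ntoskrnl, except INT 2E pointing into hookint.sys."""
    gates = []
    for v in range(0x30):
        handler = 0x80401000 + v * 0x40          # inside the constructed ntoskrnl range
        if v == 0x2E:
            handler = 0xF8A10000 + 0x0560        # the hook, inside c:\hookint.sys
        gates.append(build_gate(handler))
    return b"".join(gates)
```

Running `audit_idt(build_sample_idt(), MODULES)` reports vector 0x2E with module c:\hookint.sys and offset 0x560, which is the module-plus-offset attribution the DSE view above gives.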



Copyright © 1999 - 2010, Diamond Computer Systems Pty. Ltd.  All rights reserved.