Simple Antirootkit Development Tutorial

Let’s develop a simple driver that detects and removes System Service Table (SST) hooks. Because the SST is assumed to be corrupted by malware, our solution must not rely on Zw-functions or on the SST itself. In this article, I am not going to cover filter drivers or function code splicing (inline hooks); I will probably do that in the future.

Development

Comparing the current SST with the original one stored in ntoskrnl.exe is the easiest way to detect and remove hooks.

We should perform the following steps:

  1. Find the ntoskrnl module in memory.
  2. Find the ntoskrnl section where the SST is located, and calculate the SST offset relative to that section.
  3. Find the same section in ntoskrnl.exe on disk.
  4. Calculate the real SST address in the file.
  5. Read the values from the file and compare them with the SST in memory.
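As an added example that is not part of the original article, the following C code carries steps 2 to 5 through on constructed data: the section headers, the file-based SST and the live SST are all assumed values, and because the file copy of the table holds unrelocated absolute addresses, the load delta (actual base minus preferred ImageBase) is applied before comparing.

```c
#include <stdint.h>
#include <stddef.h>

/* Trimmed IMAGE_SECTION_HEADER: the four fields steps 2-4 need (constructed). */
typedef struct {
    uint32_t virtual_address;     /* RVA where the section is mapped */
    uint32_t virtual_size;
    uint32_t pointer_to_raw_data; /* offset of the section in the file */
    uint32_t size_of_raw_data;
} section_t;

/* Steps 2-4: map an RVA of the loaded image to a file offset, or -1 if none. */
long rva_to_file_offset(const section_t *secs, size_t n, uint32_t rva) {
    for (size_t i = 0; i < n; i++) {
        uint32_t start = secs[i].virtual_address;
        uint32_t span = secs[i].virtual_size < secs[i].size_of_raw_data
                      ? secs[i].virtual_size : secs[i].size_of_raw_data;
        if (rva >= start && rva < start + span)
            return (long)(secs[i].pointer_to_raw_data + (rva - start));
    }
    return -1;
}

/* Step 5: compare the live SST with the copy read from ntoskrnl.exe. The file
   copy holds unrelocated absolute addresses, so each entry is first shifted by
   (actual load base - preferred ImageBase). Sets hooked[i] = 1 for each
   differing entry and returns how many differ. */
size_t compare_sst(const uint32_t *mem_sst, const uint32_t *file_sst, size_t count,
                   uint32_t load_base, uint32_t image_base, unsigned char *hooked) {
    uint32_t delta = load_base - image_base;
    size_t n = 0;
    for (size_t i = 0; i < count; i++) {
        hooked[i] = (mem_sst[i] != file_sst[i] + delta) ? 1 : 0;
        n += hooked[i];
    }
    return n;
}

/* Constructed sample: .text and .data sections, a 4-entry SST at RVA 0x21100
   (inside .data), ImageBase 0x00400000, actual load base 0x80400000; entry 2 of
   the live table points outside the kernel image, i.e. it is hooked. */
static const section_t demo_sections[2] = {
    { 0x01000, 0x20000, 0x00400, 0x20000 }, { 0x21000, 0x03000, 0x20400, 0x02800 } };
static const uint32_t demo_file_sst[4] = { 0x00405010, 0x00405230, 0x00405470, 0x004056a0 };
static const uint32_t demo_mem_sst[4]  = { 0x80405010, 0x80405230, 0xf7a01000, 0x804056a0 };
static unsigned char demo_hooked[4];

size_t demo_hooked_count(void) {
    return compare_sst(demo_mem_sst, demo_file_sst, 4, 0x80400000, 0x00400000, demo_hooked);
}
```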

Before implementation, we’ll consider memory-mapped files in kernel mode.


Memory-mapped files in kernel mode

A memory-mapped file is a virtual memory segment that has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource.

We are going to use memory-mapped files in kernel mode, as they are quite convenient for parsing a PE file. In addition, their API is easy to use, as it is rather similar to the Win32 API.

SST unhooker demonstration

We have considered the steps for developing a simple console utility named “unhooker.exe” for testing purposes. When started with no parameters, it prints information about its commands:

  1. The “stat” command shows statistics about SST hooking.
  2. The “unhook” command cleans up the SST.

The following example demonstrates how to use the utility to detect and delete hooks:


Anti-rootkit building

The steps for building the unhooker are the same as those described in the “Hide Driver” article:

    1. Install the Windows Driver Developer Kit 2003: http://www.microsoft.com/whdc/devtools/ddk/default.mspx
    2. Set the global environment variable “BASEDIR” to the path of the installed DDK. Go to: Computer -> Properties -> Advanced -> Environment variables -> System Variables -> New, and set it like this: BASEDIR -> c:\winddk\3790 (You have to restart your computer after this.)
    3. If you use Visual Studio 2003, you can simply open UnhookerMain.sln and build everything.
