
Detection Example: DSE vs Hacker Defender
Description: According to its own description, "Hacker defender (hxdef) is rootkit for Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, it may also work on latest NT based systems. The main idea of this program is to rewrite few memory segments in all running processes."
That is the key point: it modifies the code of other processes, making it a prime candidate for Code Modification detection, among other techniques.
Detection: The user-mode hxdef.exe module does most of the work, but a small kernel-mode driver called hxdefdrv.sys also remains running. We can detect this simply by looking in the Driver List tool: the Exists column reports NO for the driver, meaning it is not visible through normal enumeration even though it is loaded:

Its process can also be easily detected simply by looking in the Process List tool, and here we can see that both the file and the process appear to be hidden:

Using the Hidden Processes search we can see this process in finer detail:

We can still glean a lot more information from this hidden process. For example, here is its open handle table, which it also tries to keep hidden:

It also tries to hide its registry items:

... and its threads:

But at the heart of all of this (hiding files, processes, registry items and so on) are hooks: code modifications made in every running process. Here is just one process that Hacker Defender has inserted its hooks into:

Not only is it highly suspicious that such code modifications exist in every process, but the nature of the functions being hooked is suspicious too. For example, functions in WS2_32.DLL are hooked to intercept Winsock network calls, ReadFile in kernel32.dll is hooked to stop the rootkit's own files from being read, and so on.
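The code-modification check described above, as an added example (not DSE's own code): it compares the first bytes of an exported function as seen in a process's memory against the same bytes from the on-disk image, and decodes the two inline-hook stubs most commonly found at a hooked entry point. All byte sequences, addresses and the module load range below are constructed and illustrative.

```python
import struct

# Constructed, illustrative values (not taken from a real kernel32.dll image):
# the first 8 bytes of a hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp; sub esp,0x18)
CLEAN_READFILE = bytes.fromhex("8bff558bec83ec18")
READFILE_VA = 0x7C801812                      # assumed virtual address of kernel32!ReadFile
KERNEL32_RANGE = (0x7C800000, 0x7C8F6000)     # assumed load range of kernel32.dll
HOOK_STUB = 0x00401000                        # assumed address of the rootkit's injected code
# In-memory bytes after an inline hook: "jmp rel32" overwrites the first 5 bytes.
HOOKED_READFILE = b"\xe9" + struct.pack("<i", HOOK_STUB - (READFILE_VA + 5)) + CLEAN_READFILE[5:]

def decode_hook_target(mem, va):
    """Return where an inline-hook stub at the function entry transfers control, or None.
    Recognises 'E9 rel32' (jmp) and '68 imm32 C3' (push addr; ret)."""
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return (va + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:
        return struct.unpack_from("<I", mem, 1)[0]
    return None

def check_function(name, va, disk_bytes, mem_bytes, module_range):
    """Compare a function's in-memory code with the on-disk image and classify the difference."""
    if mem_bytes == disk_bytes:
        return {"function": name, "modified": False}
    offset = next((i for i, (a, b) in enumerate(zip(disk_bytes, mem_bytes)) if a != b),
                  min(len(disk_bytes), len(mem_bytes)))
    report = {"function": name, "modified": True, "offset": offset}
    target = decode_hook_target(mem_bytes, va)
    if target is not None:
        lo, hi = module_range
        report["hook_target"] = target
        # A jump that leaves the module's own image is the classic sign of an injected hook.
        report["target_outside_module"] = not (lo <= target < hi)
    return report

def scan_process(snapshot, module_range):
    """snapshot: {name: (va, disk_bytes, mem_bytes)} for one process; returns the modified entries."""
    return [check_function(n, va, d, m, module_range)
            for n, (va, d, m) in snapshot.items() if d != m]

if __name__ == "__main__":
    # Constructed snapshot: one clean export and one hooked export in the same process.
    snap = {"CreateFileA": (0x7C801A28, CLEAN_READFILE, CLEAN_READFILE),
            "ReadFile": (READFILE_VA, CLEAN_READFILE, HOOKED_READFILE)}
    for r in scan_process(snap, KERNEL32_RANGE):
        print(r)
```

On a live system the disk copy must have relocations applied before the comparison, otherwise every relocated pointer shows up as a false difference.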
Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.