DiamondCS Deep System Explorer
     



Detection Example: DSE vs Memory Descriptor List Hook

Description: This demo, called Basic MDL Flags, is a simple demonstration rootkit that tries to hide any files whose names begin with the prefix "_root_". Originally written by NT Rootkit author Greg Hoglund, it has since received contributions from several other authors.

It works by using an MDL (Memory Descriptor List) to obtain a writable mapping of the otherwise write-protected System Service Table, then overwriting the NtQuerySystemInformation slot so that calls to that service are routed through the rootkit. NtQuerySystemInformation is the service that process listings are built from; hiding the files themselves from directory listings additionally requires intercepting a file-enumeration service such as NtQueryDirectoryFile, which is not shown on this page.


Detection: DSE detects this type of attack without difficulty.

First, the driver is installed:


As soon as the driver is loaded it installs its hooks. Using DSE's Code Modifications tool we can see the writes the driver made through its MDL mapping (the 4-byte and 6-byte patches in ntkrnlpa.exe):


DSE's System Service Table tool shows that the driver has hooked NtQuerySystemInformation, the service that Task Manager and similar tools call to enumerate processes; the hook filters the rootkit's own entries out of the results:
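The check behind that screen can be modelled in user mode: every System Service Table slot should point into the kernel image, so a slot whose target resolves to another module (or to no loaded module at all) has been redirected. The following C program is an added example and is not DiamondCS code; the module ranges, service indices, target addresses and the driver name basic_mdl.sys are constructed sample data, not values taken from the rootkit.

```c
/* Added example, not DiamondCS code: a user-mode model of the check the
 * System Service Table tool performs. Every SSDT slot must point into the
 * kernel image (ntkrnlpa.exe here); a slot whose target lies in another
 * module, or in no module at all, has been hooked. Module ranges, service
 * indices and addresses below are constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uint32_t base; uint32_t size; } module_t;
typedef struct { unsigned index; const char *name; uint32_t target; } ssdt_entry_t;
typedef struct { unsigned index; const char *name; uint32_t target; const char *owner; } hook_t;

/* Module whose [base, base+size) range contains addr, or NULL. */
static const module_t *find_module(const module_t *mods, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* Flag every slot whose target is not inside kernel_name. Up to max hooks
 * are written to out; the return value is the total number found. */
size_t scan_ssdt(const ssdt_entry_t *table, size_t n,
                 const module_t *mods, size_t nmods,
                 const char *kernel_name, hook_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        const module_t *m = find_module(mods, nmods, table[i].target);
        if (m != NULL && strcmp(m->name, kernel_name) == 0)
            continue;                       /* points into the kernel: clean */
        if (found < max) {
            out[found].index  = table[i].index;
            out[found].name   = table[i].name;
            out[found].target = table[i].target;
            out[found].owner  = m ? m->name : "(unknown)";
        }
        found++;
    }
    return found;
}

/* Constructed sample: the kernel image and a hypothetical rootkit driver. */
static const module_t sample_modules[] = {
    { "ntkrnlpa.exe",  0x804D7000u, 0x001F6000u },
    { "basic_mdl.sys", 0xF8A3C000u, 0x00002000u },   /* hypothetical driver name */
};

/* Constructed SSDT slice (sample indices and addresses). The
 * NtQuerySystemInformation slot has been redirected into the driver, which
 * is the write the MDL trick makes possible. */
static const ssdt_entry_t sample_table[] = {
    { 0x25, "NtCreateFile",             0x8056D49Bu },
    { 0x91, "NtQueryDirectoryFile",     0x805715E0u },
    { 0xAD, "NtQuerySystemInformation", 0xF8A3C4A0u },
    { 0x7A, "NtOpenProcess",            0x805A4B1Cu },
};

/* Run the scan over the sample data. */
size_t demo_scan(hook_t *out, size_t max)
{
    return scan_ssdt(sample_table, sizeof sample_table / sizeof sample_table[0],
                     sample_modules, sizeof sample_modules / sizeof sample_modules[0],
                     "ntkrnlpa.exe", out, max);
}

int main(void)
{
    hook_t hooks[8];
    size_t n = demo_scan(hooks, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("hooked slot 0x%02X %s -> 0x%08X in %s\n",
               hooks[i].index, hooks[i].name, hooks[i].target, hooks[i].owner);
    return n ? 1 : 0;
}
```

Two caveats apply to a range check like this. A slot that is flagged is not automatically malicious, since some security products also redirect service table entries; the owning module is what the analyst has to judge. Conversely, a hook that lands on code inside the kernel image itself (an inline patch of the original service) passes this check, which is why a tool also has to compare the code bytes against a known-good copy, as the Code Modifications view above does.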


The aim of the driver is to hide files and processes whose names begin with "_root_". We copied the Windows Calculator program (calc.exe) to c:\_root_calc.exe and ran it. The file was not visible in directory listings, nor did the process appear in the Windows Task Manager process list.

Deep System Explorer, on the other hand, has no trouble detecting the hidden process and its thread(s):
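The reason a thread view still shows the process is that the hook only filters the answer NtQuerySystemInformation returns; a list built from a source the hook never touches still contains the process. The following C program is an added example of that cross-view comparison and is not DiamondCS code: it takes a constructed "API view" (the filtered process list) and a constructed list of threads with their owning process IDs, and reports every PID that owns threads but is missing from the API view. All IDs are sample values.

```c
/* Added example, not DiamondCS code: cross-view detection of a hidden
 * process. The API view is the process list a hooked
 * NtQuerySystemInformation returns; the thread view is built from a
 * lower-level source the hook does not filter (modelled here as a
 * constructed list of threads with their owning PIDs). A PID that owns
 * threads but is absent from the API view is hidden. Sample data only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t tid; uint32_t pid; } thread_t;
typedef struct { uint32_t pid; size_t threads; } hidden_t;

static int in_list(const uint32_t *list, size_t n, uint32_t pid)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == pid)
            return 1;
    return 0;
}

/* Report every PID seen in the thread view but missing from the API view,
 * aggregated per PID with its thread count. Returns the number of hidden
 * processes written to out (at most max). */
size_t find_hidden(const uint32_t *api, size_t napi,
                   const thread_t *threads, size_t nthreads,
                   hidden_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < nthreads; i++) {
        uint32_t pid = threads[i].pid;
        if (in_list(api, napi, pid))
            continue;                          /* visible through the API: fine */
        size_t j = 0;
        while (j < found && out[j].pid != pid)
            j++;
        if (j == found) {                      /* first thread of a hidden PID */
            if (found == max)
                return found;                  /* out is full */
            out[found].pid = pid;
            out[found].threads = 0;
            found++;
        }
        out[j].threads++;
    }
    return found;
}

/* Constructed API view: what the hooked service reports. */
static const uint32_t sample_api[] = { 4, 368, 596, 1012, 1480 };

/* Constructed thread view: PID 2044 (our _root_calc.exe) owns two threads
 * but never appears in the API view. */
static const thread_t sample_threads[] = {
    { 8, 4 }, { 12, 4 }, { 372, 368 }, { 600, 596 }, { 1016, 1012 },
    { 1484, 1480 }, { 1488, 1480 }, { 2048, 2044 }, { 2052, 2044 },
};

/* Run the comparison over the sample data. */
size_t demo_hidden(hidden_t *out, size_t max)
{
    return find_hidden(sample_api, sizeof sample_api / sizeof sample_api[0],
                       sample_threads, sizeof sample_threads / sizeof sample_threads[0],
                       out, max);
}

int main(void)
{
    hidden_t hidden[16];
    size_t n = demo_hidden(hidden, 16);
    for (size_t i = 0; i < n; i++)
        printf("hidden process PID %u with %zu thread(s)\n",
               hidden[i].pid, hidden[i].threads);
    return n ? 1 : 0;
}
```

The comparison is only as good as the second view: it catches a rootkit that filters a service's results, which is what this driver does, but a rootkit that also unlinks its process from the kernel structures the second view is built from would need yet another source (handle tables, scheduler queues, a memory scan) to be caught.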


The process and driver can also be seen in DSE's built-in Process List and Driver List tools.



Copyright © 2008, Diamond Computer Systems Pty. Ltd.  All rights reserved.