DiamondCS Deep System Explorer
Detection Example: DSE vs NT Illusion Rootkit

Description: NT Illusion, by the author 'Kdm', is a purely user-mode (ring 3) rootkit: it uses no kernel-mode drivers.

For this reason it cannot hook system-level (kernel) API functions; instead it hooks user-mode API functions in every process.


Detection: Upon starting the rootkit, several debug messages are sent:

[Screenshot: debug messages emitted when the rootkit starts]

The hooks that NT Illusion employs are common inline hooks. Here we can see exactly which functions it hooks:

[Screenshot: the API functions NT Illusion has modified, as listed by DSE]

NT Illusion can hide registry items, files, and TCP ports, and you can probably work that out for yourself simply by looking at the above screenshot and noting which API functions have been modified.

The author explains, in a readme file that accompanies the trojan, why each function is hooked:
  CharToOemBuffA/AllocAndGetTCPExTableFromStack - to defeat netstat and various port listers.
  FindFirstFileA/W/FindNextFileA/W - to defeat Explorer and various file listers.
  NtQuerySystemInformation - to defeat Task Manager and various process listers.
  RegEnumValue - to defeat Regedit and various registry listers.
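The inline hooks described above rewrite the first bytes of an exported function into a jump to the rootkit's code, so a defender can detect them by comparing a function's in-memory prologue with its on-disk copy and resolving where the jump lands. The following is an added example, not DiamondCS or NT Illusion code; it assumes 32-bit x86 code, and all addresses and bytes are constructed samples (a hypothetical kernel32 load range, a hypothetical FindFirstFileA address, and a hypothetical trampoline address in an injected DLL).

```python
import struct

# Constructed sample data (not real addresses or bytes read from a process):
# hypothetical load range of kernel32.dll, and the prologue of FindFirstFileA
# as stored on disk versus as found in a process that NT Illusion has hooked.
MODULE_LO, MODULE_HI = 0x7C800000, 0x7C8F6000      # hypothetical kernel32 range
FUNC_VA = 0x7C80EF1C                                # hypothetical export address
HOOK_TARGET = 0x00401230                            # hypothetical trampoline in injected DLL
DISK_PROLOGUE = bytes.fromhex("8BFF558BEC83EC10")   # mov edi,edi; push ebp; mov ebp,esp; sub esp,10h
# An inline hook overwrites the first 5 bytes with JMP rel32 to the rootkit's code.
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", HOOK_TARGET - (FUNC_VA + 5)) + DISK_PROLOGUE[5:]

def classify_prologue(func_va, mem):
    """Recognise the common 32-bit inline-hook trampolines at a function entry.
    Returns (kind, absolute_target) or (None, None)."""
    if len(mem) >= 5 and mem[0] == 0xE9:                            # JMP rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:          # PUSH imm32; RET
        return "push_ret", struct.unpack_from("<I", mem, 1)[0]
    if len(mem) >= 7 and mem[0] == 0xB8 and mem[5:7] == b"\xFF\xE0":  # MOV EAX,imm32; JMP EAX
        return "mov_eax_jmp", struct.unpack_from("<I", mem, 1)[0]
    return None, None

def check_export(name, func_va, mem, disk, module_lo, module_hi):
    """Compare the in-memory prologue with the on-disk copy and, if it has been
    rewritten into a trampoline, report where the jump lands. A target outside
    the owning module is the signature of a foreign (injected) hook."""
    result = {"function": name, "modified": mem[:len(disk)] != disk,
              "kind": None, "target": None, "target_outside_module": False}
    kind, target = classify_prologue(func_va, mem)
    if kind is not None:
        result.update(kind=kind, target=target,
                      target_outside_module=not (module_lo <= target < module_hi))
    return result

def scan_samples():
    """Run the check over the constructed samples: one hooked export, one intact."""
    return [
        check_export("kernel32!FindFirstFileA", FUNC_VA, HOOKED_PROLOGUE,
                     DISK_PROLOGUE, MODULE_LO, MODULE_HI),
        check_export("kernel32!FindNextFileA", FUNC_VA + 0x40, DISK_PROLOGUE,
                     DISK_PROLOGUE, MODULE_LO, MODULE_HI),
    ]

if __name__ == "__main__":
    for r in scan_samples():
        print(r)
```

On a live system the same comparison is made against bytes read from the target process and from the module file on disk; a hook whose target lies in a module that is not on the process's expected module list is the case the screenshot above illustrates.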

NT Illusion also installs a global SetWindowsHookEx hook, which causes Windows to load it automatically into every new process:

[Screenshot: the global SetWindowsHookEx hook]

Copyright © 2008, Diamond Computer Systems Pty. Ltd.  All rights reserved.