
Detection Example: DSE vs SSDT Shadow Table Hook
Description: The ShadowTableHook demo was written by the author 'metro mystery' as a simple demonstration of hiding window handles via an SSDT hook, specifically a hook on the so-called Shadow table. (Windows offers 4 tables. Most SSDT hooks use the first table, but this demo uses the 2nd.)
Detection: We used the instdrv tool to install and load the driver:

Now we can easily see this hook in DSE:

Generally speaking, the only programs that create SSDT hooks are certain security products and rootkit-style malware.
In this case we can see that there is only one hook on this system, and we can see exactly which driver is doing the hooking (c:\shadowtablehookdriver.sys).
We can also see the service ID (0x1138), as well as the exact location of the hook within the driver, allowing analysts to immediately zero in on the hooking function.
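The attribution shown above (service ID, hooking driver, offset into the driver) can be reproduced from a snapshot of the dispatch tables and the loaded-module list. The following is an added example, not DSE's code: the module base addresses, sizes and table contents are constructed placeholders, and the service number 0x1138 is decoded as table 1 (the Shadow table), index 0x138.

```python
# Constructed kernel module map: (name, base, size). A real scanner fills this
# from the loaded-module list; these addresses are placeholders.
MODULES = [
    ("ntoskrnl.exe", 0x80400000, 0x00200000),
    ("win32k.sys", 0xBF800000, 0x00180000),
    ("shadowtablehookdriver.sys", 0xF8A00000, 0x00002000),
]

# Legitimate owner of each dispatch table: table 0 is the native table
# (ntoskrnl), table 1 is the Shadow table (win32k).
TABLE_OWNER = {0: "ntoskrnl.exe", 1: "win32k.sys"}


def split_service_id(service_id):
    """Bits 12-13 of a service number select the table, the low 12 bits
    are the index within it: 0x1138 -> (table 1, index 0x138)."""
    return (service_id >> 12) & 0x3, service_id & 0xFFF


def find_module(address, modules=MODULES):
    """Return (module name, offset) for the module containing address, else None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name, address - base
    return None


def find_hooks(tables, modules=MODULES):
    """tables: {table_number: {index: target_address}}. Report every entry
    that does not point into the table's legitimate owner module."""
    hooks = []
    for table_no, entries in tables.items():
        for index, target in entries.items():
            hit = find_module(target, modules)
            if hit is not None and hit[0] == TABLE_OWNER[table_no]:
                continue  # points into the expected module: not hooked
            name, offset = hit if hit else ("<unknown module>", None)
            hooks.append({"service_id": (table_no << 12) | index,
                          "module": name, "offset": offset})
    return hooks


# Constructed snapshot: every Shadow-table entry points into win32k except
# index 0x138, which has been redirected into the demo driver.
SAMPLE_TABLES = {
    0: {i: 0x80400000 + 0x1000 * i for i in range(4)},
    1: {i: 0xBF800000 + 0x800 * i for i in range(0x13A)},
}
SAMPLE_TABLES[1][0x138] = 0xF8A00000 + 0x1A4

if __name__ == "__main__":
    for h in find_hooks(SAMPLE_TABLES):
        print("service 0x%04X hooked by %s+0x%X" % (h["service_id"], h["module"], h["offset"]))
```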
Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.