DiamondCS Deep System Explorer

Detection Example: DSE vs System Service Table Hooks

Description: This hook (hooksys.sys) was written by the authors of Undocumented Windows NT (P. Dabak, S. Phadke, M. Borate) to demonstrate a simple system service hook - a low-level kernel-mode hook of the kind rootkits often use. Because the hook lives in kernel mode, it can only be installed by a kernel-mode driver (a .sys file).

The driver itself (hooksys.sys) hooks the NtCreateFile function, allowing it to capture the names of all files that are accessed. Rootkits often hook file-related functions, usually in order to hide their presence.


Detection: Here we use the common instdrv.exe tool to install and load the driver:


And here we can see that DSE easily detects the hook: it reports which driver is doing the hooking, which function(s) it has hooked (with the corresponding service ID numbers), and even the exact location of the hook within the driver, so that security experts can immediately start analyzing the relevant code:


We can also see that there are 4 system service tables in the Windows operating system, and DSE allows you to easily examine them all.
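The check behind this kind of report is simple to state: every entry in a system service table should dispatch to code inside the module that legitimately owns that table (the kernel image for the native table), so an entry whose handler resolves to some other loaded module, or to no module at all, is a hook, and the handler's offset from that module's base is the hook location. The following C program is an added illustration of that logic and is not DSE's code or the hooksys driver; the module names, base addresses, sizes and service IDs are all constructed for the demonstration, and the tables are plain arrays rather than kernel memory.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example, not DSE code: a simplified model of how a system service
   table hook is recognised. All addresses, sizes and service IDs below are
   constructed for illustration. */

typedef struct {            /* a loaded kernel module and its address range */
    const char *name;
    uintptr_t   base;
    size_t      size;
} Module;

typedef struct {            /* one system service table entry */
    unsigned    id;         /* service ID (index into the table) */
    const char *name;       /* expected native API name */
    uintptr_t   handler;    /* address the table currently dispatches to */
} ServiceEntry;

typedef struct {            /* what a detector should report per entry */
    unsigned    id;
    const char *service;
    const char *owner;      /* module containing the handler, or "<unknown>" */
    uintptr_t   offset;     /* hook location: handler offset inside that module */
    int         hooked;
} HookReport;

/* Map an address to the module whose range contains it, if any. */
static const Module *find_owner(const Module *mods, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* An entry is hooked when its handler lies outside the module that
   legitimately owns the table. Returns the number of hooked entries and
   fills out[] with one report per entry. */
size_t check_table(const ServiceEntry *tbl, size_t n,
                   const Module *mods, size_t nmods,
                   const char *expected_owner, HookReport *out)
{
    size_t hooks = 0;
    for (size_t i = 0; i < n; i++) {
        const Module *m = find_owner(mods, nmods, tbl[i].handler);
        out[i].id      = tbl[i].id;
        out[i].service = tbl[i].name;
        out[i].owner   = m ? m->name : "<unknown>";
        out[i].offset  = m ? tbl[i].handler - m->base : 0;
        out[i].hooked  = (m == NULL) || strcmp(m->name, expected_owner) != 0;
        if (out[i].hooked)
            hooks++;
    }
    return hooks;
}

/* Constructed snapshot: the kernel image plus the demo hook driver from the
   page, and a three-entry slice of the native table in which NtCreateFile
   has been redirected into hooksys.sys. */
#define DEMO_ENTRIES 3

size_t run_demo(HookReport out[DEMO_ENTRIES])
{
    static const Module mods[] = {
        { "ntoskrnl.exe", 0x80400000u, 0x00200000u },   /* constructed range */
        { "hooksys.sys",  0xF8A00000u, 0x00004000u },   /* constructed range */
    };
    static const ServiceEntry native_table[DEMO_ENTRIES] = {
        { 0x20, "NtCreateFile",   0xF8A00000u + 0x1234u }, /* hooked: points into hooksys.sys */
        { 0x21, "NtCreateKey",    0x80400000u + 0x5A10u }, /* genuine: inside the kernel image */
        { 0x22, "NtCreateMutant", 0x80400000u + 0x5C40u }, /* genuine: inside the kernel image */
    };
    return check_table(native_table, DEMO_ENTRIES, mods, 2, "ntoskrnl.exe", out);
}

int main(void)
{
    HookReport r[DEMO_ENTRIES];
    size_t hooks = run_demo(r);
    for (size_t i = 0; i < DEMO_ENTRIES; i++)
        printf("service 0x%02X %-14s -> %s+0x%lX %s\n", r[i].id, r[i].service,
               r[i].owner, (unsigned long)r[i].offset,
               r[i].hooked ? "HOOKED" : "ok");
    printf("%zu hooked entr%s\n", hooks, hooks == 1 ? "y" : "ies");
    return 0;
}
```

Running it reports NtCreateFile as hooked, names hooksys.sys as the owning module and gives the offset 0x1234 as the hook location, which is the same three facts the DSE screenshot above is showing. A real checker on a live system would read the loaded-module list and the service tables from kernel memory instead of arrays, and would apply the same owner check to each of the tables DSE lists; note that this range test only catches handlers redirected out of the owning module, so a hook that patches code in place inside the kernel image needs a separate comparison against the on-disk image.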



Copyright © 2008, Diamond Computer Systems Pty. Ltd.  All rights reserved.