
Detection Example: DSE vs TCP I/O Request Packet Hook
Description: This hook (irphook.sys) was written by 'fuzen_op' to demonstrate the basics of TCP IRP (I/O Request Packet) hooking: the driver replaces an entry in the dispatch table of tcpip.sys so that its own code runs before the real handler. Hooks of this kind are used by firewalls as well as by rootkits to gain control over the network layer. Because it is a kernel-level hook it requires a driver (.sys file) to accomplish this.
Detection: Installing the driver is as simple as loading it with the instdrv.exe tool:

Here we can see how easily DSE sees the hook in the I/O Request Packet subsection:

In this case we can see that the driver being hooked is tcpip.sys, together with the devices it owns (Ip, Tcp, Udp, etc.). Immediately below that, c:\irphook.sys is listed as a Hooking Driver, so we now know that irphook.sys is hooking tcpip.sys.
Below that we can see the hooks themselves. As this TCP IRP hook demo is minimal it installs only one hook, on IRP_MJ_DEVICE_CONTROL, and DSE shows the exact address of the hooking code within the hooking driver.
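The check behind the display above is simple to state: every entry in a driver's IRP dispatch table (the MajorFunction array of its DRIVER_OBJECT) should point into that driver's own image, so any entry that points elsewhere is a hook, and the module containing the target address is the hooking driver. The following is an added user-mode model of that check, written for this page and not DiamondCS or DSE code; the module names, base addresses, sizes and dispatch addresses are constructed for illustration. It goes one step beyond the demo on this page by also redirecting a second entry to an address inside no loaded module, the case a practitioner should handle, since a rootkit can place its handler in pool memory rather than in a visible driver image.

```c
/* Added example (not DiamondCS/DSE code): a user-mode model of the IRP
 * dispatch table check. All addresses, sizes and module names below are
 * constructed for illustration. Compile with: cc -o irpcheck irpcheck.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b          /* last major function code */
#define IRP_MJ_CREATE           0x00          /* from ntddk.h */
#define IRP_MJ_DEVICE_CONTROL   0x0e          /* from ntddk.h */
#define NUM_MJ (IRP_MJ_MAXIMUM_FUNCTION + 1)  /* 28 dispatch entries */

/* A loaded kernel module: name plus the address range of its image. */
typedef struct {
    const char *name;
    uintptr_t base;
    size_t size;
} Module;

/* The part of DRIVER_OBJECT the check needs: the MajorFunction table. */
typedef struct {
    const char *name;
    uintptr_t major_function[NUM_MJ];
} DriverObject;

typedef struct {
    int mj;              /* hooked IRP major function index */
    uintptr_t target;    /* where the dispatch pointer now points */
    const char *owner;   /* module containing target, or NULL if none */
} HookReport;

static const Module *find_module(const Module *mods, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* Returns the number of dispatch entries that point outside the driver's own
 * image (-1 if the driver's image is not in the module list) and fills `out`
 * with up to `max_out` reports. An entry whose owner is NULL points into
 * memory that belongs to no listed module, e.g. a pool allocation. */
int find_irp_hooks(const DriverObject *drv, const Module *mods, size_t nmods,
                   HookReport *out, size_t max_out)
{
    const Module *self = NULL;
    for (size_t i = 0; i < nmods; i++)
        if (strcmp(mods[i].name, drv->name) == 0) self = &mods[i];
    if (!self) return -1;

    int count = 0;
    for (int mj = 0; mj < NUM_MJ; mj++) {
        uintptr_t p = drv->major_function[mj];
        if (p >= self->base && p < self->base + self->size) continue; /* legitimate */
        if ((size_t)count < max_out) {
            const Module *m = find_module(mods, nmods, p);
            out[count].mj = mj;
            out[count].target = p;
            out[count].owner = m ? m->name : NULL;
        }
        count++;
    }
    return count;
}

/* Constructed sample module list (addresses are illustrative only). */
static const Module sample_modules[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x200000 },
    { "tcpip.sys",    0xF7A00000u, 0x80000 },
    { "irphook.sys",  0xF8B00000u, 0x2000 },
};

/* Builds a tcpip.sys driver object with two redirected entries:
 * IRP_MJ_DEVICE_CONTROL into irphook.sys (the demo on this page) and
 * IRP_MJ_CREATE into memory that belongs to no listed module. */
int demo_scan(HookReport *out, size_t max_out)
{
    DriverObject tcpip = { "tcpip.sys", {0} };
    for (int mj = 0; mj < NUM_MJ; mj++)   /* all handlers inside tcpip.sys... */
        tcpip.major_function[mj] = 0xF7A00000u + 0x1000 + (uintptr_t)mj * 0x40;
    tcpip.major_function[IRP_MJ_DEVICE_CONTROL] = 0xF8B00000u + 0x3AC; /* ...except these */
    tcpip.major_function[IRP_MJ_CREATE] = 0xFA123450u;
    return find_irp_hooks(&tcpip, sample_modules,
                          sizeof sample_modules / sizeof sample_modules[0],
                          out, max_out);
}

int main(void)
{
    HookReport r[NUM_MJ];
    int n = demo_scan(r, NUM_MJ);
    printf("%d hooked dispatch entries in tcpip.sys\n", n);
    for (int i = 0; i < n; i++)
        printf("  IRP_MJ 0x%02x -> 0x%08lx (%s)\n", r[i].mj, (unsigned long)r[i].target,
               r[i].owner ? r[i].owner : "no module: possible pool-allocated code");
    return 0;
}
```

In a real scanner the module list comes from the loaded-module list and the dispatch table from the live DRIVER_OBJECT; the test of "points inside its own image" is the same, and an entry with no owning module deserves the loudest warning, not a pass.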
Copyright © 2008, Diamond Computer Systems Pty. Ltd. All rights reserved.