This is a mirror of official site: http://jasper-net.blogspot.com/

Simple SST Unhooker

Thursday, March 18, 2010
1. SST: references
2. Algorithm
3. Memory mapped files
4. Implementation
5. Demonstration
6. How to build
1. SST: references

This article is a logical continuation of the article "Driver to Hide Processes and Files" by Ivan Romananko. You can find all the necessary information about the System Service Table (SST) and how it is hooked there. In this article I would like to show how to write your own unhooker that restores the original SST after it has been hooked by drivers such as Ivan's.

2. Algorithm

My goal is to write a simple driver that detects and removes SST hooks. This means the driver must not rely on the Zw-functions or on the SST itself, because I assume the SST has already been corrupted by unknown rootkits. I do not care about filter drivers and function code splicers for now, but maybe I will come back to them in the future. The simplest way to detect and remove hooks is to compare the SST that is placed in memory with the initial SST from the ntoskernel.exe file.

So the goal is:

  1. find the ntoskernel module in memory;
  2. find the section of ntoskernel in which the SST is placed and calculate the relative offset of the SST within that section;
  3. find the same section in the ntoskernel.exe file;
  4. calculate the real address of the SST in the file;
  5. read the values from the file and compare them with the in-memory SST.
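
The five steps above, as an added example (not the article's driver code and not from CodeProject): a user-mode Python script that parses a PE32 section table to turn the SST's RVA into a file offset, rebases the on-disk entries by the kernel's actual load delta, and reports the indexes whose live value differs. The PE image, addresses and SST values are constructed test data; a real check would read the kernel image from disk and the live table from kernel memory, and 64-bit (PE32+) kernels would need 8-byte entries and a different ImageBase field.

```python
import struct

FILE_HDR_FMT = "<HHIIIHH"        # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_headers(image):
    """Return (preferred ImageBase, section table) of an on-disk PE32 image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR_FMT, image, e_lfanew + 4)
    opt = e_lfanew + 24                          # optional header follows the file header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    return image_base, [struct.unpack_from(SECTION_HDR_FMT, image, opt + opt_size + 40 * i)
                        for i in range(nsec)]

def rva_to_file_offset(sections, rva):
    """Steps 2-4: find the section holding rva and map it to a raw file offset."""
    for _name, vsize, va, rawsize, rawptr, *_ in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return None

def find_sst_hooks(image, loaded_base, sst_va, memory_sst):
    """Step 5: (index, live, expected) for every entry differing from the rebased file copy."""
    preferred_base, sections = parse_headers(image)
    off = rva_to_file_offset(sections, sst_va - loaded_base)
    if off is None:
        raise ValueError("SST address is not inside any section")
    delta = loaded_base - preferred_base         # the kernel is rarely at its preferred base
    expected = [struct.unpack_from("<I", image, off + 4 * i)[0] + delta
                for i in range(len(memory_sst))]
    return [(i, live, exp) for i, (live, exp) in enumerate(zip(memory_sst, expected)) if live != exp]

def build_sample_image(sst_entries, image_base=0x80400000):
    """Constructed test data: minimal PE32, one .data section (RVA 0x1000, raw 0x200), SST at +8."""
    raw = b"\0" * 8 + b"".join(struct.pack("<I", e) for e in sst_entries)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)  # preferred ImageBase
    sec = struct.pack(SECTION_HDR_FMT, b".data\0\0\0", len(raw), 0x1000, len(raw),
                      0x200, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack(FILE_HDR_FMT, 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    return (hdr + bytes(opt) + sec).ljust(0x200, b"\0") + raw

ORIGINAL_SST = [0x80500000 + 0x10 * i for i in range(4)]   # constructed service VAs
LOADED_BASE = 0x80410000                                   # 0x10000 above preferred base
LIVE_SST = [e + 0x10000 for e in ORIGINAL_SST]
LIVE_SST[2] = 0xF8A00000                                   # constructed: entry 2 redirected
```

Running `find_sst_hooks(build_sample_image(ORIGINAL_SST), LOADED_BASE, LOADED_BASE + 0x1008, LIVE_SST)` reports only entry 2, whose expected value is the relocated original 0x80510020.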

But before the implementation I would like to present some additional background.

3. Memory mapped files in kernel mode

"A memory-mapped file is a segment of virtual memory which has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource." (Wikipedia)

Yeah, we want to parse the PE file, and memory-mapped files are very useful for this task. It is easy enough to use the mapped-file API from kernel mode, because it is very similar to the Win32 API. Instead of the CreateFileMapping and MapViewOfSection functions, a kernel-mode driver should access

Read more: Codeproject

Posted via email from jasper22's posterous
