Rootkit Analysis: Hiding SSDT hooks

In attempt to bring our readers/listeners more technical content, the SecuraBit team has brought on a guest blogger to cover some of the current issues facing malware analysts/reverse engineers.  Nick Jogie’s first post delves into rootkit analysis and explains in great detail how to detect such when AV and perimeter security devices just aren’t enough.  Provide feedback to the SecuraBit team and let us know your thoughts!

“System Service Descriptor Table (SSDT) patching has been widely used by rootkits and is usually easily detected.  BlackEnergy version 2 has implemented a technique which successfully hides from basic rootkit detection.  Basic rootkit detectors typically only check address ranges, on function pointers, listed in the SSDT.  If the pointers are outside the kernel address range, it implies that the SSDT is hooked.

The following will illustrate a procedural check, used to uncover this technique, using a kernel debugger…”

Read more here:

Rootkit Analysis – Hiding SSDT Hooks

Written by: Nick Jogie

5 responses to “Rootkit Analysis: Hiding SSDT hooks”

  1. […] Rootkit Analysis: Hiding SSDT hooks | SecuraBit […]

  2. Sean says:

    Awesome article/whitepaper Nick! Looking forward to more.

  3. Fabian says:

    Great paper. A bit too technical for me but get the message. It would be great to see the details in plain English. Specifically, as it refers to the real life symptoms a regular user might experience when a root kit is present. This should make the paper much more interesting than it already is. Possibly to a larger audience even.

  4. vikas malve says:

    I cant see paper 🙁 Getting error page not found could you please check whats the problem or send me paper on my mail if it is not problem 🙂

    thanks in advance ..waiting for you paper 🙂

    -Vikas

  5. myne-us says:

    @Vikas issue should now be fixed.

Leave a Reply