Searching for kernel-mode rootkits

The following techniques of kernel-mode rootkit detection are implemented in Vba32 AntiRootkit:

  • searching for SYSENTER hooks;
  • searching for hooks by replacing addresses in SSDT table;
  • searching for hooks by replacing addresses in Shadow SSDT table;
  • searching for hooks by modifying IDT table;
  • searching for export table modifications of main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
  • searching for hooks by modifying machine code (splicing);
  • searching for hooks by replacing addresses of IRP packet handlers;
  • searching for hooks by replacing addresses of FastIO request handlers;
  • searching for kernel modules hidden in memory. If an object is considered hidden, it is marked as Hidden in memory;
  • searching for processes hidden in memory. If an object is considered hidden, it is marked as Hidden in memory;
  • searching for kernel modules whose image on the hard drive does not match the image in memory. Such objects are marked as Modified image;
  • searching for installed kernel-mode notification callbacks.
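As an added example (not code from Vba32 AntiRootkit), the core of the SSDT-hook check listed above: each table entry is resolved to the loaded module whose address range contains it, and any entry that does not land inside the kernel image is reported, together with the owning module if one is known. All module ranges and SSDT values below are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """A loaded kernel module as reported by the module list (constructed)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose image range contains addr, or None."""
    for module in modules:
        if module.contains(addr):
            return module
    return None


def check_ssdt(ssdt: List[int], modules: List[Module],
               kernel: str = "ntoskrnl.exe") -> List[Tuple[int, int, Optional[str]]]:
    """Report SSDT entries whose target lies outside the kernel image.

    Each finding is (service index, target address, owning module name or None).
    A None owner means the target is in no listed module, which is what a
    hidden (unlinked) module looks like from the module list's point of view.
    """
    findings = []
    for index, addr in enumerate(ssdt):
        owner = owner_of(addr, modules)
        if owner is None or owner.name != kernel:
            findings.append((index, addr, owner.name if owner else None))
    return findings


# Constructed sample: a 32-bit kernel image plus one hypothetical third-party driver.
SAMPLE_MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x200000),
    Module("hal.dll", 0x80600000, 0x20000),
    Module("unknown_driver.sys", 0xF8A00000, 0x10000),  # placeholder name
]
# Entries 1 and 3 are hooked: one into the driver, one into no listed module.
SAMPLE_SSDT = [0x80410000, 0xF8A01234, 0x80420000, 0xBADC0DE0]

if __name__ == "__main__":
    for index, addr, owner in check_ssdt(SAMPLE_SSDT, SAMPLE_MODULES):
        print(f"SSDT[{index}] -> {addr:#010x} ({owner or 'no known module'})")
```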

Moreover, the following additional techniques are implemented:

  • scanning autoruns;
  • scanning drivers and services specified in the registry;
  • scanning all obtained objects (process files, autoruns, loaded drivers/services and kernel modules);
  • checking digital signature of all obtained objects (process files, autoruns, loaded drivers/services and kernel modules);
  • displaying additional information retrieved from file resources.

The following features are designed for neutralizing rootkits:

  • restoring hooks in SSDT table;
  • restoring hooks in Shadow SSDT table;
  • restoring hooks in IDT table;
  • restoring hooks in main kernel modules (ndis.sys, hal.dll, ntoskrnl.exe);
  • restoring hooks made by machine code modifications;
  • restoring SYSENTER hooks;
  • removing specified objects from autoruns;
  • enabling/disabling drivers/services specified in the registry;
  • copying specified files to the quarantine early in the system boot;
  • deleting specified files early in the system boot;
  • scanning and deleting autorun.inf files;
  • removing installed kernel-mode notification callbacks.

To support feedback, the program collects system state information.

Note: Vba32 AntiRootkit doesn’t search for user-mode rootkits.
