Detecting Function Machine Code Modification Hooks

To detect and restore hooks placed by code splicing, Vba32 AntiRootKit contains a disassembler and a CPU instruction emulator. This allows it to analyze the entire function body, not only its first bytes, so a jump planted in the middle of a function is found as well as one placed over the prologue.

It analyzes the KiFastCallEntry function, the functions referenced from the SSDT and Shadow SSDT tables, and the functions in the following modules: ntoskrnl.exe, hal.dll and ndis.sys. The machine code of both exported and non-exported functions is analyzed and restored.

Figure: Detecting function machine code modification hooks

The Type field also shows the offset (in bytes) from the beginning of the function at which the modified code is located, together with the type of modification: Jump, Call, Ret, Iret, Int (including Int 3 and Into) and other instructions are recognized.

To restore detected hooks, use the Restore and Restore All buttons.
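The following is an added illustration, not code from Vba32 AntiRootKit, of what the report above contains: the offset of the first modified byte and the kind of control transfer planted there. It compares the whole live function body against a trusted clean copy (a simplification; the product itself disassembles and emulates the code rather than diffing it), classifies the instruction at the first difference (jmp rel8/rel32, call, ret/retf, iret, int3/int/into, jmp/call through ModRM, and the push imm32 / ret trampoline), and then writes the clean bytes back. The function bytes, the hook offsets and the hook encodings are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classification of the instruction found at the first modified byte. */
typedef enum { HOOK_NONE, HOOK_JMP, HOOK_CALL, HOOK_RET, HOOK_IRET, HOOK_INT, HOOK_OTHER } hook_type;

typedef struct {
    int found;      /* 1 if the live bytes differ from the clean copy */
    size_t offset;  /* byte offset of the first difference from the function start */
    hook_type type; /* kind of control transfer planted there */
} hook_report;

static const char *const hook_names[] = { "None", "Jump", "Call", "Ret", "Iret", "Int", "Other" };

/* Classify the x86 instruction whose first byte is p[0]; len bytes remain in the function. */
static hook_type classify(const uint8_t *p, size_t len)
{
    switch (p[0]) {
    case 0xE9: case 0xEB:                       return HOOK_JMP;  /* jmp rel32 / jmp rel8 */
    case 0xE8:                                  return HOOK_CALL; /* call rel32 */
    case 0xC3: case 0xC2: case 0xCB: case 0xCA: return HOOK_RET;  /* ret, ret imm16, retf, retf imm16 */
    case 0xCF:                                  return HOOK_IRET; /* iret */
    case 0xCC: case 0xCD: case 0xCE:            return HOOK_INT;  /* int3, int imm8, into */
    case 0xFF:                                  /* ModRM.reg selects call (2,3) or jmp (4,5) r/m */
        if (len >= 2) {
            uint8_t reg = (p[1] >> 3) & 7;
            if (reg == 2 || reg == 3) return HOOK_CALL;
            if (reg == 4 || reg == 5) return HOOK_JMP;
        }
        return HOOK_OTHER;
    case 0x68:                                  /* push imm32 ; ret behaves like jmp imm32 */
        return (len >= 6 && p[5] == 0xC3) ? HOOK_JMP : HOOK_OTHER;
    default:
        return HOOK_OTHER;
    }
}

/* Walk the whole function, not just its first bytes; report the first modified instruction. */
hook_report scan_function(const uint8_t *live, const uint8_t *clean, size_t len)
{
    hook_report r = { 0, 0, HOOK_NONE };
    for (size_t i = 0; i < len; i++) {
        if (live[i] != clean[i]) {
            r.found = 1;
            r.offset = i;
            r.type = classify(live + i, len - i);
            break;
        }
    }
    return r;
}

/* Write the clean bytes back over the hook; returns how many bytes were restored. */
size_t restore_function(uint8_t *live, const uint8_t *clean, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (live[i] != clean[i]) { live[i] = clean[i]; n++; }
    return n;
}

/* Constructed sample: a small 32-bit function body with a standard prologue and epilogue. */
static const uint8_t clean_func[] = {
    0x8B, 0xFF,             /*  0: mov edi, edi */
    0x55,                   /*  2: push ebp */
    0x8B, 0xEC,             /*  3: mov ebp, esp */
    0x83, 0xEC, 0x10,       /*  5: sub esp, 0x10 */
    0x53, 0x56, 0x57,       /*  8: push ebx / push esi / push edi */
    0x33, 0xC0,             /* 11: xor eax, eax */
    0x5F, 0x5E, 0x5B,       /* 13: pop edi / pop esi / pop ebx */
    0x8B, 0xE5,             /* 16: mov esp, ebp */
    0x5D,                   /* 18: pop ebp */
    0xC3                    /* 19: ret (legitimate, so never reported) */
};
#define FUNC_LEN (sizeof clean_func)

/* Apply a constructed patch at the given offset and scan the result. */
static hook_report demo_hook(size_t at, const uint8_t *patch, size_t n)
{
    uint8_t live[FUNC_LEN];
    memcpy(live, clean_func, FUNC_LEN);
    memcpy(live + at, patch, n);
    return scan_function(live, clean_func, FUNC_LEN);
}

/* jmp rel32 spliced at offset 8, past the 5 prologue bytes a naive scanner checks. */
hook_report demo_mid_function_jmp(void)
{
    static const uint8_t jmp[] = { 0xE9, 0x10, 0x20, 0x30, 0x40 };
    return demo_hook(8, jmp, sizeof jmp);
}

/* int3 planted on the first byte of the function. */
hook_report demo_int3_hook(void)
{
    static const uint8_t int3[] = { 0xCC };
    return demo_hook(0, int3, sizeof int3);
}

/* push imm32 / ret trampoline at offset 8. */
hook_report demo_push_ret_hook(void)
{
    static const uint8_t pr[] = { 0x68, 0x10, 0x20, 0x30, 0x40, 0xC3 };
    return demo_hook(8, pr, sizeof pr);
}

/* Unmodified function: nothing is reported. */
hook_report demo_clean(void) { return scan_function(clean_func, clean_func, FUNC_LEN); }

/* Hook, restore, rescan; returns the number of differences left after restoration (0). */
int demo_restore(void)
{
    uint8_t live[FUNC_LEN];
    memcpy(live, clean_func, FUNC_LEN);
    live[8] = 0xE9;
    restore_function(live, clean_func, FUNC_LEN);
    return scan_function(live, clean_func, FUNC_LEN).found;
}

int main(void)
{
    hook_report r = demo_mid_function_jmp();
    printf("found=%d offset=%zu type=%s\n", r.found, r.offset, hook_names[r.type]);
    return 0;
}
```

The clean reference must come from a trusted source (for a kernel module, the on-disk image with relocations applied), and import thunks or relocated absolute addresses need to be reconciled before the comparison, otherwise legitimate differences are reported as hooks.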
