Detecting IDT Hooks

The interrupt descriptor table (IDT) binds every interrupt and exception vector to the descriptor of its handler procedure. Some rootkits replace the handler addresses in these descriptors with addresses of their own handlers; this is known as installing IDT hooks.

Vba32 AntiRootKit checks the integrity of the interrupt descriptor table.

Figure: Detecting IDT hooks

When a hook is detected, the tool displays the name of the hooked handler, its vector number in the IDT, the original (base) and current addresses of the handler, and the name of the module that installed the hook.

To restore detected hooks, use the Restore and Restore All buttons.
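The check described above amounts to decoding each gate descriptor in the IDT, comparing the handler it points to against a trusted baseline, and attributing a changed address to whichever loaded module owns it. The following is an added example, not code from Vba32 AntiRootkit or from this page: a user-space C simulation that uses the architectural x86-64 gate layout, a constructed baseline IDT, a constructed module map (the module names, base addresses and handler addresses are hypothetical), and a "restore" step that writes the baseline descriptor back over the hooked one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Architectural x86-64 IDT gate descriptor (16 bytes per vector). */
typedef struct {
    uint16_t offset_low;    /* handler address bits 0..15  */
    uint16_t selector;      /* code segment selector        */
    uint8_t  ist;           /* bits 0..2: IST index         */
    uint8_t  type_attr;     /* P | DPL | 0 | gate type      */
    uint16_t offset_mid;    /* handler address bits 16..31 */
    uint32_t offset_high;   /* handler address bits 32..63 */
    uint32_t reserved;
} __attribute__((packed)) idt_gate64_t;

#define NVEC 256

/* Reassemble the handler address scattered across the three offset fields. */
static uint64_t gate_handler(const idt_gate64_t *g)
{
    return (uint64_t)g->offset_low
         | ((uint64_t)g->offset_mid << 16)
         | ((uint64_t)g->offset_high << 32);
}

static void set_gate(idt_gate64_t *g, uint64_t handler)
{
    memset(g, 0, sizeof *g);
    g->offset_low  = (uint16_t)(handler & 0xFFFF);
    g->offset_mid  = (uint16_t)((handler >> 16) & 0xFFFF);
    g->offset_high = (uint32_t)(handler >> 32);
    g->selector    = 0x10; /* hypothetical kernel code selector */
    g->type_attr   = 0x8E; /* present, DPL 0, 64-bit interrupt gate */
}

/* Loaded-module map: lets the report name the driver owning a handler address. */
typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;

static const char *module_for(uint64_t addr, const module_t *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return mods[i].name;
    return "<unknown>";
}

/* One report row: vector, original (baseline) and current addresses, owning module. */
typedef struct { int vector; uint64_t original, current; const char *module; } hook_report_t;

/* Integrity check: a vector whose handler address, selector or attributes differ
 * from the trusted baseline is reported as hooked. Returns the number of hooks. */
static int detect_idt_hooks(const idt_gate64_t *baseline, const idt_gate64_t *live,
                            const module_t *mods, size_t nmods,
                            hook_report_t *out, int max_out)
{
    int found = 0;
    for (int v = 0; v < NVEC; v++) {
        uint64_t orig = gate_handler(&baseline[v]), cur = gate_handler(&live[v]);
        if (orig == cur && baseline[v].selector == live[v].selector
                        && baseline[v].type_attr == live[v].type_attr)
            continue;
        if (found < max_out)
            out[found] = (hook_report_t){ v, orig, cur, module_for(cur, mods, nmods) };
        found++;
    }
    return found;
}

/* "Restore": overwrite the hooked descriptor with the baseline one. */
static void restore_gate(idt_gate64_t *live, const idt_gate64_t *baseline, int v)
{
    live[v] = baseline[v];
}

/* ---- demo on constructed data; no real IDT is read here ---- */
static const module_t g_mods[] = {
    { "ntoskrnl.exe", 0xFFFFF80000400000ULL, 0x00800000 }, /* hypothetical kernel range */
    { "rootkit.sys",  0xFFFFF88001000000ULL, 0x00010000 }, /* hypothetical malicious driver */
};
static idt_gate64_t  g_base[NVEC], g_live[NVEC];
static hook_report_t g_reports[8];

int run_demo(void)
{
    for (int v = 0; v < NVEC; v++) {
        set_gate(&g_base[v], 0xFFFFF80000401000ULL + (uint64_t)v * 0x40);
        g_live[v] = g_base[v];
    }
    /* Simulate a rootkit redirecting #DB (vector 1) and vector 0x2E into its own image. */
    set_gate(&g_live[0x01], 0xFFFFF88001001230ULL);
    set_gate(&g_live[0x2E], 0xFFFFF88001002000ULL);

    int n = detect_idt_hooks(g_base, g_live, g_mods, 2, g_reports, 8);
    for (int i = 0; i < n && i < 8; i++) {
        printf("IDT[0x%02X]: original 0x%016llX current 0x%016llX (%s)\n",
               g_reports[i].vector, (unsigned long long)g_reports[i].original,
               (unsigned long long)g_reports[i].current, g_reports[i].module);
        restore_gate(g_live, g_base, g_reports[i].vector);   /* "Restore All" */
    }
    return n;
}

const hook_report_t *demo_report(int i) { return &g_reports[i]; }

/* After restore the check must come back clean (1 = clean). */
int demo_clean_after_restore(void)
{
    hook_report_t tmp[8];
    return detect_idt_hooks(g_base, g_live, g_mods, 2, tmp, 8) == 0;
}

int main(void) { run_demo(); return demo_clean_after_restore() ? 0 : 1; }
```

In a real scanner this logic runs in a kernel driver: the IDT base comes from SIDT, each CPU has its own IDT and must be checked separately (a rootkit may hook only one of them), and the baseline must be taken from a trusted state, such as the handler addresses resolved from the on-disk kernel image, rather than from a snapshot taken after the rootkit is already loaded.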
