Detecting SYSENTER Hooks

The SYSENTER instruction is designed for a fast switch from user mode (Ring 3) to kernel mode (Ring 0). Starting with Windows XP, it is used for fast system service calls.

SYSENTER jumps to the address specified in one of the Model-Specific Registers (MSRs). Some rootkits modify these MSRs to gain control instead of the system handler.

Vba32 AntiRootkit checks the integrity of the MSR registers for every active processor.
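The check described above, as an added example that is not Vba32's code: a pure function that takes the SYSENTER MSR values read from each processor and flags a CPU whose entry point lies outside the kernel image or differs from the other CPUs. The MSR numbers are Intel's documented ones; the per-CPU values and the kernel image range are constructed sample data, and reading the MSRs themselves (RDMSR) would be done by a kernel driver, which is not shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Documented MSR numbers used by SYSENTER (Intel SDM). */
#define IA32_SYSENTER_CS  0x174u
#define IA32_SYSENTER_ESP 0x175u  /* per-processor stack: not compared */
#define IA32_SYSENTER_EIP 0x176u  /* kernel entry point: the hook target */

typedef struct {
    uint32_t cs;   /* value read from IA32_SYSENTER_CS  */
    uint32_t eip;  /* value read from IA32_SYSENTER_EIP */
} sysenter_msrs_t;

/* Returns the 0-based index of the first suspicious CPU, or -1 if all are
 * clean. A CPU is suspicious when its SYSENTER_EIP does not point inside the
 * kernel image [kernel_base, kernel_base + kernel_size) or when its CS/EIP
 * differ from CPU 0: every processor must share the same system handler. */
int check_sysenter_msrs(const sysenter_msrs_t *cpus, size_t ncpu,
                        uint32_t kernel_base, uint32_t kernel_size)
{
    for (size_t i = 0; i < ncpu; i++) {
        uint32_t eip = cpus[i].eip;
        if (eip < kernel_base || eip - kernel_base >= kernel_size)
            return (int)i;                       /* hooked into a driver/heap */
        if (cpus[i].cs != cpus[0].cs || eip != cpus[0].eip)
            return (int)i;                       /* one CPU redirected */
    }
    return -1;
}

/* Constructed sample: kernel image at 0x80400000, size 2 MiB; CPU 1 has its
 * SYSENTER_EIP redirected to 0xF8A1C000 (outside the image). Returns 1. */
int demo_scan(void)
{
    const sysenter_msrs_t hooked[2] = {
        { 0x08u, 0x80540720u },
        { 0x08u, 0xF8A1C000u },
    };
    return check_sysenter_msrs(hooked, 2, 0x80400000u, 0x00200000u);
}

int main(void)
{
    int cpu = demo_scan();
    if (cpu < 0) printf("SYSENTER MSRs intact on all CPUs\n");
    else         printf("SYSENTER hook suspected on CPU %d\n", cpu);
    return 0;
}
```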

[Screenshot: Vba32 AntiRootkit, Detecting SYSENTER hooks]

To restore the integrity of the MSR registers, use the Restore and Restore All buttons.
