Monday, April 09, 2007

SSDT Hook Detection

We have been working on a new feature for Helios - SSDT hook detection. A number of rootkits modify entries in the System Service Dispatcher Table (SSDT). This table is consulted every time a Windows API function calls into the kernel. By changing the address stored in one of these entries, a rootkit can have its own function called in place of the original; the replacement then calls the original function and alters the returned data before it reaches the caller. This is a popular way of hiding data from the Windows API.

Helios will now check the integrity of the SSDT, detect entries that no longer point to their original kernel functions, and mark them as potential danger areas. Hooking is also used by plenty of legitimate programs such as anti-virus products and firewalls; hence not every hook detected is a sign that the computer contains a rootkit.
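The check described in the two paragraphs above, reduced to its core: every SSDT slot should resolve into the kernel image, and any slot that resolves elsewhere is a hook candidate that is reported together with the module that owns the address, so an analyst can tell a named security driver from an unknown one. This is an added example written for this page, not Helios code; the module ranges, driver names and SSDT indices are constructed sample values, and on a live system the table contents and module ranges would be read from the running kernel instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A loaded kernel module's address range. Values below are constructed for
 * the example; on a live system they come from the loaded-module list. */
typedef struct {
    const char *name;
    uintptr_t   base;
    uintptr_t   size;
} module_range_t;

/* One SSDT slot: its service index and the handler address stored there. */
typedef struct {
    unsigned  index;
    uintptr_t address;
} ssdt_entry_t;

/* What the scan concludes about one slot. */
typedef struct {
    unsigned    index;
    uintptr_t   address;
    const char *owner;   /* module whose range contains the address, or NULL */
    int         hooked;  /* 1 if the slot does not point into the kernel image */
} ssdt_finding_t;

/* Find which known module range contains addr; NULL if none does. */
static const char *resolve_owner(uintptr_t addr,
                                 const module_range_t *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return NULL;
}

/* Walk the table: every slot must resolve into expected_owner (the kernel
 * image that implements the native system services). Anything else is
 * recorded as a hook candidate. Returns the number of flagged slots. */
size_t ssdt_scan(const ssdt_entry_t *table, size_t n,
                 const module_range_t *mods, size_t nmods,
                 const char *expected_owner, ssdt_finding_t *out)
{
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++) {
        const char *owner = resolve_owner(table[i].address, mods, nmods);
        out[i].index   = table[i].index;
        out[i].address = table[i].address;
        out[i].owner   = owner;
        out[i].hooked  = (owner == NULL || strcmp(owner, expected_owner) != 0);
        if (out[i].hooked)
            flagged++;
    }
    return flagged;
}

/* Constructed sample: a kernel image, a hypothetical security product's
 * driver, and four SSDT slots, two of which have been redirected. */
static const module_range_t sample_modules[] = {
    { "ntoskrnl.exe", 0x80400000u, 0x00200000u },
    { "avfilter.sys", 0xF8B00000u, 0x00020000u },   /* hypothetical AV driver */
};

static const ssdt_entry_t sample_ssdt[] = {
    { 0x25, 0x80487A10u },   /* inside ntoskrnl: untouched */
    { 0x47, 0xF8B01234u },   /* inside avfilter.sys: hooked, owner known */
    { 0x91, 0x80512C40u },   /* inside ntoskrnl: untouched */
    { 0xAD, 0xF7A2F000u },   /* in no listed module: hooked, owner unknown */
};

#define SAMPLE_N (sizeof sample_ssdt / sizeof sample_ssdt[0])

/* Run the scan over the constructed sample; out must hold SAMPLE_N findings. */
size_t sample_scan(ssdt_finding_t *out)
{
    return ssdt_scan(sample_ssdt, SAMPLE_N,
                     sample_modules, sizeof sample_modules / sizeof sample_modules[0],
                     "ntoskrnl.exe", out);
}

int main(void)
{
    ssdt_finding_t findings[SAMPLE_N];
    size_t flagged = sample_scan(findings);
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("SSDT[0x%02X] -> 0x%08lX  %-12s  %s\n",
               findings[i].index, (unsigned long)findings[i].address,
               findings[i].owner ? findings[i].owner : "<unknown>",
               findings[i].hooked ? "HOOKED" : "ok");
    printf("%zu of %zu entries flagged\n", flagged, (size_t)SAMPLE_N);
    return 0;
}
```

Both redirected slots are flagged, but the report keeps them distinguishable: one resolves into a named driver that an analyst can look up, the other into no loaded module at all, which is the stronger signal. An address inside the kernel image is not by itself proof that a slot is original; comparing the live table against the values derived from the on-disk ntoskrnl.exe closes that gap.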
