Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Anti-Rootkit Questions - Understanding the tool your using

  • Please log in to reply
2 replies to this topic

#1 Dairy-oh


  • Members
  • 31 posts
  • Local time:12:54 PM

Posted 26 July 2014 - 03:34 PM



I'm using mainly 2 anti-rootkit tools, Antispy 2.2 and PC Hunter 1.33.


If there is a hook, there is also a module listed. Is this module being hooked or is this module doing the hooking?


PC Hunter says:

index      name                               current entry         hook               original entry        module

323        NtUserBuildHwndList        0x8837E8B0        ssdt hook        0x919992DA        C:\Users\Name\Location\File\pc_hunter_free_1.33\PCHunter_free\PCHunter32ah.sys



BC AdBot (Login to Remove)


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • Gender:Male
  • Local time:06:54 PM

Posted 27 July 2014 - 08:27 AM

I suppose this is on WIndows 7?


NtUserBuildHwndList is a Windows kernel function that has index 323 in the System Service Dispatch Table (SSDT).


So from this I gather that PCHunter32ah.sys is the module to which index 323 of the SSDT points to, thus this module is a hook.


Looks like PC Hunter is detecting its own hooks.

Didier Stevens

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019


If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,739 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:54 PM

Posted 27 July 2014 - 08:39 AM

Expanding on Didier Stevens comments.

Not all rootkits/hidden components are malicious. Legitimate programs can use rootkits for legitimate reasons. Most ARK tools check for rookit-like behavior which is not always indicative of a malware infection. It is normal for a Firewall, some anti-virus and anti-malware software, CD Emulators, virtual machines, sandboxes and Host based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernal/SSDT (System Service Descriptor Table) in order to protect your system. SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

When used for malicious reasons, a rootkit takes active measures to obscure its presence (hide itself from view) within the host system through subversion or evasion of standard operating system security tools and APIs used for diagnosis, scanning, and monitoring. Rootkits are able to do this by modifying the behavior of an operating system's core parts through loading code into other processes, the installation or modification of drivers, or kernel modules. Rootkits hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Hooking is one of the techniques used by a rootkit to alter the normal execution path of the operating system. Rootkit hooks are bascially installed modules which intercept the principal system services that all programs and the OS rely on. By using a hook, a rootkit can alter the information that the original OS function would have returned. There are many tables in an OS that can be hooked by a rootkit and those hooks are undetectable unless you know exactly what you're looking for.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. Anti-rootkit (ARK) scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden components may be detected when performing a scan to check for the presence of rootkits and you should not be alarmed if any hidden entries created by legitimate programs are detected. In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determined if they are benign, system critical or malevolent before attempted removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

If you're unsure how to use a particular Anti-rootkit (ARK) tool or interpret the log it generates, then you probably should not be using it. Some ARK tools are intended for advanced users or to be used under the guidance of an expert who can interpret the log results and investigate it for malicious entries before taking any removal action. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users