June 2018
Beginner
510 pages
13h 7m
English
Content preview from Learning Malware Analysis
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
8.3 Identifying Inline Kernel Hooks
Instead of replacing the pointers in the SSDT, which makes it easy to recognize, an attacker can modify the kernel function or function in an existing kernel driver with a jmp instruction to reroute the execution flow to the malicious code. As mentioned earlier in this chapter, you can use the apihooks plugin to detect inline hooking in the kernel space. By specifying the -P argument, you can tell the apihooks plugin to only scan for the hooks in the kernel space. In the following example of a TDL3 rootkit, the apihooks detect the hooks in the kernel functions IofCallDriver and IofCompleteRequest. The hooked API functions are redirected to the 0xb878dfb2 and 0xb878e6bb addresses within a malicious module ...