8.4 Detecting IRP Function Hooks

Instead of hooking the kernel API functions, a rootkit can modify the entries in the major function table (dispatch routine array) to point to a routine in the malicious module. For example, a rootkit can inspect the data buffer that is written to a disk or network by overwriting the address corresponding to IRP_MJ_WRITE in a driver's major function table. The following diagram illustrates this concept:

Normally, the IRP handler functions of a driver point within their own module. For instance, the routine associated with IRP_MJ_WRITE of null.sys points to an address in null.sys; however, sometimes a driver ...
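The detection idea above (every entry in a driver's major function table should resolve inside the driver's own module) can be expressed as a small check. The following is an added example, not code from the book or from any memory forensics tool: the driver object, the 28 dispatch routine addresses and the loaded module ranges are constructed in-memory values. In a real analysis they would be read from each _DRIVER_OBJECT (its MajorFunction array, DriverStart and DriverSize) and from the kernel's loaded module list. One caveat a practitioner must build in: entries a driver does not implement are filled by the I/O manager with nt!IopInvalidDeviceRequest, so pointers into ntoskrnl.exe are expected and are excluded from the findings.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Names of the 28 IRP major function codes, in index order (IRP_MJ_CREATE = 0 ... IRP_MJ_PNP = 27).
IRP_MJ_NAMES = [
    "CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE",
    "QUERY_INFORMATION", "SET_INFORMATION", "QUERY_EA", "SET_EA", "FLUSH_BUFFERS",
    "QUERY_VOLUME_INFORMATION", "SET_VOLUME_INFORMATION", "DIRECTORY_CONTROL",
    "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL", "INTERNAL_DEVICE_CONTROL", "SHUTDOWN",
    "LOCK_CONTROL", "CLEANUP", "CREATE_MAILSLOT", "QUERY_SECURITY", "SET_SECURITY",
    "POWER", "SYSTEM_CONTROL", "DEVICE_CHANGE", "QUERY_QUOTA", "SET_QUOTA", "PNP",
]


@dataclass(frozen=True)
class Module:
    """A loaded kernel module: image base and size (constructed values in this example)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class DriverObject:
    """Minimal stand-in for _DRIVER_OBJECT: the module it was loaded from plus its dispatch table."""
    name: str
    module: Module                 # corresponds to DriverStart / DriverSize
    major_function: List[int]      # 28 routine addresses (the MajorFunction array)


def resolve_module(addr: int, modules: List[Module]) -> Optional[Module]:
    """Map an address to the loaded module that contains it, or None if no module claims it."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def find_irp_hooks(driver: DriverObject, modules: List[Module],
                   trusted: Tuple[str, ...] = ("ntoskrnl.exe",)) -> List[Tuple[str, int, Optional[str]]]:
    """Return (IRP_MJ name, address, owning module or None) for every dispatch entry
    that points outside the driver's own image, except entries that resolve to a
    trusted kernel image (unused slots legitimately point to nt!IopInvalidDeviceRequest).
    An owner of None means the pointer lands in no listed module: the strongest signal,
    since a rootkit may have unlinked its module from the loaded module list."""
    findings = []
    for idx, addr in enumerate(driver.major_function):
        if driver.module.contains(addr):
            continue                                  # expected: points within its own module
        owner = resolve_module(addr, modules)
        if owner is not None and owner.name.lower() in trusted:
            continue                                  # expected: I/O manager default handler
        findings.append((IRP_MJ_NAMES[idx], addr, owner.name if owner else None))
    return findings


def build_sample() -> Tuple[DriverObject, List[Module]]:
    """Constructed sample data: a null.sys driver object whose WRITE entry has been redirected
    into a hypothetical module (named evil.sys here) and whose DEVICE_CONTROL entry points to
    memory not covered by any listed module."""
    nt = Module("ntoskrnl.exe", 0xFFFFF80000000000, 0x800000)
    null = Module("null.sys", 0xFFFFF88001000000, 0x7000)
    evil = Module("evil.sys", 0xFFFFF88002000000, 0x5000)      # hypothetical rootkit module
    invalid_request = 0xFFFFF80000123450                       # stands in for nt!IopInvalidDeviceRequest
    table = [invalid_request] * 28
    for name, off in (("CREATE", 0x1000), ("CLOSE", 0x1100), ("READ", 0x1200), ("WRITE", 0x1300)):
        table[IRP_MJ_NAMES.index(name)] = null.base + off       # legitimate handlers inside null.sys
    table[IRP_MJ_NAMES.index("WRITE")] = evil.base + 0x1000          # hooked: redirected into evil.sys
    table[IRP_MJ_NAMES.index("DEVICE_CONTROL")] = 0xFFFFF88003000000  # hooked: unknown memory
    return DriverObject("\\Driver\\Null", null, table), [nt, null, evil]


if __name__ == "__main__":
    drv, mods = build_sample()
    for irp, addr, owner in find_irp_hooks(drv, mods):
        print(f"{drv.name}: IRP_MJ_{irp} -> {addr:#x} ({owner or 'UNKNOWN'})")
```

Running the sample reports two entries for \Driver\Null: IRP_MJ_WRITE resolving into evil.sys and IRP_MJ_DEVICE_CONTROL resolving to no listed module at all. The same loop is meant to run over every driver object in the image; the trusted-image exception is the check most worth tuning, because a driver that forwards some IRPs to a different, legitimate module will also show up here and has to be vetted by hand.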
