Rootkit Hook Detection

This material will be presented in 2 parts. The first part will explain some interception techniques, the second part will explain how to detect them. There are no files in kernel mode, the author will be considered both for user mode and kernel mode in the x86 system in this article.

The author made a simplified block diagram of calling the WriteFile function in the kernel32 file. for a better understanding. This is just an example to highlight the key points, they chose the WriteFile function, as this makes a good example, and disk I / O is usually intercepted by malware, but most of the material in this graph will apply to a variety of functions.

If you have any questions, please leave a comment. We hope this information will be useful to you. The next part will soon appear and explain how to detect (and possibly delete) the hooks described in this article.

More.

DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAWFIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.