Rootkit Hook Detection
This material will be presented in 2 parts. The first part will explain some interception techniques, the second part will explain how to detect them. There are no files in kernel mode, the author will be considered both for user mode and kernel mode in the x86 system in this article.
The author made a simplified block diagram of calling the WriteFile function in the kernel32 file. for a better understanding. This is just an example to highlight the key points, they chose the WriteFile function, as this makes a good example, and disk I / O is usually intercepted by malware, but most of the material in this graph will apply to a variety of functions.
If you have any questions, please leave a comment. We hope this information will be useful to you. The next part will soon appear and explain how to detect (and possibly delete) the hooks described in this article.