This article includes description of simple unhooker that restores original System Service Table hooked by unknown rootkits, which hide some services and processes.
1. SST: references
3. Memory mapped files
6. How to build
Leader of Network Security Team
1. SST: references
This article is a logical continuation of the article "Driver to Hide Processes and Files". It contains all the necessary background on the System Service Table (SST) and how it is hooked.
In this article I would like to show how to write your own unhooker that restores the original SST after it has been hooked by drivers like Ivan's.
My goal is to write a simple driver that detects and removes SST hooks.
This means that our driver should not use Zw-functions or the SST itself, because I assume the SST has already been corrupted by an unknown rootkit.
I do not care about filter drivers and function code splicers for now, but maybe I will come back to them in the future.
The simplest way to detect and remove hooks is to compare the SST that is in memory with the original SST stored in the ntoskrnl.exe file on disk.
So the goal is:
- to find the ntoskrnl module in memory;
- to find the section of ntoskrnl where the SST is placed and to calculate the relative offset of the SST within that section;
- to find the same section in the ntoskrnl.exe file;
- to calculate the real address of the SST in the file;
- to read the values from the file and to compare them with the SST in memory.
But before the implementation I would like to present some additional information.
3. Memory mapped files in kernel mode
"A memory-mapped file is a segment of virtual memory which has been assigned a direct byte-for-byte correlation with some portion of a file or file-like resource". (c) Wiki
Yes, we want to parse the PE file, and memory-mapped files are very useful for this task.
It is easy enough to use the mapped-files API from kernel mode, because it is very similar to the Win32 API. Instead of the CreateFileMapping and
MapViewOfFile functions, a kernel-mode driver would normally use the corresponding Zw* section functions (ZwCreateSection and ZwMapViewOfSection).
But using these functions would break our own rule not to go through the SST. It is also better for an anti-rootkit to use the lowest-level functions available, in the hope of staying invisible to any rootkit that may be present.
With regard to this we can use undocumented functions of Memory Manager (Mm), of course at our own risk:
This example demonstrates an alternative way of using mapped files through the undocumented Mm functions.
The presented approach is quite good because it uses neither
Zw* functions nor handles at all, but it has one restriction. If you call this sample from
DriverEntry it will work fine, but if you call it from the
IRP_MJ_DEVICE_CONTROL handler you will see that the
MmCreateSection function fails with
The answer is:
the Zw* functions do one good thing - they set the previous mode to
KernelMode, which allows kernel-mode pointers and handles to be passed as their parameters (for more information see the article "Nt vs. Zw - Clearing Confusion On The Native API"). In DriverEntry and in a system thread the previous mode is already KernelMode, whereas a device-control request coming from a user-mode process arrives with the previous mode set to UserMode, so the raw Mm routine rejects our kernel-mode parameters.
So the function presented above can only be called from
DriverEntry or from a system thread.
4. Algorithm implementation
I designed the following structure to save all the ntoskrnl parsing results:
And I implemented the chosen algorithm as follows:
And here is the function that returns the real (in-memory) value of the SST:
After that it is quite simple to implement the main functionality:
This tiny cycle completely removes all SST hooks and brings SST to its initial state.
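The core of the algorithm above (locate the section that contains the SST, translate its RVA to a file offset, read the on-disk entries, compare them with the live table and write the originals back) can be exercised outside the kernel. The following is an added example written for this article, not the article's own driver code: it is portable user-mode C that parses a constructed, minimal PE32 image instead of a real ntoskrnl.exe, and the function names (`rva_to_file_offset`, `sst_check`, `demo_unhook`) are my own. It assumes, as the real unhooker must, that the on-disk table holds absolute addresses relative to the preferred ImageBase, so every entry is shifted by the relocation delta (actual load base minus ImageBase) before comparison.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Little-endian readers/writers: the parser then works on any host
   without relying on struct packing of the PE headers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the PE section table and map an RVA to a file offset.
   Returns 1 on success, 0 if the headers are malformed, the RVA lies in
   no section, or it lies in a section's zero-filled tail that has no
   bytes on disk. Also reports the preferred ImageBase (PE32 only). */
int rva_to_file_offset(const uint8_t *img, size_t len, uint32_t rva,
                       uint32_t *file_off, uint32_t *image_base)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t pe = rd32(img + 0x3C);                    /* e_lfanew */
    if (pe + 24 + 32 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec     = rd16(img + pe + 6);          /* FileHeader.NumberOfSections */
    uint16_t opt_size = rd16(img + pe + 20);         /* FileHeader.SizeOfOptionalHeader */
    if (rd16(img + pe + 24) != 0x10b) return 0;      /* OptionalHeader.Magic: PE32 */
    if (image_base) *image_base = rd32(img + pe + 24 + 28);
    size_t sec = pe + 24 + opt_size;                 /* first IMAGE_SECTION_HEADER */
    if (sec + (size_t)nsec * 40 > len) return 0;
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t vsize = rd32(img + sec + 8), va = rd32(img + sec + 12);
        uint32_t rsize = rd32(img + sec + 16), raw = rd32(img + sec + 20);
        uint32_t span = vsize > rsize ? vsize : rsize;
        if (rva >= va && rva - va < span) {
            uint32_t off = rva - va;
            if (off >= rsize || (size_t)raw + off + 4 > len) return 0;
            *file_off = raw + off;
            return 1;
        }
    }
    return 0;
}

/* Compare the live table with the on-disk one (entries read at table_off,
   each shifted by the relocation delta). Indices of mismatches go to
   `hooked`; if `restore` is set the original value is written back.
   Returns the number of hooked entries found. */
uint32_t sst_check(uint32_t *live, const uint8_t *img, uint32_t table_off,
                   uint32_t count, uint32_t delta, uint32_t *hooked, int restore)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t original = rd32(img + table_off + 4 * i) + delta;
        if (live[i] == original) continue;
        hooked[n++] = i;
        if (restore) live[i] = original;   /* the "tiny cycle" from the article */
    }
    return n;
}

#define SAMPLE_LEN 0x3400
#define SST_RVA    0x3010u
#define SST_COUNT  4u
/* Constructed, minimal PE32 image (not a real kernel): MZ stub, PE header,
   .text and .data sections, and a 4-entry "service table" in .data. */
void build_sample_image(uint8_t *img)
{
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x84, 0x14c);                /* Machine: i386 */
    wr16(img + 0x86, 2);                    /* NumberOfSections */
    wr16(img + 0x94, 0xE0);                 /* SizeOfOptionalHeader */
    wr16(img + 0x98, 0x10b);                /* Magic: PE32 */
    wr32(img + 0x98 + 28, 0x00400000u);     /* ImageBase */
    uint8_t *s = img + 0x98 + 0xE0;         /* section table */
    memcpy(s, ".text", 5); wr32(s + 8, 0x2000); wr32(s + 12, 0x1000); wr32(s + 16, 0x2000); wr32(s + 20, 0x400);
    s += 40;
    memcpy(s, ".data", 5); wr32(s + 8, 0x1000); wr32(s + 12, 0x3000); wr32(s + 16, 0x1000); wr32(s + 20, 0x2400);
    for (uint32_t i = 0; i < SST_COUNT; i++)   /* RVA 0x3010 -> file offset 0x2410 */
        wr32(img + 0x2410 + 4 * i, 0x00401000u + 0x40u * i);
}

/* Worked run: the image is "loaded" at 0x80400000 and the second live
   entry has been redirected. Reports hook counts before and after the
   restore pass; returns 1 on success, 0 if the RVA lookup failed. */
int demo_unhook(uint32_t *before, uint32_t *after)
{
    static uint8_t img[SAMPLE_LEN];
    uint32_t off, base, hooked[SST_COUNT];
    build_sample_image(img);
    if (!rva_to_file_offset(img, SAMPLE_LEN, SST_RVA, &off, &base)) return 0;
    uint32_t delta = 0x80400000u - base;
    uint32_t live[SST_COUNT] = {0x80401000u, 0xDEADBEEFu, 0x80401080u, 0x804010C0u};
    *before = sst_check(live, img, off, SST_COUNT, delta, hooked, 1);
    *after  = sst_check(live, img, off, SST_COUNT, delta, hooked, 0);
    return 1;
}

int main(void)
{
    uint32_t before, after;
    if (!demo_unhook(&before, &after)) return 1;
    printf("hooked entries before restore: %u, after: %u\n", before, after);
    return 0;
}
```

In the real driver the `img` buffer is the file view obtained through the Mm mapping described earlier, `live` is the table the kernel actually dispatches through, and the load base comes from the module list; the translation and comparison logic is the same. The two checks that matter for correctness are the relocation delta (without it every entry looks hooked) and the zero-filled section tail, which has no bytes on disk even though it is valid in memory.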
For testing purposes I developed a simple console utility named unhooker.exe. It can be started without parameters; in this case it prints a summary of what it can do:
- the "stat" command shows statistics about SST hooking;
- the "unhook" command cleans the SST.
The following session shows how to use the utility to detect and erase hooks:
6. How to build
The build steps are the same as in the "Hide Driver" article. They are:
- Install the Windows Driver Developer Kit 2003 - http://www.microsoft.com/whdc/devtools/ddk/default.mspx
- Set the global environment variable "BASEDIR" to the path of the installed DDK. Go to: Computer -> Properties -> Advanced -> Environment variables -> System Variables -> New
  and set it like this: BASEDIR -> c:\winddk\3790
  (You have to restart your computer after this.)
If you use Visual Studio 2003, you can simply open UnhookerMain.sln and build all.
release.zip (58 KB)
src.zip (37 KB)