Introduction

The cybercrime underworld hasn’t given me any exciting malware to reverse and I’m running out of ideas for new posts, so I’m going to do a 2 part article about the techniques used by rootkits to intercept function calls, and how to detect them. The first part will explain some hooking methods, the second part will explain how to detect them. As I haven’t done any kernel mode stuff on this blog, I will be looking at both user mode and kernel mode hooks on an x86 Windows system.

Execution Flow

In order to get a better understanding of the attack surface, I’ve made a simplified flow chart of a call to the WriteFile function in kernel32.dll. This is just an example to highlight the key points: I chose WriteFile because it makes for a clean example and because disk I/O is commonly intercepted by malware, but most of what is on the chart applies to many other functions as well.

If you haven’t realized you can click the image to make it bigger, this article probably isn’t for you.

(1)

WriteFile is just a thin wrapper: it does some argument handling and then calls NtWriteFile in ntdll.dll.

Can be hooked with inline, IAT or EAT hooks.

Hooking this function intercepts every call to WriteFile in whichever process the hook is placed in. User mode hooks are per-process, so a rootkit that wants to see every process’s writes has to place the hook in each process separately.

All paths used inside kernel32 are generally DOS paths (C:\file.txt). (2)
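As an added illustration of the IAT hook mentioned above (this is example code written for this page, not the author’s, and it models the mechanism in portable C rather than calling the Windows API): the IAT is just an array of function pointers that the loader fills in, so an IAT hook is a pointer swap plus a saved original to forward to. The names used here (real_write_file, hooked_write_file, iat_hook, the g_iat table) are this example’s own and the table contents are constructed. It also shows the blind spot a practitioner cares about: a call that does not go through the table (a direct call, or one made through an address cached from GetProcAddress) is never seen by the hook, which is why an IAT hook alone does not give complete coverage.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Generic function pointer: the type of a raw IAT slot. */
typedef void (*fnptr)(void);
/* Signature of the import being modelled (WriteFile-like). */
typedef long (*write_fn)(int handle, const char *buf, unsigned long len);

/* Stand-in for kernel32!WriteFile: the code an unhooked import slot points at. */
static unsigned long g_bytes_reaching_real;
static long real_write_file(int handle, const char *buf, unsigned long len) {
    (void)handle; (void)buf;
    g_bytes_reaching_real += len;
    return 1;                        /* TRUE, like WriteFile on success */
}

/* One IAT entry: the name the loader resolved (IMAGE_IMPORT_BY_NAME) and the
 * pointer it wrote back. Compiled code only ever goes through the pointer. */
struct import_slot {
    const char *name;
    fnptr target;
};

/* The importing module's IAT as the loader leaves it (constructed for this example). */
static struct import_slot g_iat[] = {
    { "WriteFile", (fnptr)real_write_file },
    { "ReadFile",  NULL },           /* unresolved, so it cannot be hooked here */
};
#define IAT_COUNT (sizeof g_iat / sizeof g_iat[0])

/* How code in the hooked process reaches WriteFile: an indirect call through the slot. */
static long call_write_file_via_iat(int h, const char *buf, unsigned long len) {
    return ((write_fn)g_iat[0].target)(h, buf, len);
}

/* Hook bookkeeping. */
static fnptr g_orig_write_file;      /* saved so the hook can forward to the real function */
static unsigned long g_hook_hits;    /* calls that went through the hook */
static unsigned long g_hook_blocked; /* calls the hook refused to forward */

static bool contains(const char *buf, unsigned long len, const char *needle) {
    size_t n = strlen(needle);
    for (unsigned long i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return true;
    return false;
}

/* The rootkit's replacement: inspect the buffer, drop writes it wants hidden,
 * forward everything else to the original so the caller notices nothing. */
static long hooked_write_file(int h, const char *buf, unsigned long len) {
    g_hook_hits++;
    if (contains(buf, len, "SECRET")) {
        g_hook_blocked++;
        return 0;                    /* FALSE: pretend the write failed */
    }
    return ((write_fn)g_orig_write_file)(h, buf, len);
}

/* Install the hook: locate the slot by import name, save the original pointer,
 * overwrite it. On Windows the same three steps apply to the real IAT, after a
 * VirtualProtect() call because the loader leaves the table read-only. */
static bool iat_hook(const char *name, fnptr hook, fnptr *saved) {
    for (size_t i = 0; i < IAT_COUNT; i++) {
        if (strcmp(g_iat[i].name, name) == 0 && g_iat[i].target != NULL) {
            *saved = g_iat[i].target;
            g_iat[i].target = hook;
            return true;
        }
    }
    return false;
}

/* Restore the saved pointer. Returns false if the slot does not currently hold the hook. */
static bool iat_unhook(const char *name, fnptr hook, fnptr original) {
    for (size_t i = 0; i < IAT_COUNT; i++) {
        if (strcmp(g_iat[i].name, name) == 0 && g_iat[i].target == hook) {
            g_iat[i].target = original;
            return true;
        }
    }
    return false;
}

int main(void) {
    iat_hook("WriteFile", (fnptr)hooked_write_file, &g_orig_write_file);
    call_write_file_via_iat(1, "hello", 5);          /* seen by the hook, forwarded */
    call_write_file_via_iat(1, "a SECRET here", 13); /* seen by the hook, dropped */
    real_write_file(1, "SECRET", 6);                 /* bypasses the IAT: not seen */
    printf("hook hits=%lu blocked=%lu, bytes reaching real function=%lu\n",
           g_hook_hits, g_hook_blocked, g_bytes_reaching_real);
    iat_unhook("WriteFile", (fnptr)hooked_write_file, g_orig_write_file);
    return 0;
}
```

On a real Windows process the slot lookup walks the IMAGE_IMPORT_DESCRIPTOR and thunk arrays from the PE headers instead of a hand-built table, and the page holding the IAT must be made writable first, but the hook itself is the same pointer swap shown here.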