Unknown SSDT Entries

Discussion in 'malware problems & news' started by Adric, Jul 22, 2011.

Thread Status:
Not open for further replies.
  1. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,027
    I just ran a a rootkit scan and noticed that I have 18 <unknown> entries when I scan the SSDT table which doesn't seem right to me. When I scan the shadow SSDT table no unknowns show up. Is there any way to find out what is doing the hook and if it's ok or not?


    • ROOTREPEAL (c) AD, 2007-2009
      ==================================================
      Scan Start Time: 2011/07/22 16:04
      Program Version: Version 1.3.5.0
      Windows Version: Windows XP SP3
      ==================================================

      SSDT
      -------------------
      #: 041 Function Name: NtCreateKey
      Status: Hooked by "<unknown>" at address 0xba800008

      #: 063 Function Name: NtDeleteKey
      Status: Hooked by "<unknown>" at address 0xba800058

      #: 065 Function Name: NtDeleteValueKey
      Status: Hooked by "<unknown>" at address 0xba8000a8

      #: 068 Function Name: NtDuplicateObject
      Status: Hooked by "<unknown>" at address 0xba8002b0

      #: 071 Function Name: NtEnumerateKey
      Status: Hooked by "<unknown>" at address 0xba800120

      #: 073 Function Name: NtEnumerateValueKey
      Status: Hooked by "<unknown>" at address 0xba800148

      #: 098 Function Name: NtLoadKey
      Status: Hooked by "<unknown>" at address 0xba8001e8

      #: 119 Function Name: NtOpenKey
      Status: Hooked by "<unknown>" at address 0xba800030

      #: 122 Function Name: NtOpenProcess
      Status: Hooked by "<unknown>" at address 0xba800288

      #: 160 Function Name: NtQueryKey
      Status: Hooked by "<unknown>" at address 0xba800170

      #: 161 Function Name: NtQueryMultipleValueKey
      Status: Hooked by "<unknown>" at address 0xba8001c0

      #: 177 Function Name: NtQueryValueKey
      Status: Hooked by "<unknown>" at address 0xba800198

      #: 192 Function Name: NtRenameKey
      Status: Hooked by "<unknown>" at address 0xba8000f8

      #: 204 Function Name: NtRestoreKey
      Status: Hooked by "<unknown>" at address 0xba800260

      #: 207 Function Name: NtSaveKey
      Status: Hooked by "<unknown>" at address 0xba800238

      #: 226 Function Name: NtSetInformationKey
      Status: Hooked by "<unknown>" at address 0xba8000d0

      #: 247 Function Name: NtSetValueKey
      Status: Hooked by "<unknown>" at address 0xba800080

      #: 255 Function Name: NtSystemDebugControl
      Status: Hooked by "<unknown>" at address 0xba8002d8

    Thanks, Al
     
  2. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Possibly an A/V or another security software?
     
  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,027
    Up to now, I've been able to identify the security programs by the module names that do the hooking such as Prevx, etc. I have one other application that I recently installed (Returnil), but I disabled all of its' startup services, so it is not running. Maybe disabling the app and rebooting is not enough to get rid of the hooks. I need to uninstall Returnil and then do the check. I will post back.

    Al
     
  4. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,027
    Okay, these entries are caused by Returnil. What I don't understand is why
    the application is not easily identifiable as doing the hooks.

    Al
     
  5. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    It might be a matter of self protection? I know Avira shows up as the same way..
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.