Unknown SSDT Entries

Discussion in 'malware problems & news' started by Adric, Jul 22, 2011.

Thread Status:
Not open for further replies.
  1. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    I just ran a rootkit scan and noticed that I have 18 <unknown> entries when I scan the SSDT table which doesn't seem right to me. When I scan the shadow SSDT table no unknowns show up. Is there any way to find out what is doing the hook and if it's ok or not?


    • ROOTREPEAL (c) AD, 2007-2009
      ==================================================
      Scan Start Time: 2011/07/22 16:04
      Program Version: Version 1.3.5.0
      Windows Version: Windows XP SP3
      ==================================================

      SSDT
      -------------------
      #: 041 Function Name: NtCreateKey
      Status: Hooked by "<unknown>" at address 0xba800008

      #: 063 Function Name: NtDeleteKey
      Status: Hooked by "<unknown>" at address 0xba800058

      #: 065 Function Name: NtDeleteValueKey
      Status: Hooked by "<unknown>" at address 0xba8000a8

      #: 068 Function Name: NtDuplicateObject
      Status: Hooked by "<unknown>" at address 0xba8002b0

      #: 071 Function Name: NtEnumerateKey
      Status: Hooked by "<unknown>" at address 0xba800120

      #: 073 Function Name: NtEnumerateValueKey
      Status: Hooked by "<unknown>" at address 0xba800148

      #: 098 Function Name: NtLoadKey
      Status: Hooked by "<unknown>" at address 0xba8001e8

      #: 119 Function Name: NtOpenKey
      Status: Hooked by "<unknown>" at address 0xba800030

      #: 122 Function Name: NtOpenProcess
      Status: Hooked by "<unknown>" at address 0xba800288

      #: 160 Function Name: NtQueryKey
      Status: Hooked by "<unknown>" at address 0xba800170

      #: 161 Function Name: NtQueryMultipleValueKey
      Status: Hooked by "<unknown>" at address 0xba8001c0

      #: 177 Function Name: NtQueryValueKey
      Status: Hooked by "<unknown>" at address 0xba800198

      #: 192 Function Name: NtRenameKey
      Status: Hooked by "<unknown>" at address 0xba8000f8

      #: 204 Function Name: NtRestoreKey
      Status: Hooked by "<unknown>" at address 0xba800260

      #: 207 Function Name: NtSaveKey
      Status: Hooked by "<unknown>" at address 0xba800238

      #: 226 Function Name: NtSetInformationKey
      Status: Hooked by "<unknown>" at address 0xba8000d0

      #: 247 Function Name: NtSetValueKey
      Status: Hooked by "<unknown>" at address 0xba800080

      #: 255 Function Name: NtSystemDebugControl
      Status: Hooked by "<unknown>" at address 0xba8002d8

    Thanks, Al
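    Added example, not code from the thread or from RootRepeal: the check a scanner makes before printing a module name or <unknown> is whether the hook address falls inside the image range of any loaded kernel module. The helper below parses entries in the format quoted above and resolves each address against a module map; the module map is constructed for illustration, and example_av.sys is a hypothetical driver name.

```python
import re
from typing import Dict, List, Optional, Tuple

# Three of the SSDT entries quoted in the post above (RootRepeal output format).
ROOTREPEAL_LOG = """\
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba800008

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba800288

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "<unknown>" at address 0xba8002d8
"""

# Constructed module map: name -> (image base, image size). On a real system
# this comes from a loaded-driver listing; example_av.sys is hypothetical.
MODULES: Dict[str, Tuple[int, int]] = {
    "ntoskrnl.exe": (0x804D7000, 0x00215000),
    "example_av.sys": (0xBA900000, 0x00040000),
}

HOOK_RE = re.compile(
    r'#:\s*(\d+)\s+Function Name:\s*(\w+)\s+'
    r'Status:\s*Hooked by "([^"]*)" at address 0x([0-9a-fA-F]+)'
)

def parse_hooks(log: str) -> List[Tuple[int, str, str, int]]:
    """Return (index, function, reported owner, address) for each hooked entry."""
    return [(int(i), fn, owner, int(addr, 16))
            for i, fn, owner, addr in HOOK_RE.findall(log)]

def owner_of(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Name the module whose image range contains addr; None means no module
    claims it, which is exactly the case a scanner reports as <unknown>."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

def resolve(log: str, modules: Dict[str, Tuple[int, int]]) -> Dict[str, Optional[str]]:
    """Map each hooked function name to the module owning its hook address."""
    return {fn: owner_of(addr, modules) for _, fn, _, addr in parse_hooks(log)}

def hook_span(log: str) -> int:
    """Distance between the lowest and highest hook address. A span of a few
    hundred bytes means all hooks sit in one small block outside any image."""
    addrs = [a for *_, a in parse_hooks(log)]
    return max(addrs) - min(addrs)
```

Addresses that resolve to None while clustering in one small block, as the 18 entries above do (all within 0xba800008..0xba8002d8), point to a hook table living in memory the driver allocated at load time rather than inside its own image, which is why the scanner cannot attribute them by module name.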
     
  2. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Possibly an A/V or another security software?
     
  3. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    Up to now, I've been able to identify the security programs by the module names that do the hooking such as Prevx, etc. I have one other application that I recently installed (Returnil), but I disabled all of its startup services, so it is not running. Maybe disabling the app and rebooting is not enough to get rid of the hooks. I need to uninstall Returnil and then do the check. I will post back.

    Al
     
  4. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    795
    Okay, these entries are caused by Returnil. What I don't understand is why the application is not easily identifiable as doing the hooks.

    Al
     
  5. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    It might be a matter of self-protection? I know Avira shows up the same way..
     