Unknown IDT hooks

Discussion on reverse-engineering and debugging.
r3shl4k1sh
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Unknown IDT hooks

Post by r3shl4k1sh » Sun Aug 25, 2013 9:18 am

After checking around five computers (Windows 7 x86 (SP0)), I saw that almost all of them had IDT hooks. I assume that these hooks are part of the OS or of AV software (McAfee) that was installed on the computers in question.

However, I am unable to determine the module that makes those hooks (all of the hooks are KiUnexpectedInterrupt):

[Screenshot of the hook listing, hosted on ImageShack]

I used various tools (Volatility, AntiSpy ...) in order to try to detect the root cause of these hooks.
Any explanation on whether these hooks are normal or something suspicious would be helpful.

Thanks.

TETYYSs
Posts: 98
Joined: Fri Jun 28, 2013 6:51 pm

Re: Unknown IDT hooks

Post by TETYYSs » Sun Aug 25, 2013 12:18 pm

I saw this on 4 computers; it's just the tool that says so.

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Unknown IDT hooks

Post by EP_X0FF » Wed Aug 28, 2013 3:34 pm

It depends on how this tool interprets the IDT in view of the term "hooking". This can be a mismatch between the IDT table it found in the binary and the IDT it read from memory.
Ring0 - the source of inspiration
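As an added illustration of the point above (this is example code, not code from the thread or from any of the tools named in it): a small Python decoder for a 32-bit x86 IDT that compares an IDT read from memory against a baseline IDT and reports, separately, every entry whose handler differs ("naive", which is what a tool that only diffs the two tables would show) and only those entries whose handler falls outside the kernel image ("refined"). The IDT bytes, the module ranges (ntoskrnl.exe at 0x82800000, a hypothetical example.sys) and the handler layout are constructed for the example and are not real addresses.

```python
"""Decode a 32-bit x86 IDT and separate "entry differs from baseline" from
"entry points outside the kernel image".  Added example: all addresses and
module ranges below are constructed, not read from a real system."""
import struct
from typing import List, Optional, Tuple

GATE_SIZE = 8        # one 32-bit gate descriptor is 8 bytes
IDT_VECTORS = 256
KERNEL = "ntoskrnl.exe"

# (name, base, size): constructed load ranges; example.sys is hypothetical
MODULES: List[Tuple[str, int, int]] = [
    (KERNEL, 0x82800000, 0x3E0000),
    ("example.sys", 0x8F000000, 0x20000),
]

def decode_gate(raw: bytes) -> dict:
    """Decode one 32-bit gate: offset low, selector, reserved, attr, offset high."""
    off_lo, selector, _reserved, attr, off_hi = struct.unpack("<HHBBH", raw)
    return {
        "handler": (off_hi << 16) | off_lo,
        "selector": selector,
        "present": bool(attr & 0x80),
        "dpl": (attr >> 5) & 0x3,
        "type": attr & 0x0F,   # 0xE interrupt gate, 0xF trap gate, 0x5 task gate
    }

def encode_gate(handler: int, selector: int = 0x08, attr: int = 0x8E) -> bytes:
    """Build a present, DPL0, 32-bit interrupt gate (used only to construct samples)."""
    return struct.pack("<HHBBH", handler & 0xFFFF, selector, 0, attr,
                       (handler >> 16) & 0xFFFF)

def parse_idt(blob: bytes) -> List[dict]:
    if len(blob) % GATE_SIZE:
        raise ValueError("IDT image is not a whole number of gates")
    return [decode_gate(blob[i:i + GATE_SIZE]) for i in range(0, len(blob), GATE_SIZE)]

def owning_module(addr: int, modules=MODULES) -> Optional[str]:
    """Return the module whose load range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def find_hooks(memory_idt: bytes, baseline_idt: bytes, modules=MODULES):
    """Return (naive, refined): naive = every present, non-task gate whose
    handler differs from the baseline; refined = the subset whose handler
    does not lie inside the kernel image."""
    naive, refined = [], []
    for vec, (mem, base) in enumerate(zip(parse_idt(memory_idt), parse_idt(baseline_idt))):
        if not mem["present"] or mem["type"] == 0x5:   # task gate: offset unused
            continue
        if mem["handler"] == base["handler"]:
            continue
        owner = owning_module(mem["handler"], modules)
        naive.append((vec, mem["handler"], owner))
        if owner != KERNEL:
            refined.append((vec, mem["handler"], owner))
    return naive, refined

def build_sample() -> Tuple[bytes, bytes]:
    """Constructed memory/baseline IDT pair.  Vectors below 0x30 get individual
    handlers; the rest point into a contiguous block of 8-byte stubs, a simple
    model of a table of unexpected-interrupt stubs inside the kernel."""
    kbase = MODULES[0][1]
    baseline = bytearray()
    for vec in range(IDT_VECTORS):
        if vec < 0x30:
            handler = kbase + 0x1000 + vec * 0x40
        else:
            handler = kbase + 0x100000 + (vec - 0x30) * 8
        baseline += encode_gate(handler)
    memory = bytearray(baseline)
    # vector 0x2E: handler differs from baseline but stays inside the kernel image
    memory[0x2E * GATE_SIZE:0x2F * GATE_SIZE] = encode_gate(kbase + 0x2000)
    # vector 0x80: handler redirected into the third-party driver
    memory[0x80 * GATE_SIZE:0x81 * GATE_SIZE] = encode_gate(0x8F001234)
    return bytes(memory), bytes(baseline)

if __name__ == "__main__":
    mem, base = build_sample()
    naive, refined = find_hooks(mem, base)
    print("differs from baseline:", [(hex(v), hex(h), m) for v, h, m in naive])
    print("outside kernel image: ", [(hex(v), hex(h), m) for v, h, m in refined])
```

The two lists make the distinction concrete: a tool that reports every vector whose in-memory handler differs from the table it reconstructed from the binary will list entries that still resolve to a kernel symbol (here 0x2E, and in the first post the vectors resolving to KiUnexpectedInterrupt), whereas the check a practitioner usually wants is whether the handler lands outside ntoskrnl.exe, which here flags only vector 0x80. Feeding real data into `find_hooks` means reading the IDT base and limit from `sidt` output or a memory image and the module ranges from the loaded-module list; the example supplies both from `build_sample()` so it runs offline.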
