Unknown IDT hooks

Discussion on reverse-engineering and debugging.
Posts: 119
Joined: Tue Feb 05, 2013 10:26 pm
Location: Israel

Sun Aug 25, 2013 9:18 am

After checking around five computers (Windows 7 x86 (SP0)) I saw that almost all of them had IDT hooks; I assume that these hooks are part of the OS or an AV software (McAfee) that was installed on the computers in question.

However I am unable to determine the module that makes those hooks (all of the hooks are KiUnexpectedInterrupt):



I used various tools (Volatility, AntiSpy ...) in order to try to detect the root cause of these hooks.
Any explanation on whether these hooks are normal or something suspicious would be helpful.

Posts: 98
Joined: Fri Jun 28, 2013 6:51 pm

Sun Aug 25, 2013 12:18 pm

I saw this on 4 computers; it's just the tool that says so.
Global Moderator
Posts: 4905
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Wed Aug 28, 2013 3:34 pm

Depends on how this tool interprets the IDT in view of the term "hooking". This can be a mismatch between the IDT table it found in the binary and the IDT it read from memory.
Ring0 - the source of inspiration
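The thread turns on what an "IDT hook" report actually means: on x86 Windows every vector with no registered handler points at one of the KiUnexpectedInterrupt stubs inside ntoskrnl, so a tool that only compares the in-memory IDT against its expectation will flag those entries even though no third-party module owns them. The script below is an added example written for this thread, not code from any of the posters or from the tools they mention. It decodes 32-bit IDT gate descriptors from a raw byte image of the table and classifies each vector by where its handler address falls: inside the KiUnexpectedInterrupt stub range (unassigned, benign), inside a known loaded module, or outside every loaded module (the only case worth investigating). All addresses, module ranges and the sample IDT are constructed for the example; a real check would read the IDT base from IDTR and the module list from a debugger or memory image, which is not shown here.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# 32-bit IDT gate descriptor layout (Intel SDM vol. 3, "IDT Gate Descriptors"):
#   bytes 0-1  handler offset bits 0..15
#   bytes 2-3  code segment selector
#   byte  4    reserved (zero on 32-bit gates)
#   byte  5    P (bit 7) | DPL (bits 5-6) | 0 (bit 4) | gate type (bits 0-3)
#   bytes 6-7  handler offset bits 16..31
GATE_FMT = "<HHBBH"
GATE_SIZE = struct.calcsize(GATE_FMT)  # 8 bytes per vector
GATE_TASK, GATE_INTR32, GATE_TRAP32 = 0x5, 0xE, 0xF


@dataclass(frozen=True)
class Gate:
    vector: int
    handler: int
    selector: int
    gate_type: int
    dpl: int
    present: bool


@dataclass(frozen=True)
class Region:
    """An address range with a name, e.g. a loaded kernel module (constructed values below)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def pack_gate(handler: int, selector: int = 0x08, gate_type: int = GATE_INTR32,
              dpl: int = 0, present: bool = True) -> bytes:
    """Encode one 8-byte gate descriptor (used here only to build the sample IDT)."""
    attr = (int(present) << 7) | ((dpl & 3) << 5) | (gate_type & 0xF)
    return struct.pack(GATE_FMT, handler & 0xFFFF, selector, 0, attr, (handler >> 16) & 0xFFFF)


def parse_idt(raw: bytes) -> List[Gate]:
    """Decode a raw IDT image into Gate records, one per vector."""
    if len(raw) % GATE_SIZE:
        raise ValueError("IDT image length is not a multiple of 8 bytes")
    gates = []
    for vector in range(len(raw) // GATE_SIZE):
        lo, sel, _, attr, hi = struct.unpack_from(GATE_FMT, raw, vector * GATE_SIZE)
        gates.append(Gate(vector, (hi << 16) | lo, sel, attr & 0xF, (attr >> 5) & 3, bool(attr & 0x80)))
    return gates


def classify(gates: List[Gate], modules: List[Region], unexpected_stubs: Region) -> Dict[int, str]:
    """Label every vector by the owner of its handler address."""
    verdicts: Dict[int, str] = {}
    for g in gates:
        if not g.present:
            verdicts[g.vector] = "not-present"
        elif g.gate_type == GATE_TASK:
            verdicts[g.vector] = "task-gate"    # selector names a TSS; there is no handler address
        elif unexpected_stubs.contains(g.handler):
            verdicts[g.vector] = "unassigned"   # KiUnexpectedInterrupt stub: nobody registered this vector
        else:
            owner = next((m.name for m in modules if m.contains(g.handler)), None)
            verdicts[g.vector] = f"module:{owner}" if owner else "suspicious"
    return verdicts


def summarize(verdicts: Dict[int, str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for label in verdicts.values():
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed module layout; real bases come from the loaded-module list of the machine under test.
NTOSKRNL = Region("ntoskrnl.exe", 0x82800000, 0x400000)
NDIS = Region("ndis.sys", 0x8A200000, 0x20000)
# Constructed: the block of 256 KiUnexpectedInterrupt stubs lives inside ntoskrnl.
KI_UNEXPECTED = Region("KiUnexpectedInterrupt stubs", 0x82890000, 256 * 8)


def build_sample_idt() -> bytes:
    """Constructed 256-entry IDT: mostly unassigned vectors plus a few owned and one hooked."""
    entries = [pack_gate(KI_UNEXPECTED.base + v * 8) for v in range(256)]
    entries[0x08] = pack_gate(0, selector=0x28, gate_type=GATE_TASK)   # double fault via TSS
    entries[0x0E] = pack_gate(NTOSKRNL.base + 0x1234)                   # page fault, kernel-owned
    entries[0x2E] = pack_gate(NTOSKRNL.base + 0x5678, gate_type=GATE_TRAP32, dpl=3)  # syscall gate
    entries[0x51] = pack_gate(NDIS.base + 0x100)                        # device IRQ owned by a driver
    entries[0x52] = pack_gate(0x9A100000)                               # handler outside every module
    return b"".join(entries)


def audit_sample() -> Dict[int, str]:
    return classify(parse_idt(build_sample_idt()), [NTOSKRNL, NDIS], KI_UNEXPECTED)


if __name__ == "__main__":
    result = audit_sample()
    print(summarize(result))
    for vec, label in sorted(result.items()):
        if label == "suspicious":
            print(f"vector 0x{vec:02X}: handler outside all loaded modules")
```

The point of the stub range check is the one the moderator raises: a tool that treats "handler differs from the on-disk image" as a hook will report every unassigned vector, while a check that first asks whether the handler belongs to a known module (or to the KiUnexpectedInterrupt block) leaves only the entries that actually deserve a second look.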