SSDT Hook/Rootkit Detector: Version 1

This is a small application which can detect SSDT hooks. Although functional, I have written a newer version which is also posted on this blog.


I wrote a quick unhook function but its erratic at best and keeps BSOD’ing me… So I’ll update this once I’ve got that working flawlessly.

If it DOES pick something up, make a note of what it is because it may be perfectly legit. For instance various AV’s hook NtOpenProcess to protect its main process. However, if it pics something like NtQueryDirectoryFile chances are you’ve got a rootkit. However, if it doenst pick anything up… thats a good thing.

In the pic I hooked several items, for demonstration purposes.

Driver: 90% inline assembly, 10% C.
GUI: 100% C++.

If you want, you can download it here.

Note: I’m 99.99% sure it wont work on Vista – so its confined to all versions of Windows XP.

[ Blog Post ] Rootkit Detector Version 2


~ by Rhys Mossom on October 16, 2007.

5 Responses to “SSDT Hook/Rootkit Detector: Version 1”

  1. […] around and wrote a peice of code to detect hidden processes…  so I decided to add it to another program I wrote a few months ago, and create a full-fledged […]

  2. Where i could download the source for hidden processes part? 🙂


  3. This program contains a rootkit c:\ssdtenum\libchk_wxp_x86\i386\detect.pdb

  4. Fuckyou (oh how original!): Yes in a sense it does contain a rootkit, however it is benign and is there to do a job. It installs a kernel mode driver (the so called “rootkit”) to detect MALICIOUS ROOTKITS. A rootkit is simply a peice of code which runs as “root”. Now, perhaps next time you should check your facts before you show yourself to be an ignorant idiot.

  5. Anyway, I’m not sure why youre downloading this one.
    Try the

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: