SSDT Hook/Rootkit Detector: Version 1
This is a small application which can detect SSDT hooks. Although functional, I have written a newer version which is also posted on this blog.
I wrote a quick unhook function but it's erratic at best and keeps BSOD'ing me… So I'll update this once I've got that working flawlessly.
If it DOES pick something up, make a note of what it is, because it may be perfectly legit. For instance, various AVs hook NtOpenProcess to protect their main process. If it picks up something like NtQueryDirectoryFile, though, chances are you've got a rootkit. And if it doesn't pick anything up… that's a good thing.
In the pic I hooked several items, for demonstration purposes.
Driver: 90% inline assembly, 10% C.
GUI: 100% C++.
If you want, you can download it here.
Note: I'm 99.99% sure it won't work on Vista – so it's confined to all versions of Windows XP.
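As an added illustration (not the driver code from this post, which does its work in kernel mode), here is a user-mode C model of the check such a detector performs: each SSDT slot is compared against the address range of the ntoskrnl image, and any slot pointing elsewhere is reported by name so you can judge whether a legitimate AV driver owns it. The kernel base, image size, service names and slot values are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* User-mode model of the range check an SSDT-hook detector does in its
 * driver: on x86 XP every KeServiceDescriptorTable.ServiceTableBase[i]
 * should point inside ntoskrnl's image; a slot pointing elsewhere has been
 * redirected. All addresses and the index->name map are constructed. */

typedef struct {
    const char *name;    /* Nt* service name for this SSDT index */
    uintptr_t   address; /* value currently stored in the SSDT slot */
} ssdt_entry;

/* 1 if the slot points outside [kernel_base, kernel_base + kernel_size). */
int is_hooked(uintptr_t addr, uintptr_t kernel_base, size_t kernel_size) {
    return !(addr >= kernel_base && addr < kernel_base + kernel_size);
}

/* Scan a table; stores up to out_cap hooked indices in out and returns the
 * total number of hooked slots (out may be NULL when out_cap is 0). */
size_t scan_ssdt(const ssdt_entry *table, size_t n, uintptr_t kernel_base,
                 size_t kernel_size, size_t *out, size_t out_cap) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_hooked(table[i].address, kernel_base, kernel_size)) {
            if (found < out_cap) out[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed sample: kernel mapped at 0x804D7000 with a 2 MB image. */
#define SAMPLE_KERNEL_BASE 0x804D7000u
#define SAMPLE_KERNEL_SIZE 0x00200000u
static const ssdt_entry sample_table[] = {
    { "NtClose",              0x805B5C8Eu },  /* inside ntoskrnl: clean */
    { "NtOpenProcess",        0xF8A1C2F0u },  /* points into a driver: hooked */
    { "NtQueryDirectoryFile", 0xF8A1C4A0u },  /* hooked; classic file-hiding slot */
    { "NtCreateFile",         0x8056D7A0u },  /* clean */
};
#define SAMPLE_COUNT (sizeof sample_table / sizeof sample_table[0])

/* Name of the k-th hooked slot in the sample table, or NULL if none. */
const char *sample_hooked_name(size_t k) {
    size_t idx[SAMPLE_COUNT];
    size_t n = scan_ssdt(sample_table, SAMPLE_COUNT, SAMPLE_KERNEL_BASE,
                         SAMPLE_KERNEL_SIZE, idx, SAMPLE_COUNT);
    return k < n ? sample_table[idx[k]].name : NULL;
}
```

A real driver would read the base and size of ntoskrnl from the loaded-module list rather than hard-coding them, and a hooked NtOpenProcess still warrants the "check who owns it" step from the note above before calling it a rootkit.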