If you’ve ever wondered if your computer has a rootkit installed or if programs are doing things they shouldn’t, the RootKit Hook Analyzer might come in handy.
According to their website:
RootKit Hook Analyzer is a security tool which will check if there are any rootkits installed on your computer which hook the kernel system services. Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system rely on.
Rootkits often hook kernel services, which lets them do stealthy things like hide files and processes, passively log keystrokes, and examine network traffic. They typically do this by changing pointers in the system call lookup table so that foreign code is executed when a system call is requested. However, not all hooks are bad: most software firewalls and antivirus products also use system call hooks to perform sensitive low-level tasks.
The Hook Analyzer simply examines the system call lookup table to find system call module addresses pointing outside of the kernel memory area. This indicates that a service has been hooked. It also gives users some details about what foreign module/device driver is responsible for handling the system call. Used properly, this can help identify malicious rootkits.
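As an added illustration of the check described above (this is example code written for this post, not code from RootKit Hook Analyzer or its authors), the script below models the core logic: given the list of loaded kernel modules and a copy of the system service table, it flags every entry whose handler address falls outside the kernel image and looks up which loaded module, if any, owns that address. All module names, base addresses and sizes are constructed sample values chosen for the demonstration, not real Windows addresses.

```python
"""
Added example: a simplified model of a kernel service-table hook check.

It flags table entries whose handler address is outside the kernel image
and attributes each flagged entry to the loaded module that contains it.
All module names, addresses and sizes below are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        """True if addr lies inside this module's loaded image."""
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Finding:
    index: int            # position in the service table
    address: int          # handler address stored in the table
    owner: Optional[str]  # module owning the address, None if no module matches
    hooked: bool          # True when the address is outside the kernel image


def find_owner(modules: List[Module], addr: int) -> Optional[Module]:
    """Return the loaded module whose address range contains addr, if any."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def analyze_table(table: List[int], modules: List[Module],
                  kernel_name: str) -> List[Finding]:
    """Classify each service-table entry as in-kernel or hooked.

    An entry is 'hooked' when its handler address is not inside the kernel
    image named by kernel_name. For hooked entries the owning module is
    looked up so the report can say which foreign module handles the call.
    """
    kernel = next(m for m in modules if m.name == kernel_name)
    findings: List[Finding] = []
    for i, addr in enumerate(table):
        if kernel.contains(addr):
            findings.append(Finding(i, addr, kernel.name, False))
        else:
            owner = find_owner(modules, addr)
            findings.append(Finding(i, addr, owner.name if owner else None, True))
    return findings


def hooked_entries(findings: List[Finding]) -> List[Finding]:
    """Only the entries whose handler lies outside the kernel image."""
    return [f for f in findings if f.hooked]


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, one per table entry."""
    lines = []
    for f in findings:
        status = "HOOKED" if f.hooked else "ok"
        owner = f.owner if f.owner else "<no loaded module>"
        lines.append(f"service {f.index:3d}: 0x{f.address:08X} {status:6s} {owner}")
    return lines


# Constructed sample data (not real addresses or driver names)
SAMPLE_MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x00200000),  # the kernel image
    Module("firewall.sys", 0xF8A00000, 0x00010000),  # a legitimate filter driver
    Module("unknown.sys", 0xF9000000, 0x00004000),   # an unrecognised driver
]

SAMPLE_TABLE = [
    0x80401000,  # inside the kernel image
    0x80402000,  # inside the kernel image
    0xF8A01234,  # redirected into firewall.sys
    0x80403000,  # inside the kernel image
    0xF9000100,  # redirected into unknown.sys
    0xFA000000,  # points into no loaded module at all
]

if __name__ == "__main__":
    for line in report(analyze_table(SAMPLE_TABLE, SAMPLE_MODULES, "ntoskrnl.exe")):
        print(line)
```

Running the script against the constructed data reports three hooked entries: one resolved to the firewall driver (the legitimate kind of hook the post mentions), one resolved to an unrecognised driver, and one whose address belongs to no loaded module at all. That last case is the one to follow up first, since the attribution step has nothing to attribute it to and the tool's output alone cannot say what code runs there.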
Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!