But it was very interesting to see some of the anti-rootkit tools not
showing the dispatch table hooks that are usually pretty straightforward to
identify. Also this malware would not allow an external debugger (WinDbg)
to break, which was annoying.

The reason for hooks not being reported was that the memory being read by
the tools was not the actual memory! The dispatch table as "seen" by the
tools appeared not to be hooked—whereas in reality it was hooked. The part
that made it interesting was that the memory was being read at the correct
address with a mov instruction and not using some system API that could be
hooked. We know of some proof-of-concept ways to achieve this, but I had
not seen this behavior before from a threat in the wild.
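A defender-side illustration of why a single read of the table is not enough, added here as a user-mode simulation and not code from the original post: the "direct" read stands in for the forged view a tool gets from a plain load, the "alternate" read for the same bytes fetched through an independent path (for example a second mapping of the physical page), and both the module address range and the table values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a 4-entry "dispatch table" modelled in user mode.
 * Addresses are made up and stand in for kernel service routine pointers. */
#define TABLE_LEN 4
#define MODULE_LO 0x80400000u   /* assumed range of the legitimate kernel image */
#define MODULE_HI 0x80800000u

/* The real table in memory: entry 2 has been redirected outside the module. */
static uint32_t real_table[TABLE_LEN] = {
    0x80412340u, 0x80412890u, 0xF9A01000u /* hooked */, 0x80413110u };

/* The clean copy served to anyone reading the table with a plain load. */
static uint32_t forged_view[TABLE_LEN] = {
    0x80412340u, 0x80412890u, 0x80412F00u, 0x80413110u };

/* View 1: what a tool sees when it dereferences the table address directly
 * (the read path the post describes as being forged). */
static void read_direct(uint32_t *out) { memcpy(out, forged_view, sizeof forged_view); }

/* View 2: the same bytes obtained through an independent path, assumed here
 * to be unforged (e.g. a second mapping of the physical page). */
static void read_alternate(uint32_t *out) { memcpy(out, real_table, sizeof real_table); }

/* Single-view check used by many anti-rootkit tools: count entries that
 * point outside the module's address range. */
int count_out_of_range(const uint32_t *t) {
    int n = 0;
    for (int i = 0; i < TABLE_LEN; i++)
        if (t[i] < MODULE_LO || t[i] >= MODULE_HI) n++;
    return n;
}

/* Cross-view check: any index where the two readings disagree is suspicious,
 * whether or not either value looks "clean". Returns the number of mismatches. */
int cross_view_mismatches(void) {
    uint32_t a[TABLE_LEN], b[TABLE_LEN];
    int n = 0;
    read_direct(a);
    read_alternate(b);
    for (int i = 0; i < TABLE_LEN; i++)
        if (a[i] != b[i]) { printf("entry %d: direct=%08x alternate=%08x\n", i, a[i], b[i]); n++; }
    return n;
}

int main(void) {
    uint32_t v[TABLE_LEN];
    read_direct(v);
    printf("single-view out-of-range entries: %d\n", count_out_of_range(v)); /* 0 */
    printf("cross-view mismatches: %d\n", cross_view_mismatches());          /* 1 */
    return 0;
}
```

The single-view check passes the forged table, while the cross-view comparison flags the one entry whose two readings disagree.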
on a memory forging rootkit