SSDT View (64-bit): a basic but very easy way to look for stealthy malware

Security vendor NoVirusThanks has released SSDT View, a 64-bit (only) tool which can show you the contents of your System Service Descriptor Table, perhaps highlighting changes made by rootkits and other stealthy malware.

There are of course plenty of antirootkit tools around which can do something similar, and a whole lot more, but these are generally aimed at Windows experts. SSDT View is safer, and far simpler, which makes the program accessible to a far wider audience.

What’s the SSDT? Whenever Windows or one of your applications wants to carry out some action – check the Registry, read or write a file, launch or close a process, and so on – this will usually result in Windows calling a service in the System Service Descriptor Table. Writing to a file will call the NtWriteFile service to do the actual work, for instance; on our test PC that entry points to memory address 0xFFFF:F800:0356:B210, which is within the module C:\Windows\system32\ntoskrnl.exe – the Windows kernel.

Malware will sometimes try to tamper with the SSDT, though, replacing the memory addresses with pointers to its own modules. If it successfully hooks the NtTerminateProcess function, say, the malware could intercept and block attempts to close it down, and with similar hooks elsewhere it really can obtain a great deal of low-level control over your PC.

To check your system with SSDT View, then, just install and launch the program, and you’ll immediately see a list of your SSDT services, the relevant memory address for each one, and the module responsible for handling that call.

If your “Module” references are all pointing at the Windows kernel (ntoskrnl.exe, probably) then everything appears to be normal.

When one or more SSDT memory addresses are pointing elsewhere, though, this may be a sign of trouble. If you don’t recognise the module name as a legitimate program or driver you’ve installed then you may want to Google it for more information. (Just don’t start deleting files named here unless you’re 100% sure what you’re doing, otherwise you could cripple your PC.)
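The check described above, as an added example in Python (not the SSDT View tool’s own code): each SSDT entry’s target address is resolved to the loaded kernel module whose address range contains it, and anything not served by ntoskrnl.exe is flagged for a closer look. The module list, the driver name suspicious.sys and every address except the quoted NtWriteFile one are constructed sample values.

```python
# Added example, not the SSDT View tool's code. Resolves SSDT targets to
# loaded kernel modules and flags entries that do not land in ntoskrnl.exe,
# which is the heuristic the article describes. All modules and addresses
# below are constructed sample data, except the NtWriteFile address, which is
# the one quoted in the article (0xFFFF:F800:0356:B210).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    name: str   # image file name, e.g. "ntoskrnl.exe"
    base: int   # load address of the image
    size: int   # image size in bytes


# Constructed loaded-module list; on a real system this comes from the kernel.
MODULES: List[Module] = [
    Module("ntoskrnl.exe",   0xFFFFF80003000000, 0x5E0000),
    Module("hal.dll",        0xFFFFF800035E0000, 0x49000),
    Module("suspicious.sys", 0xFFFFF88004A00000, 0x20000),  # hypothetical driver
]

# Constructed SSDT snapshot: service name -> address the entry points to.
SSDT: Dict[str, int] = {
    "NtWriteFile":          0xFFFFF8000356B210,  # from the article
    "NtCreateFile":         0xFFFFF8000356A9E0,  # constructed, inside the kernel
    "NtTerminateProcess":   0xFFFFF88004A01230,  # constructed, redirected to a driver
    "NtQueryDirectoryFile": 0xFFFFFA8012345678,  # constructed, in no known module
}


def resolve_module(addr: int, modules: List[Module] = MODULES) -> Optional[Module]:
    """Return the module whose [base, base + size) range contains addr, or None."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def audit_ssdt(ssdt: Dict[str, int], modules: List[Module] = MODULES,
               kernel: str = "ntoskrnl.exe") -> Dict[str, object]:
    """Map each service to its owning module and list the ones worth investigating."""
    entries: Dict[str, str] = {}
    suspicious: List[str] = []
    for svc, addr in ssdt.items():
        mod = resolve_module(addr, modules)
        name = mod.name if mod else "<unknown>"
        entries[svc] = name
        if name.lower() != kernel:      # served by anything but the kernel image
            suspicious.append(svc)
    return {"entries": entries, "suspicious": suspicious}


if __name__ == "__main__":
    report = audit_ssdt(SSDT)
    for svc, mod in report["entries"].items():
        flag = "  <-- check this" if svc in report["suspicious"] else ""
        print(f"{svc:<22} 0x{SSDT[svc]:016X}  {mod}{flag}")
```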

This article originally appeared at softwarecrew.co.uk

Source: Copyright Software Crew
