A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #20593  by r3shl4k1sh
 Sun Aug 25, 2013 9:18 am
After checking around five computers (Windows 7 x86 (SP0)) I saw that almost all of them had IDT hooks. I assume that these hooks are part of the OS or an AV software (McAfee) that was installed on the computers in question.

However, I am unable to determine the module that makes those hooks (all of the hooks are KiUnexpectedInterrupt):


I used various tools (Volatility, AntiSpy ...) in order to try to detect the root cause of these hooks.
Any explanation on whether these hooks are normal or something suspicious would be helpful.

Thanks.
 #20623  by EP_X0FF
 Wed Aug 28, 2013 3:34 pm
Depends on how this tool interprets the IDT in view of the term "hooking". This can be a mismatch between the IDT table it found in the binary and the IDT it read from memory.
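The check a scanner performs when it reports "IDT hooks", as an added example that is not code from either poster or from any of the tools named above: it decodes 32-bit x86 gate descriptors, labels each present vector by the loaded image that owns its handler (an entry inside ntoskrnl, such as a KiUnexpectedInterrupt stub, is labelled "kernel"), and compares memory handlers with on-disk expectations as RVAs rather than raw addresses. All addresses, the module list, the driver name example.sys and the "expected RVA" table are constructed for the example; the rebasing step assumes that one source of the disk-versus-memory mismatch is the kernel being loaded at a different base than the file's preferred one.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GATE_SIZE = 8      # one 32-bit x86 gate descriptor
PRESENT = 0x80     # P bit in the type/attribute byte


@dataclass
class Gate:
    vector: int
    selector: int
    type_attr: int
    handler: int   # linear address the gate transfers control to


# (name, base, size) of a loaded image; all values below are constructed
Module = Tuple[str, int, int]


def parse_idt(blob: bytes) -> List[Gate]:
    """Decode raw descriptors laid out as offset_lo, selector, zero, attr, offset_hi."""
    gates = []
    for vector in range(len(blob) // GATE_SIZE):
        lo, sel, _zero, attr, hi = struct.unpack_from("<HHBBH", blob, vector * GATE_SIZE)
        gates.append(Gate(vector, sel, attr, (hi << 16) | lo))
    return gates


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the loaded image whose range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def classify(gates: List[Gate], modules: List[Module],
             kernel: str = "ntoskrnl.exe") -> Dict[int, str]:
    """Label every present vector by which image backs its handler."""
    labels: Dict[int, str] = {}
    for g in gates:
        if not g.type_attr & PRESENT:
            continue                          # not-present gates cannot be taken
        owner = owner_of(g.handler, modules)
        if owner == kernel:
            labels[g.vector] = "kernel"       # includes unexpected-interrupt stubs
        elif owner:
            labels[g.vector] = f"driver:{owner}"
        else:
            labels[g.vector] = "unbacked"     # no loaded image owns this address
    return labels


def compare_with_image(gates: List[Gate], expected_rva: Dict[int, int],
                       kernel_base: int) -> List[int]:
    """Compare in-memory handlers with RVAs taken from the on-disk kernel.

    Converting the memory address to an RVA first avoids flagging every
    vector merely because the loaded kernel sits at a different base than
    the file's preferred base (assumed cause of a disk/memory mismatch)."""
    mismatches = []
    for g in gates:
        if g.vector in expected_rva and g.handler - kernel_base != expected_rva[g.vector]:
            mismatches.append(g.vector)
    return mismatches


def _gate(handler: int, selector: int = 0x08, attr: int = 0x8E) -> bytes:
    """Build one constructed 32-bit interrupt gate (present, DPL0, 32-bit)."""
    return struct.pack("<HHBBH", handler & 0xFFFF, selector, 0, attr, handler >> 16)


KERNEL_BASE = 0x82800000                              # constructed load address
MODULES: List[Module] = [
    ("ntoskrnl.exe", KERNEL_BASE, 0x400000),
    ("example.sys", 0x8E000000, 0x20000),             # hypothetical driver
]

SAMPLE_IDT = b"".join([
    _gate(KERNEL_BASE + 0x1000),   # vector 0: ordinary kernel handler
    _gate(KERNEL_BASE + 0x1010),   # vector 1: kernel stub
    _gate(0x9A000000),             # vector 2: address no module owns
    _gate(0x8E001000),             # vector 3: handler inside example.sys
    _gate(0, attr=0x0E),           # vector 4: not present, ignored
])

# RVAs "read from the disk image" for the same vectors (constructed)
EXPECTED_RVA = {0: 0x1000, 1: 0x1010, 3: 0x1020}


def demo() -> Tuple[Dict[int, str], List[int]]:
    gates = parse_idt(SAMPLE_IDT)
    return classify(gates, MODULES), compare_with_image(gates, EXPECTED_RVA, KERNEL_BASE)


if __name__ == "__main__":
    labels, mismatches = demo()
    for vector, label in sorted(labels.items()):
        print(f"vector {vector:#04x}: {label}")
    print("disk/memory mismatches:", mismatches)
```

With the constructed input, vectors 0 and 1 resolve into the kernel and match their on-disk RVAs, vector 3 is backed by a loaded driver and differs from the disk image, and vector 2 points at memory no image owns; only the last two deserve a closer look, while a tool that compares raw addresses without rebasing would report all of them.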