In order to be executed by the Windows kernel, Stuxnet has to “hook” certain functions/handlers (aka register itself). As you might know, since a driver is running in kernel space, it has access to core parts of the kernel. Drivers have access to things such as the IDT(Interrupt Descriptor Table), SSDT(System Service Descriptor Table), and other drivers that are currently loaded into the kernel.
SSDT
The SSDT is the table that holds addresses of different system call APIs. The entries of this table points to places where user land can call into the kernel. Below, I have dumped the SSDT, and as we can see, there is no SSDT hooking because all the entries of the table contain addresses that point inside the nt module (hence the nt! before each function name). If any entry of the SSDT was hooked by Stuxnet, we should see something like “mrxnet!” for that entry below:
kd> dds KiServiceTable L128 804fc624 8058391a nt!NtAcceptConnectPort 804fc628 8056b154 nt!NtAccessCheck 804fc62c 80560664 nt!NtAccessCheckAndAuditAlarm 804fc630 805b6323 nt!NtAccessCheckByType 804fc634 8055616d nt!NtAccessCheckByTypeAndAuditAlarm 804fc638 8060df58 nt!NtAccessCheckByTypeResultList 804fc63c 8060fed7 nt!NtAccessCheckByTypeResultListAndAuditAlarm 804fc640 8060ff14 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle 804fc644 8055469c nt!NtAddAtom 804fc648 8061b93c nt!NtSetBootOptions 804fc64c 8060da54 nt!NtAdjustGroupsToken 804fc650 8055e764 nt!NtAdjustPrivilegesToken 804fc654 8060781d nt!NtAlertResumeThread 804fc658 80562f2c nt!NtAlertThread 804fc65c 8055fb3d nt!NtAllocateLocallyUniqueId 804fc660 8060110e nt!NtAllocateUserPhysicalPages 804fc664 8056085b nt!NtAllocateUuids 804fc668 8057df4b nt!NtAllocateVirtualMemory 804fc66c 8054ec3b nt!NtAreMappedFilesTheSame 804fc670 805b78cf nt!NtAssignProcessToJobObject 804fc674 8050c5fc nt!NtCallbackReturn 804fc678 8061b934 nt!NtCancelDeviceWakeupRequest 804fc67c 805b30bc nt!NtCancelIoFile 804fc680 804e1910 nt!NtCancelTimer 804fc684 8056decb nt!NtClearEvent 804fc688 805725c1 nt!NtClose 804fc68c 8055ff19 nt!NtCloseObjectAuditAlarm 804fc690 80620f33 nt!NtCompactKeys 804fc694 80610955 nt!NtCompareTokens 804fc698 80583d84 nt!NtCompleteConnectPort 804fc69c 8062115f nt!NtCompressKey 804fc6a0 80565287 nt!NtConnectPort 804fc6a4 804d8365 nt!NtContinue 804fc6a8 8062952b nt!NtCreateDebugObject 804fc6ac 8059d59a nt!NtCreateDirectoryObject 804fc6b0 805799e0 nt!NtCreateEvent 804fc6b4 8061be63 nt!NtCreateEventPair 804fc6b8 80578edf nt!NtCreateFile 804fc6bc 80555d7d nt!NtCreateIoCompletion 804fc6c0 805b7237 nt!NtCreateJobObject 804fc6c4 80607c3e nt!NtCreateJobSet 804fc6c8 80563030 nt!NtCreateKey 804fc6cc 80562111 nt!NtCreateMailslotFile 804fc6d0 80582a9f nt!NtCreateMutant 804fc6d4 8056ad3c nt!NtCreateNamedPipeFile 804fc6d8 80596e08 nt!NtCreatePagingFile 804fc6dc 80551dbe nt!NtCreatePort 804fc6e0 8059a61d nt!NtCreateProcess 804fc6e4 80580346 nt!NtCreateProcessEx 804fc6e8 8061c3a2 nt!NtCreateProfile 804fc6ec 805711d5 nt!NtCreateSection 804fc6f0 80553a81 nt!NtCreateSemaphore 804fc6f4 805b676e nt!NtCreateSymbolicLinkObject 804fc6f8 8057f298 nt!NtCreateThread 804fc6fc 80550e73 nt!NtCreateTimer 804fc700 8054e5dc nt!NtCreateToken 804fc704 805a4eca nt!NtCreateWaitablePort 804fc708 8062a616 nt!NtDebugActiveProcess 804fc70c 8062a757 nt!NtDebugContinue 804fc710 80571a83 nt!NtDelayExecution 804fc714 80554473 nt!NtDeleteAtom 804fc718 8061b934 nt!NtCancelDeviceWakeupRequest 804fc71c 805a4df4 nt!NtDeleteFile 804fc720 80563d14 nt!NtDeleteKey 804fc724 805becf1 nt!NtDeleteObjectAuditAlarm 804fc728 80563631 nt!NtDeleteValueKey 804fc72c 805863ad nt!NtDeviceIoControlFile 804fc730 8059668b nt!NtDisplayString 804fc734 80582614 nt!NtDuplicateObject 804fc738 8056b231 nt!NtDuplicateToken 804fc73c 8061b93c nt!NtSetBootOptions 804fc740 8056a5dc nt!NtEnumerateKey 804fc744 8061b92c nt!NtEnumerateSystemEnvironmentValuesEx 804fc748 80564a47 nt!NtEnumerateValueKey 804fc74c 8060002c nt!NtExtendSection 804fc750 805a0a01 nt!NtFilterToken 804fc754 805547de nt!NtFindAtom 804fc758 80563e23 nt!NtFlushBuffersFile 804fc75c 8057c60f nt!NtFlushInstructionCache 804fc760 8056172f nt!NtFlushKey 804fc764 8055137a nt!NtFlushVirtualMemory 804fc768 806019d5 nt!NtFlushWriteBuffer 804fc76c 806014ab nt!NtFreeUserPhysicalPages 804fc770 8057e36e nt!NtFreeVirtualMemory 804fc774 8057c130 nt!NtFsControlFile 804fc778 805a6880 nt!NtGetContextThread 804fc77c 80605081 nt!NtGetDevicePowerState 804fc780 8054c018 nt!NtGetPlugPlayEvent 804fc784 80527855 nt!NtGetWriteWatch 804fc788 8055735f nt!NtImpersonateAnonymousToken 804fc78c 80564477 nt!NtImpersonateClientOfPort 804fc790 8055f8ef nt!NtImpersonateThread 804fc794 805a34ad nt!NtInitializeRegistry 804fc798 80604e8a nt!NtInitiatePowerAction 804fc79c 80607b14 nt!NtIsProcessInJob 804fc7a0 80605073 nt!NtIsSystemResumeAutomatic 804fc7a4 805a31ae nt!NtListenPort 804fc7a8 805a74a9 nt!NtLoadDriver 804fc7ac 8059f701 nt!NtLoadKey 804fc7b0 8059f713 nt!NtLoadKey2 804fc7b4 8055f45e nt!NtLockFile 804fc7b8 805a0434 nt!NtLockProductActivationKeys 804fc7bc 8059cefc nt!NtLockRegistryKey 804fc7c0 805abb4b nt!NtLockVirtualMemory 804fc7c4 805b6da3 nt!NtMakePermanentObject 804fc7c8 805b6cc1 nt!NtMakeTemporaryObject 804fc7cc 80600438 nt!NtMapUserPhysicalPages 804fc7d0 806009d2 nt!NtMapUserPhysicalPagesScatter 804fc7d4 8057648d nt!NtMapViewOfSection 804fc7d8 8061b934 nt!NtCancelDeviceWakeupRequest 804fc7dc 8055fca7 nt!NtNotifyChangeDirectoryFile 804fc7e0 80557b10 nt!NtNotifyChangeKey 804fc7e4 80563aa0 nt!NtNotifyChangeMultipleKeys 804fc7e8 8057dbd7 nt!NtOpenDirectoryObject 804fc7ec 8056735c nt!NtOpenEvent 804fc7f0 8061bf35 nt!NtOpenEventPair 804fc7f4 80576449 nt!NtOpenFile 804fc7f8 805f5a37 nt!NtOpenIoCompletion 804fc7fc 805bcd82 nt!NtOpenJobObject 804fc800 80573055 nt!NtOpenKey 804fc804 80582952 nt!NtOpenMutant 804fc808 80561934 nt!NtOpenObjectAuditAlarm 804fc80c 80566e3a nt!NtOpenProcess 804fc810 8058147f nt!NtOpenProcessToken 804fc814 8057c770 nt!NtOpenProcessTokenEx 804fc818 8057b6b8 nt!NtOpenSection 804fc81c 805ac119 nt!NtOpenSemaphore 804fc820 80579b45 nt!NtOpenSymbolicLinkObject 804fc824 805563f7 nt!NtOpenThread 804fc828 805845b3 nt!NtOpenThreadToken 804fc82c 8057e9e2 nt!NtOpenThreadTokenEx 804fc830 805a5fe6 nt!NtOpenTimer 804fc834 80552aa9 nt!NtPlugPlayControl 804fc838 80556232 nt!NtPowerInformation 804fc83c 805536d9 nt!NtPrivilegeCheck 804fc840 8059c0e1 nt!NtPrivilegeObjectAuditAlarm 804fc844 805b0e95 nt!NtPrivilegedServiceAuditAlarm 804fc848 8057cc95 nt!NtProtectVirtualMemory 804fc84c 8056482d nt!NtPulseEvent 804fc850 8057cbae nt!NtQueryAttributesFile 804fc854 8061b93c nt!NtSetBootOptions 804fc858 8061b93c nt!NtSetBootOptions 804fc85c 804f5b66 nt!NtQueryDebugFilterState 804fc860 8057d1e3 nt!NtQueryDefaultLocale 804fc864 80580a70 nt!NtQueryDefaultUILanguage 804fc868 805841b5 nt!NtQueryDirectoryFile 804fc86c 80566b3b nt!NtQueryDirectoryObject 804fc870 805f5be3 nt!NtQueryEaFile 804fc874 8056d88e nt!NtQueryEvent 804fc878 8055f6d8 nt!NtQueryFullAttributesFile 804fc87c 80553c68 nt!NtQueryInformationAtom 804fc880 80576210 nt!NtQueryInformationFile 804fc884 80584b8c nt!NtQueryInformationJobObject 804fc888 805fdfa2 nt!NtQueryInformationPort 804fc88c 8057a6e8 nt!NtQueryInformationProcess 804fc890 805827e7 nt!NtQueryInformationThread 804fc894 8057eb20 nt!NtQueryInformationToken 804fc898 8056aa98 nt!NtQueryInstallUILanguage 804fc89c 8061c811 nt!NtQueryIntervalProfile 804fc8a0 805f5ada nt!NtQueryIoCompletion 804fc8a4 8055b86b nt!NtQueryKey 804fc8a8 80620abd nt!NtQueryMultipleValueKey 804fc8ac 8061c21f nt!NtQueryMutant 804fc8b0 80578c7b nt!NtQueryObject 804fc8b4 80620c90 nt!NtQueryOpenSubKeys 804fc8b8 80586703 nt!NtQueryPerformanceCounter 804fc8bc 805f6401 nt!NtQueryQuotaInformationFile 804fc8c0 8057d0e1 nt!NtQuerySection 804fc8c4 80555795 nt!NtQuerySecurityObject 804fc8c8 8061b48a nt!NtQuerySemaphore 804fc8cc 8057a874 nt!NtQuerySymbolicLinkObject 804fc8d0 8061b94c nt!NtQuerySystemEnvironmentValue 804fc8d4 8061b924 nt!NtQuerySystemEnvironmentValueEx 804fc8d8 8057a7ba nt!NtQuerySystemInformation 804fc8dc 80558ec1 nt!NtQuerySystemTime 804fc8e0 8055673c nt!NtQueryTimer 804fc8e4 80553b55 nt!NtQueryTimerResolution 804fc8e8 80575d81 nt!NtQueryValueKey 804fc8ec 8057d479 nt!NtQueryVirtualMemory 804fc8f0 8057a580 nt!NtQueryVolumeInformationFile 804fc8f4 80556082 nt!NtQueueApcThread 804fc8f8 804d83ad nt!NtRaiseException 804fc8fc 805bc4e4 nt!NtRaiseHardError 804fc900 8057c24f nt!NtReadFile 804fc904 80550518 nt!NtReadFileScatter 804fc908 80566a22 nt!NtReadRequestData 804fc90c 805849c5 nt!NtReadVirtualMemory 804fc910 80583835 nt!NtRegisterThreadTerminatePort 804fc914 80571ae9 nt!NtReleaseMutant 804fc918 80558f33 nt!NtReleaseSemaphore 804fc91c 8056dc7a nt!NtRemoveIoCompletion 804fc920 8062a6df nt!NtRemoveProcessDebug 804fc924 80620e01 nt!NtRenameKey 804fc928 806211df nt!NtReplaceKey 804fc92c 8056d3aa nt!NtReplyPort 804fc930 80580f92 nt!NtReplyWaitReceivePort 804fc934 80580bb4 nt!NtReplyWaitReceivePortEx 804fc938 805fe063 nt!NtReplyWaitReplyPort 804fc93c 8060500c nt!NtRequestDeviceWakeup 804fc940 805667ce nt!NtRequestPort 804fc944 80583120 nt!NtRequestWaitReplyPort 804fc948 80604e3a nt!NtRequestWakeupLatency 804fc94c 8054b145 nt!NtResetEvent 804fc950 80527d79 nt!NtResetWriteWatch 804fc954 806200e0 nt!NtRestoreKey 804fc958 806077ce nt!NtResumeProcess 804fc95c 8057f394 nt!NtResumeThread 804fc960 8062017a nt!NtSaveKey 804fc964 80620202 nt!NtSaveKeyEx 804fc968 806202c6 nt!NtSaveMergedKeys 804fc96c 8057b7a2 nt!NtSecureConnectPort 804fc970 8061b93c nt!NtSetBootOptions 804fc974 8061b93c nt!NtSetBootOptions 804fc978 80607f6a nt!NtSetContextThread 804fc97c 8062bd1b nt!NtSetDebugFilterState 804fc980 8059a92c nt!NtSetDefaultHardErrorPort 804fc984 8059d382 nt!NtSetDefaultLocale 804fc988 8059d358 nt!NtSetDefaultUILanguage 804fc98c 805f60eb nt!NtSetEaFile 804fc990 8056de41 nt!NtSetEvent 804fc994 8056dc23 nt!NtSetEventBoostPriority 804fc998 8061c1c3 nt!NtSetHighEventPair 804fc99c 8061c103 nt!NtSetHighWaitLowEventPair 804fc9a0 8062a0d0 nt!NtSetInformationDebugObject 804fc9a4 8058181d nt!NtSetInformationFile 804fc9a8 805b7482 nt!NtSetInformationJobObject 804fc9ac 8062069d nt!NtSetInformationKey 804fc9b0 805819c2 nt!NtSetInformationObject 804fc9b4 8057f45a nt!NtSetInformationProcess 804fc9b8 8058372d nt!NtSetInformationThread 804fc9bc 8054e1f9 nt!NtSetInformationToken 804fc9c0 8061c390 nt!NtSetIntervalProfile 804fc9c4 8056df13 nt!NtSetIoCompletion 804fc9c8 80606a63 nt!NtSetLdtEntries 804fc9cc 8061c167 nt!NtSetLowEventPair 804fc9d0 8061c09f nt!NtSetLowWaitHighEventPair 804fc9d4 805f63e7 nt!NtSetQuotaInformationFile 804fc9d8 80556354 nt!NtSetSecurityObject 804fc9dc 8061bbcb nt!NtSetSystemEnvironmentValue 804fc9e0 8061b924 nt!NtQuerySystemEnvironmentValueEx 804fc9e4 8056613e nt!NtSetSystemInformation 804fc9e8 8063874b nt!NtSetSystemPowerState 804fc9ec 805a4a3b nt!NtSetSystemTime 804fc9f0 805b6e63 nt!NtSetThreadExecutionState 804fc9f4 804e19bd nt!NtSetTimer 804fc9f8 805b2c51 nt!NtSetTimerResolution 804fc9fc 8059f55b nt!NtSetUuidSeed 804fca00 80563215 nt!NtSetValueKey 804fca04 805f68db nt!NtSetVolumeInformationFile 804fca08 8061ae18 nt!NtShutdownSystem 804fca0c 80528d95 nt!NtSignalAndWaitForSingleObject 804fca10 8061c5cb nt!NtStartProfile 804fca14 8061c76f nt!NtStopProfile 804fca18 8060777f nt!NtSuspendProcess 804fca1c 805abf08 nt!NtSuspendThread 804fca20 8061c89a nt!NtSystemDebugControl 804fca24 80607ee0 nt!NtTerminateJobObject 804fca28 8056c6dc nt!NtTerminateProcess 804fca2c 8056ce2e nt!NtTerminateThread 804fca30 8057f43d nt!NtTestAlert 804fca34 8052eeaa nt!NtTraceEvent 804fca38 8061b944 nt!NtTranslateFilePath 804fca3c 805f8709 nt!NtUnloadDriver 804fca40 80620379 nt!NtUnloadKey 804fca44 806204f0 nt!NtUnloadKeyEx 804fca48 8055f32c nt!NtUnlockFile 804fca4c 805b383d nt!NtUnlockVirtualMemory 804fca50 8056b931 nt!NtUnmapViewOfSection 804fca54 805b10b4 nt!NtVdmControl 804fca58 80629de3 nt!NtWaitForDebugEvent 804fca5c 80571f9d nt!NtWaitForMultipleObjects 804fca60 805718fb nt!NtWaitForSingleObject 804fca64 8061c043 nt!NtWaitHighEventPair 804fca68 8061bfe7 nt!NtWaitLowEventPair 804fca6c 8057d80a nt!NtWriteFile 804fca70 80550378 nt!NtWriteFileGather 804fca74 805647fc nt!NtWriteRequestData 804fca78 8057f7e6 nt!NtWriteVirtualMemory 804fca7c 804dfe07 nt!NtYieldExecution 804fca80 80588779 nt!NtCreateKeyedEvent 804fca84 80580654 nt!NtOpenKeyedEvent 804fca88 8061cc87 nt!NtReleaseKeyedEvent 804fca8c 8061cf0e nt!NtWaitForKeyedEvent 804fca90 80605e85 nt!NtQueryPortInformationProcess 804fca94 0000011c 804fca98 2c2c2018 804fca9c 44402c40 804fcaa0 1818080c 804fcaa4 0c040408 804fcaa8 08081810 804fcaac 0808040c 804fcab0 080c0404 804fcab4 2004040c 804fcab8 140c1008 804fcabc 0c102c0c 804fcac0 10201c0c
IDT
The IDT is the Interrupt Descriptor Table. Whenever the system gets an interrupt, this table is referenced to find the correct interrupt handler. For example, in the old days of Windows, the CPU would switch to kernel mode for a system call with the assembly instruction “Int 0x2E”, which is why you see “nt!KiSystemService” at entry 2E in the table. Modern Windows uses the SYSENTER instruction, which is faster. Stuxnet could have modified the IDT to point to its own code, in which case we might have seen an entry below beginning with “mrxnet!”. But since we don’t see that, it means that Stuxnet has not hooked this table either.
kd> !idt -a Dumping IDT: 00: 804d59b2 nt!KiTrap00 01: 804d5b06 nt!KiTrap01 02: Task Selector = 0x0058 03: 804d5e2e nt!KiTrap03 04: 804d5f96 nt!KiTrap04 05: 804d60de nt!KiTrap05 06: 804d6242 nt!KiTrap06 07: 804d681e nt!KiTrap07 08: Task Selector = 0x0050 09: 804d6c41 nt!KiTrap09 0a: 804d6d49 nt!KiTrap0A 0b: 804d6e75 nt!KiTrap0B 0c: 804d7042 nt!KiTrap0C 0d: 804d7310 nt!KiTrap0D 0e: 804d79a4 nt!KiTrap0E 0f: 804d7d50 nt!KiTrap0F 10: 804d7e58 nt!KiTrap10 11: 804d7f78 nt!KiTrap11 12: Task Selector = 0x00A0 13: 804d80c8 nt!KiTrap13 14: 804d7d50 nt!KiTrap0F 15: 804d7d50 nt!KiTrap0F 16: 804d7d50 nt!KiTrap0F 17: 804d7d50 nt!KiTrap0F 18: 804d7d50 nt!KiTrap0F 19: 804d7d50 nt!KiTrap0F 1a: 804d7d50 nt!KiTrap0F 1b: 804d7d50 nt!KiTrap0F 1c: 804d7d50 nt!KiTrap0F 1d: 804d7d50 nt!KiTrap0F 1e: 804d7d50 nt!KiTrap0F 1f: 804d7d50 nt!KiTrap0F 20: 00000000 21: 00000000 22: 00000000 23: 00000000 24: 00000000 25: 00000000 26: 00000000 27: 00000000 28: 00000000 29: 00000000 2a: 804d525e nt!KiGetTickCount 2b: 804d5354 nt!KiCallbackReturn 2c: 804d54c4 nt!KiSetLowWaitHighThread 2d: 804d5d1e nt!KiDebugService 2e: 804d4dcd nt!KiSystemService 2f: 804d7d50 nt!KiTrap0F 30: 806ba6e4 hal!HalpClockInterrupt 31: 8196946c i8042prt!I8042KeyboardInterruptService (KINTERRUPT 81969430) 32: 804d44c4 nt!KiUnexpectedInterrupt2 33: 804d44ce nt!KiUnexpectedInterrupt3 34: 804d44d8 nt!KiUnexpectedInterrupt4 35: 804d44e2 nt!KiUnexpectedInterrupt5 36: 804d44ec nt!KiUnexpectedInterrupt6 37: 804d44f6 nt!KiUnexpectedInterrupt7 38: 806b5160 hal!HalpProfileInterrupt 39: 81b9b6dc ACPI!ACPIInterruptServiceRoutine (KINTERRUPT 81b9b6a0) portcls!CInterruptSync::Release+0x10 (KINTERRUPT 81a0d5a8) 3a: 81b91dd4 VBoxGuest+0xB60 (KINTERRUPT 81b91d98) 3b: 8196531c USBPORT!USBPORT_InterruptService (KINTERRUPT 819652e0) 3c: 81968044 i8042prt!I8042MouseInterruptService (KINTERRUPT 81968008) 3d: 804d4532 nt!KiUnexpectedInterrupt13 3e: 81b99044 atapi!IdePortInterrupt (KINTERRUPT 81b99008) 3f: 81b992cc atapi!IdePortInterrupt (KINTERRUPT 81b99290) 40: 804d4550 nt!KiUnexpectedInterrupt16 41: 804d455a nt!KiUnexpectedInterrupt17 42: 804d4564 nt!KiUnexpectedInterrupt18 43: 804d456e nt!KiUnexpectedInterrupt19 44: 804d4578 nt!KiUnexpectedInterrupt20 45: 804d4582 nt!KiUnexpectedInterrupt21 46: 804d458c nt!KiUnexpectedInterrupt22 47: 804d4596 nt!KiUnexpectedInterrupt23 48: 804d45a0 nt!KiUnexpectedInterrupt24 49: 804d45aa nt!KiUnexpectedInterrupt25 4a: 804d45b4 nt!KiUnexpectedInterrupt26 4b: 804d45be nt!KiUnexpectedInterrupt27 4c: 804d45c8 nt!KiUnexpectedInterrupt28 4d: 804d45d2 nt!KiUnexpectedInterrupt29 4e: 804d45dc nt!KiUnexpectedInterrupt30 4f: 804d45e6 nt!KiUnexpectedInterrupt31 50: 804d45f0 nt!KiUnexpectedInterrupt32 51: 804d45fa nt!KiUnexpectedInterrupt33 52: 804d4604 nt!KiUnexpectedInterrupt34 53: 804d460e nt!KiUnexpectedInterrupt35 54: 804d4618 nt!KiUnexpectedInterrupt36 55: 804d4622 nt!KiUnexpectedInterrupt37 56: 804d462c nt!KiUnexpectedInterrupt38 57: 804d4636 nt!KiUnexpectedInterrupt39 58: 804d4640 nt!KiUnexpectedInterrupt40 59: 804d464a nt!KiUnexpectedInterrupt41 5a: 804d4654 nt!KiUnexpectedInterrupt42 5b: 804d465e nt!KiUnexpectedInterrupt43 5c: 804d4668 nt!KiUnexpectedInterrupt44 5d: 804d4672 nt!KiUnexpectedInterrupt45 5e: 804d467c nt!KiUnexpectedInterrupt46 5f: 804d4686 nt!KiUnexpectedInterrupt47 60: 804d4690 nt!KiUnexpectedInterrupt48 61: 804d469a nt!KiUnexpectedInterrupt49 62: 804d46a4 nt!KiUnexpectedInterrupt50 63: 804d46ae nt!KiUnexpectedInterrupt51 64: 804d46b8 nt!KiUnexpectedInterrupt52 65: 804d46c2 nt!KiUnexpectedInterrupt53 66: 804d46cc nt!KiUnexpectedInterrupt54 67: 804d46d6 nt!KiUnexpectedInterrupt55 68: 804d46e0 nt!KiUnexpectedInterrupt56 69: 804d46ea nt!KiUnexpectedInterrupt57 6a: 804d46f4 nt!KiUnexpectedInterrupt58 6b: 804d46fe nt!KiUnexpectedInterrupt59 6c: 804d4708 nt!KiUnexpectedInterrupt60 6d: 804d4712 nt!KiUnexpectedInterrupt61 6e: 804d471c nt!KiUnexpectedInterrupt62 6f: 804d4726 nt!KiUnexpectedInterrupt63 70: 804d4730 nt!KiUnexpectedInterrupt64 71: 804d473a nt!KiUnexpectedInterrupt65 72: 804d4744 nt!KiUnexpectedInterrupt66 73: 804d474e nt!KiUnexpectedInterrupt67 74: 804d4758 nt!KiUnexpectedInterrupt68 75: 804d4762 nt!KiUnexpectedInterrupt69 76: 804d476c nt!KiUnexpectedInterrupt70 77: 804d4776 nt!KiUnexpectedInterrupt71 78: 804d4780 nt!KiUnexpectedInterrupt72 79: 804d478a nt!KiUnexpectedInterrupt73 7a: 804d4794 nt!KiUnexpectedInterrupt74 7b: 804d479e nt!KiUnexpectedInterrupt75 7c: 804d47a8 nt!KiUnexpectedInterrupt76 7d: 804d47b2 nt!KiUnexpectedInterrupt77 7e: 804d47bc nt!KiUnexpectedInterrupt78 7f: 804d47c6 nt!KiUnexpectedInterrupt79 80: 804d47d0 nt!KiUnexpectedInterrupt80 81: 804d47da nt!KiUnexpectedInterrupt81 82: 804d47e4 nt!KiUnexpectedInterrupt82 83: 804d47ee nt!KiUnexpectedInterrupt83 84: 804d47f8 nt!KiUnexpectedInterrupt84 85: 804d4802 nt!KiUnexpectedInterrupt85 86: 804d480c nt!KiUnexpectedInterrupt86 87: 804d4816 nt!KiUnexpectedInterrupt87 88: 804d4820 nt!KiUnexpectedInterrupt88 89: 804d482a nt!KiUnexpectedInterrupt89 8a: 804d4834 nt!KiUnexpectedInterrupt90 8b: 804d483e nt!KiUnexpectedInterrupt91 8c: 804d4848 nt!KiUnexpectedInterrupt92 8d: 804d4852 nt!KiUnexpectedInterrupt93 8e: 804d485c nt!KiUnexpectedInterrupt94 8f: 804d4866 nt!KiUnexpectedInterrupt95 90: 804d4870 nt!KiUnexpectedInterrupt96 91: 804d487a nt!KiUnexpectedInterrupt97 92: 804d4884 nt!KiUnexpectedInterrupt98 93: 804d488e nt!KiUnexpectedInterrupt99 94: 804d4898 nt!KiUnexpectedInterrupt100 95: 804d48a2 nt!KiUnexpectedInterrupt101 96: 804d48ac nt!KiUnexpectedInterrupt102 97: 804d48b6 nt!KiUnexpectedInterrupt103 98: 804d48c0 nt!KiUnexpectedInterrupt104 99: 804d48ca nt!KiUnexpectedInterrupt105 9a: 804d48d4 nt!KiUnexpectedInterrupt106 9b: 804d48de nt!KiUnexpectedInterrupt107 9c: 804d48e8 nt!KiUnexpectedInterrupt108 9d: 804d48f2 nt!KiUnexpectedInterrupt109 9e: 804d48fc nt!KiUnexpectedInterrupt110 9f: 804d4906 nt!KiUnexpectedInterrupt111 a0: 804d4910 nt!KiUnexpectedInterrupt112 a1: 804d491a nt!KiUnexpectedInterrupt113 a2: 804d4924 nt!KiUnexpectedInterrupt114 a3: 804d492e nt!KiUnexpectedInterrupt115 a4: 804d4938 nt!KiUnexpectedInterrupt116 a5: 804d4942 nt!KiUnexpectedInterrupt117 a6: 804d494c nt!KiUnexpectedInterrupt118 a7: 804d4956 nt!KiUnexpectedInterrupt119 a8: 804d4960 nt!KiUnexpectedInterrupt120 a9: 804d496a nt!KiUnexpectedInterrupt121 aa: 804d4974 nt!KiUnexpectedInterrupt122 ab: 804d497e nt!KiUnexpectedInterrupt123 ac: 804d4988 nt!KiUnexpectedInterrupt124 ad: 804d4992 nt!KiUnexpectedInterrupt125 ae: 804d499c nt!KiUnexpectedInterrupt126 af: 804d49a6 nt!KiUnexpectedInterrupt127 b0: 804d49b0 nt!KiUnexpectedInterrupt128 b1: 804d49ba nt!KiUnexpectedInterrupt129 b2: 804d49c4 nt!KiUnexpectedInterrupt130 b3: 804d49ce nt!KiUnexpectedInterrupt131 b4: 804d49d8 nt!KiUnexpectedInterrupt132 b5: 804d49e2 nt!KiUnexpectedInterrupt133 b6: 804d49ec nt!KiUnexpectedInterrupt134 b7: 804d49f6 nt!KiUnexpectedInterrupt135 b8: 804d4a00 nt!KiUnexpectedInterrupt136 b9: 804d4a0a nt!KiUnexpectedInterrupt137 ba: 804d4a14 nt!KiUnexpectedInterrupt138 bb: 804d4a1e nt!KiUnexpectedInterrupt139 bc: 804d4a28 nt!KiUnexpectedInterrupt140 bd: 804d4a32 nt!KiUnexpectedInterrupt141 be: 804d4a3c nt!KiUnexpectedInterrupt142 bf: 804d4a46 nt!KiUnexpectedInterrupt143 c0: 804d4a50 nt!KiUnexpectedInterrupt144 c1: 804d4a5a nt!KiUnexpectedInterrupt145 c2: 804d4a64 nt!KiUnexpectedInterrupt146 c3: 804d4a6e nt!KiUnexpectedInterrupt147 c4: 804d4a78 nt!KiUnexpectedInterrupt148 c5: 804d4a82 nt!KiUnexpectedInterrupt149 c6: 804d4a8c nt!KiUnexpectedInterrupt150 c7: 804d4a96 nt!KiUnexpectedInterrupt151 c8: 804d4aa0 nt!KiUnexpectedInterrupt152 c9: 804d4aaa nt!KiUnexpectedInterrupt153 ca: 804d4ab4 nt!KiUnexpectedInterrupt154 cb: 804d4abe nt!KiUnexpectedInterrupt155 cc: 804d4ac8 nt!KiUnexpectedInterrupt156 cd: 804d4ad2 nt!KiUnexpectedInterrupt157 ce: 804d4adc nt!KiUnexpectedInterrupt158 cf: 804d4ae6 nt!KiUnexpectedInterrupt159 d0: 804d4af0 nt!KiUnexpectedInterrupt160 d1: 804d4afa nt!KiUnexpectedInterrupt161 d2: 804d4b04 nt!KiUnexpectedInterrupt162 d3: 804d4b0e nt!KiUnexpectedInterrupt163 d4: 804d4b18 nt!KiUnexpectedInterrupt164 d5: 804d4b22 nt!KiUnexpectedInterrupt165 d6: 804d4b2c nt!KiUnexpectedInterrupt166 d7: 804d4b36 nt!KiUnexpectedInterrupt167 d8: 804d4b40 nt!KiUnexpectedInterrupt168 d9: 804d4b4a nt!KiUnexpectedInterrupt169 da: 804d4b54 nt!KiUnexpectedInterrupt170 db: 804d4b5e nt!KiUnexpectedInterrupt171 dc: 804d4b68 nt!KiUnexpectedInterrupt172 dd: 804d4b72 nt!KiUnexpectedInterrupt173 de: 804d4b7c nt!KiUnexpectedInterrupt174 df: 804d4b86 nt!KiUnexpectedInterrupt175 e0: 804d4b90 nt!KiUnexpectedInterrupt176 e1: 804d4b9a nt!KiUnexpectedInterrupt177 e2: 804d4ba4 nt!KiUnexpectedInterrupt178 e3: 804d4bae nt!KiUnexpectedInterrupt179 e4: 804d4bb8 nt!KiUnexpectedInterrupt180 e5: 804d4bc2 nt!KiUnexpectedInterrupt181 e6: 804d4bcc nt!KiUnexpectedInterrupt182 e7: 804d4bd6 nt!KiUnexpectedInterrupt183 e8: 804d4be0 nt!KiUnexpectedInterrupt184 e9: 804d4bea nt!KiUnexpectedInterrupt185 ea: 804d4bf4 nt!KiUnexpectedInterrupt186 eb: 804d4bfe nt!KiUnexpectedInterrupt187 ec: 804d4c08 nt!KiUnexpectedInterrupt188 ed: 804d4c12 nt!KiUnexpectedInterrupt189 ee: 804d4c19 nt!KiUnexpectedInterrupt190 ef: 804d4c20 nt!KiUnexpectedInterrupt191 f0: 804d4c27 nt!KiUnexpectedInterrupt192 f1: 804d4c2e nt!KiUnexpectedInterrupt193 f2: 804d4c35 nt!KiUnexpectedInterrupt194 f3: 804d4c3c nt!KiUnexpectedInterrupt195 f4: 804d4c43 nt!KiUnexpectedInterrupt196 f5: 804d4c4a nt!KiUnexpectedInterrupt197 f6: 804d4c51 nt!KiUnexpectedInterrupt198 f7: 804d4c58 nt!KiUnexpectedInterrupt199 f8: 804d4c5f nt!KiUnexpectedInterrupt200 f9: 804d4c66 nt!KiUnexpectedInterrupt201 fa: 804d4c6d nt!KiUnexpectedInterrupt202 fb: 804d4c74 nt!KiUnexpectedInterrupt203 fc: 804d4c7b nt!KiUnexpectedInterrupt204 fd: 804d4c82 nt!KiUnexpectedInterrupt205 fe: 804d4c89 nt!KiUnexpectedInterrupt206 ff: 804d4c90 nt!KiUnexpectedInterrupt207
Driver IRP handler Functions Tables:
Userland communicates with kernel device drivers through IRPs(I/O Request Packets). There are different kinds of IRPs that can be passed from userland to a driver. Some of these types of IRPs can be found here (http://msdn.microsoft.com/en-us/library/ff548603%28v=VS.85%29.aspx), and in Greg Hoglund’s Rootkits book(page 96). Rootkits can hook the IRP handler function tables of other drivers to get their own code to run upon certain IRP events. I found that Stuxnet actually does hook the IRP Function Table. In the below screenshot, we can see 2 code blocks. In the first code block, all 27 entries of the IRP function handler table are overwritten to point to a function that does nothing (hence I named it doNothing). The following block of code does the interesting stuff. It actually hooks 2 entries in the IRP function handler table (IRP_MJ_DEVICE_CONTROL and IRP_MJ_FILE_SYSTEM_CONTROL) and redirects those entries to 2 different functions.
After further thought, I realized why Stuxnet probably doesn’t hook SSDT or IDT. Never versions of Windows have a technology called “Patchguard” built into the kernel. Patch guard prevents exactly what I mentioned above: hooking IDT and SSDT (http://en.wikipedia.org/wiki/Kernel_Patch_Protection). Since Stuxnet was meant to run on all the newest versions of Windows, the authors had to abide by Patchguard rules. Obviously, Patchguard does not block IRP function handler hooking, which is a completely legitimate driver behavior, which is why Stuxnet is able to infect newer versions of windows.
By: Neil Sikka