In order to be executed by the Windows kernel, Stuxnet has to "hook" certain functions/handlers (in other words, register itself). As you might know, since a driver runs in kernel space, it has access to core parts of the kernel. Drivers have access to things such as the IDT (Interrupt Descriptor Table), the SSDT (System Service Descriptor Table), and the other drivers that are currently loaded into the kernel.
SSDT
The SSDT is the table that holds the addresses of the different system call APIs. The entries of this table point to the places where user land can call into the kernel. Below, I have dumped the SSDT, and as we can see, there is no SSDT hooking, because all the entries of the table contain addresses that point inside the nt module (hence the nt! before each function name). If any entry of the SSDT had been hooked by Stuxnet, we would expect to see something like "mrxnet!" for that entry below:
kd> dds KiServiceTable L128
804fc624  8058391a nt!NtAcceptConnectPort
804fc628  8056b154 nt!NtAccessCheck
804fc62c  80560664 nt!NtAccessCheckAndAuditAlarm
804fc630  805b6323 nt!NtAccessCheckByType
804fc634  8055616d nt!NtAccessCheckByTypeAndAuditAlarm
804fc638  8060df58 nt!NtAccessCheckByTypeResultList
804fc63c  8060fed7 nt!NtAccessCheckByTypeResultListAndAuditAlarm
804fc640  8060ff14 nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
804fc644  8055469c nt!NtAddAtom
804fc648  8061b93c nt!NtSetBootOptions
804fc64c  8060da54 nt!NtAdjustGroupsToken
804fc650  8055e764 nt!NtAdjustPrivilegesToken
804fc654  8060781d nt!NtAlertResumeThread
804fc658  80562f2c nt!NtAlertThread
804fc65c  8055fb3d nt!NtAllocateLocallyUniqueId
804fc660  8060110e nt!NtAllocateUserPhysicalPages
804fc664  8056085b nt!NtAllocateUuids
804fc668  8057df4b nt!NtAllocateVirtualMemory
804fc66c  8054ec3b nt!NtAreMappedFilesTheSame
804fc670  805b78cf nt!NtAssignProcessToJobObject
804fc674  8050c5fc nt!NtCallbackReturn
804fc678  8061b934 nt!NtCancelDeviceWakeupRequest
804fc67c  805b30bc nt!NtCancelIoFile
804fc680  804e1910 nt!NtCancelTimer
804fc684  8056decb nt!NtClearEvent
804fc688  805725c1 nt!NtClose
804fc68c  8055ff19 nt!NtCloseObjectAuditAlarm
804fc690  80620f33 nt!NtCompactKeys
804fc694  80610955 nt!NtCompareTokens
804fc698  80583d84 nt!NtCompleteConnectPort
804fc69c  8062115f nt!NtCompressKey
804fc6a0  80565287 nt!NtConnectPort
804fc6a4  804d8365 nt!NtContinue
804fc6a8  8062952b nt!NtCreateDebugObject
804fc6ac  8059d59a nt!NtCreateDirectoryObject
804fc6b0  805799e0 nt!NtCreateEvent
804fc6b4  8061be63 nt!NtCreateEventPair
804fc6b8  80578edf nt!NtCreateFile
804fc6bc  80555d7d nt!NtCreateIoCompletion
804fc6c0  805b7237 nt!NtCreateJobObject
804fc6c4  80607c3e nt!NtCreateJobSet
804fc6c8  80563030 nt!NtCreateKey
804fc6cc  80562111 nt!NtCreateMailslotFile
804fc6d0  80582a9f nt!NtCreateMutant
804fc6d4  8056ad3c nt!NtCreateNamedPipeFile
804fc6d8  80596e08 nt!NtCreatePagingFile
804fc6dc  80551dbe nt!NtCreatePort
804fc6e0  8059a61d nt!NtCreateProcess
804fc6e4  80580346 nt!NtCreateProcessEx
804fc6e8  8061c3a2 nt!NtCreateProfile
804fc6ec  805711d5 nt!NtCreateSection
804fc6f0  80553a81 nt!NtCreateSemaphore
804fc6f4  805b676e nt!NtCreateSymbolicLinkObject
804fc6f8  8057f298 nt!NtCreateThread
804fc6fc  80550e73 nt!NtCreateTimer
804fc700  8054e5dc nt!NtCreateToken
804fc704  805a4eca nt!NtCreateWaitablePort
804fc708  8062a616 nt!NtDebugActiveProcess
804fc70c  8062a757 nt!NtDebugContinue
804fc710  80571a83 nt!NtDelayExecution
804fc714  80554473 nt!NtDeleteAtom
804fc718  8061b934 nt!NtCancelDeviceWakeupRequest
804fc71c  805a4df4 nt!NtDeleteFile
804fc720  80563d14 nt!NtDeleteKey
804fc724  805becf1 nt!NtDeleteObjectAuditAlarm
804fc728  80563631 nt!NtDeleteValueKey
804fc72c  805863ad nt!NtDeviceIoControlFile
804fc730  8059668b nt!NtDisplayString
804fc734  80582614 nt!NtDuplicateObject
804fc738  8056b231 nt!NtDuplicateToken
804fc73c  8061b93c nt!NtSetBootOptions
804fc740  8056a5dc nt!NtEnumerateKey
804fc744  8061b92c nt!NtEnumerateSystemEnvironmentValuesEx
804fc748  80564a47 nt!NtEnumerateValueKey
804fc74c  8060002c nt!NtExtendSection
804fc750  805a0a01 nt!NtFilterToken
804fc754  805547de nt!NtFindAtom
804fc758  80563e23 nt!NtFlushBuffersFile
804fc75c  8057c60f nt!NtFlushInstructionCache
804fc760  8056172f nt!NtFlushKey
804fc764  8055137a nt!NtFlushVirtualMemory
804fc768  806019d5 nt!NtFlushWriteBuffer
804fc76c  806014ab nt!NtFreeUserPhysicalPages
804fc770  8057e36e nt!NtFreeVirtualMemory
804fc774  8057c130 nt!NtFsControlFile
804fc778  805a6880 nt!NtGetContextThread
804fc77c  80605081 nt!NtGetDevicePowerState
804fc780  8054c018 nt!NtGetPlugPlayEvent
804fc784  80527855 nt!NtGetWriteWatch
804fc788  8055735f nt!NtImpersonateAnonymousToken
804fc78c  80564477 nt!NtImpersonateClientOfPort
804fc790  8055f8ef nt!NtImpersonateThread
804fc794  805a34ad nt!NtInitializeRegistry
804fc798  80604e8a nt!NtInitiatePowerAction
804fc79c  80607b14 nt!NtIsProcessInJob
804fc7a0  80605073 nt!NtIsSystemResumeAutomatic
804fc7a4  805a31ae nt!NtListenPort
804fc7a8  805a74a9 nt!NtLoadDriver
804fc7ac  8059f701 nt!NtLoadKey
804fc7b0  8059f713 nt!NtLoadKey2
804fc7b4  8055f45e nt!NtLockFile
804fc7b8  805a0434 nt!NtLockProductActivationKeys
804fc7bc  8059cefc nt!NtLockRegistryKey
804fc7c0  805abb4b nt!NtLockVirtualMemory
804fc7c4  805b6da3 nt!NtMakePermanentObject
804fc7c8  805b6cc1 nt!NtMakeTemporaryObject
804fc7cc  80600438 nt!NtMapUserPhysicalPages
804fc7d0  806009d2 nt!NtMapUserPhysicalPagesScatter
804fc7d4  8057648d nt!NtMapViewOfSection
804fc7d8  8061b934 nt!NtCancelDeviceWakeupRequest
804fc7dc  8055fca7 nt!NtNotifyChangeDirectoryFile
804fc7e0  80557b10 nt!NtNotifyChangeKey
804fc7e4  80563aa0 nt!NtNotifyChangeMultipleKeys
804fc7e8  8057dbd7 nt!NtOpenDirectoryObject
804fc7ec  8056735c nt!NtOpenEvent
804fc7f0  8061bf35 nt!NtOpenEventPair
804fc7f4  80576449 nt!NtOpenFile
804fc7f8  805f5a37 nt!NtOpenIoCompletion
804fc7fc  805bcd82 nt!NtOpenJobObject
804fc800  80573055 nt!NtOpenKey
804fc804  80582952 nt!NtOpenMutant
804fc808  80561934 nt!NtOpenObjectAuditAlarm
804fc80c  80566e3a nt!NtOpenProcess
804fc810  8058147f nt!NtOpenProcessToken
804fc814  8057c770 nt!NtOpenProcessTokenEx
804fc818  8057b6b8 nt!NtOpenSection
804fc81c  805ac119 nt!NtOpenSemaphore
804fc820  80579b45 nt!NtOpenSymbolicLinkObject
804fc824  805563f7 nt!NtOpenThread
804fc828  805845b3 nt!NtOpenThreadToken
804fc82c  8057e9e2 nt!NtOpenThreadTokenEx
804fc830  805a5fe6 nt!NtOpenTimer
804fc834  80552aa9 nt!NtPlugPlayControl
804fc838  80556232 nt!NtPowerInformation
804fc83c  805536d9 nt!NtPrivilegeCheck
804fc840  8059c0e1 nt!NtPrivilegeObjectAuditAlarm
804fc844  805b0e95 nt!NtPrivilegedServiceAuditAlarm
804fc848  8057cc95 nt!NtProtectVirtualMemory
804fc84c  8056482d nt!NtPulseEvent
804fc850  8057cbae nt!NtQueryAttributesFile
804fc854  8061b93c nt!NtSetBootOptions
804fc858  8061b93c nt!NtSetBootOptions
804fc85c  804f5b66 nt!NtQueryDebugFilterState
804fc860  8057d1e3 nt!NtQueryDefaultLocale
804fc864  80580a70 nt!NtQueryDefaultUILanguage
804fc868  805841b5 nt!NtQueryDirectoryFile
804fc86c  80566b3b nt!NtQueryDirectoryObject
804fc870  805f5be3 nt!NtQueryEaFile
804fc874  8056d88e nt!NtQueryEvent
804fc878  8055f6d8 nt!NtQueryFullAttributesFile
804fc87c  80553c68 nt!NtQueryInformationAtom
804fc880  80576210 nt!NtQueryInformationFile
804fc884  80584b8c nt!NtQueryInformationJobObject
804fc888  805fdfa2 nt!NtQueryInformationPort
804fc88c  8057a6e8 nt!NtQueryInformationProcess
804fc890  805827e7 nt!NtQueryInformationThread
804fc894  8057eb20 nt!NtQueryInformationToken
804fc898  8056aa98 nt!NtQueryInstallUILanguage
804fc89c  8061c811 nt!NtQueryIntervalProfile
804fc8a0  805f5ada nt!NtQueryIoCompletion
804fc8a4  8055b86b nt!NtQueryKey
804fc8a8  80620abd nt!NtQueryMultipleValueKey
804fc8ac  8061c21f nt!NtQueryMutant
804fc8b0  80578c7b nt!NtQueryObject
804fc8b4  80620c90 nt!NtQueryOpenSubKeys
804fc8b8  80586703 nt!NtQueryPerformanceCounter
804fc8bc  805f6401 nt!NtQueryQuotaInformationFile
804fc8c0  8057d0e1 nt!NtQuerySection
804fc8c4  80555795 nt!NtQuerySecurityObject
804fc8c8  8061b48a nt!NtQuerySemaphore
804fc8cc  8057a874 nt!NtQuerySymbolicLinkObject
804fc8d0  8061b94c nt!NtQuerySystemEnvironmentValue
804fc8d4  8061b924 nt!NtQuerySystemEnvironmentValueEx
804fc8d8  8057a7ba nt!NtQuerySystemInformation
804fc8dc  80558ec1 nt!NtQuerySystemTime
804fc8e0  8055673c nt!NtQueryTimer
804fc8e4  80553b55 nt!NtQueryTimerResolution
804fc8e8  80575d81 nt!NtQueryValueKey
804fc8ec  8057d479 nt!NtQueryVirtualMemory
804fc8f0  8057a580 nt!NtQueryVolumeInformationFile
804fc8f4  80556082 nt!NtQueueApcThread
804fc8f8  804d83ad nt!NtRaiseException
804fc8fc  805bc4e4 nt!NtRaiseHardError
804fc900  8057c24f nt!NtReadFile
804fc904  80550518 nt!NtReadFileScatter
804fc908  80566a22 nt!NtReadRequestData
804fc90c  805849c5 nt!NtReadVirtualMemory
804fc910  80583835 nt!NtRegisterThreadTerminatePort
804fc914  80571ae9 nt!NtReleaseMutant
804fc918  80558f33 nt!NtReleaseSemaphore
804fc91c  8056dc7a nt!NtRemoveIoCompletion
804fc920  8062a6df nt!NtRemoveProcessDebug
804fc924  80620e01 nt!NtRenameKey
804fc928  806211df nt!NtReplaceKey
804fc92c  8056d3aa nt!NtReplyPort
804fc930  80580f92 nt!NtReplyWaitReceivePort
804fc934  80580bb4 nt!NtReplyWaitReceivePortEx
804fc938  805fe063 nt!NtReplyWaitReplyPort
804fc93c  8060500c nt!NtRequestDeviceWakeup
804fc940  805667ce nt!NtRequestPort
804fc944  80583120 nt!NtRequestWaitReplyPort
804fc948  80604e3a nt!NtRequestWakeupLatency
804fc94c  8054b145 nt!NtResetEvent
804fc950  80527d79 nt!NtResetWriteWatch
804fc954  806200e0 nt!NtRestoreKey
804fc958  806077ce nt!NtResumeProcess
804fc95c  8057f394 nt!NtResumeThread
804fc960  8062017a nt!NtSaveKey
804fc964  80620202 nt!NtSaveKeyEx
804fc968  806202c6 nt!NtSaveMergedKeys
804fc96c  8057b7a2 nt!NtSecureConnectPort
804fc970  8061b93c nt!NtSetBootOptions
804fc974  8061b93c nt!NtSetBootOptions
804fc978  80607f6a nt!NtSetContextThread
804fc97c  8062bd1b nt!NtSetDebugFilterState
804fc980  8059a92c nt!NtSetDefaultHardErrorPort
804fc984  8059d382 nt!NtSetDefaultLocale
804fc988  8059d358 nt!NtSetDefaultUILanguage
804fc98c  805f60eb nt!NtSetEaFile
804fc990  8056de41 nt!NtSetEvent
804fc994  8056dc23 nt!NtSetEventBoostPriority
804fc998  8061c1c3 nt!NtSetHighEventPair
804fc99c  8061c103 nt!NtSetHighWaitLowEventPair
804fc9a0  8062a0d0 nt!NtSetInformationDebugObject
804fc9a4  8058181d nt!NtSetInformationFile
804fc9a8  805b7482 nt!NtSetInformationJobObject
804fc9ac  8062069d nt!NtSetInformationKey
804fc9b0  805819c2 nt!NtSetInformationObject
804fc9b4  8057f45a nt!NtSetInformationProcess
804fc9b8  8058372d nt!NtSetInformationThread
804fc9bc  8054e1f9 nt!NtSetInformationToken
804fc9c0  8061c390 nt!NtSetIntervalProfile
804fc9c4  8056df13 nt!NtSetIoCompletion
804fc9c8  80606a63 nt!NtSetLdtEntries
804fc9cc  8061c167 nt!NtSetLowEventPair
804fc9d0  8061c09f nt!NtSetLowWaitHighEventPair
804fc9d4  805f63e7 nt!NtSetQuotaInformationFile
804fc9d8  80556354 nt!NtSetSecurityObject
804fc9dc  8061bbcb nt!NtSetSystemEnvironmentValue
804fc9e0  8061b924 nt!NtQuerySystemEnvironmentValueEx
804fc9e4  8056613e nt!NtSetSystemInformation
804fc9e8  8063874b nt!NtSetSystemPowerState
804fc9ec  805a4a3b nt!NtSetSystemTime
804fc9f0  805b6e63 nt!NtSetThreadExecutionState
804fc9f4  804e19bd nt!NtSetTimer
804fc9f8  805b2c51 nt!NtSetTimerResolution
804fc9fc  8059f55b nt!NtSetUuidSeed
804fca00  80563215 nt!NtSetValueKey
804fca04  805f68db nt!NtSetVolumeInformationFile
804fca08  8061ae18 nt!NtShutdownSystem
804fca0c  80528d95 nt!NtSignalAndWaitForSingleObject
804fca10  8061c5cb nt!NtStartProfile
804fca14  8061c76f nt!NtStopProfile
804fca18  8060777f nt!NtSuspendProcess
804fca1c  805abf08 nt!NtSuspendThread
804fca20  8061c89a nt!NtSystemDebugControl
804fca24  80607ee0 nt!NtTerminateJobObject
804fca28  8056c6dc nt!NtTerminateProcess
804fca2c  8056ce2e nt!NtTerminateThread
804fca30  8057f43d nt!NtTestAlert
804fca34  8052eeaa nt!NtTraceEvent
804fca38  8061b944 nt!NtTranslateFilePath
804fca3c  805f8709 nt!NtUnloadDriver
804fca40  80620379 nt!NtUnloadKey
804fca44  806204f0 nt!NtUnloadKeyEx
804fca48  8055f32c nt!NtUnlockFile
804fca4c  805b383d nt!NtUnlockVirtualMemory
804fca50  8056b931 nt!NtUnmapViewOfSection
804fca54  805b10b4 nt!NtVdmControl
804fca58  80629de3 nt!NtWaitForDebugEvent
804fca5c  80571f9d nt!NtWaitForMultipleObjects
804fca60  805718fb nt!NtWaitForSingleObject
804fca64  8061c043 nt!NtWaitHighEventPair
804fca68  8061bfe7 nt!NtWaitLowEventPair
804fca6c  8057d80a nt!NtWriteFile
804fca70  80550378 nt!NtWriteFileGather
804fca74  805647fc nt!NtWriteRequestData
804fca78  8057f7e6 nt!NtWriteVirtualMemory
804fca7c  804dfe07 nt!NtYieldExecution
804fca80  80588779 nt!NtCreateKeyedEvent
804fca84  80580654 nt!NtOpenKeyedEvent
804fca88  8061cc87 nt!NtReleaseKeyedEvent
804fca8c  8061cf0e nt!NtWaitForKeyedEvent
804fca90  80605e85 nt!NtQueryPortInformationProcess
804fca94  0000011c
804fca98  2c2c2018
804fca9c  44402c40
804fcaa0  1818080c
804fcaa4  0c040408
804fcaa8  08081810
804fcaac  0808040c
804fcab0  080c0404
804fcab4  2004040c
804fcab8  140c1008
804fcabc  0c102c0c
804fcac0  10201c0c
IDT
The IDT is the Interrupt Descriptor Table. Whenever the system receives an interrupt, this table is consulted to find the correct interrupt handler. For example, in the old days of Windows, the CPU would switch to kernel mode for a system call with the assembly instruction "Int 0x2E", which is why you see "nt!KiSystemService" at entry 2E in the table. Modern Windows uses the SYSENTER instruction, which is faster. Stuxnet could have modified the IDT to point to its own code, in which case we would expect to see an entry below beginning with "mrxnet!". Since we don't see that, Stuxnet has not hooked this table either.
kd> !idt -a
Dumping IDT:
00: 804d59b2 nt!KiTrap00
01: 804d5b06 nt!KiTrap01
02: Task Selector = 0x0058
03: 804d5e2e nt!KiTrap03
04: 804d5f96 nt!KiTrap04
05: 804d60de nt!KiTrap05
06: 804d6242 nt!KiTrap06
07: 804d681e nt!KiTrap07
08: Task Selector = 0x0050
09: 804d6c41 nt!KiTrap09
0a: 804d6d49 nt!KiTrap0A
0b: 804d6e75 nt!KiTrap0B
0c: 804d7042 nt!KiTrap0C
0d: 804d7310 nt!KiTrap0D
0e: 804d79a4 nt!KiTrap0E
0f: 804d7d50 nt!KiTrap0F
10: 804d7e58 nt!KiTrap10
11: 804d7f78 nt!KiTrap11
12: Task Selector = 0x00A0
13: 804d80c8 nt!KiTrap13
14: 804d7d50 nt!KiTrap0F
15: 804d7d50 nt!KiTrap0F
16: 804d7d50 nt!KiTrap0F
17: 804d7d50 nt!KiTrap0F
18: 804d7d50 nt!KiTrap0F
19: 804d7d50 nt!KiTrap0F
1a: 804d7d50 nt!KiTrap0F
1b: 804d7d50 nt!KiTrap0F
1c: 804d7d50 nt!KiTrap0F
1d: 804d7d50 nt!KiTrap0F
1e: 804d7d50 nt!KiTrap0F
1f: 804d7d50 nt!KiTrap0F
20: 00000000
21: 00000000
22: 00000000
23: 00000000
24: 00000000
25: 00000000
26: 00000000
27: 00000000
28: 00000000
29: 00000000
2a: 804d525e nt!KiGetTickCount
2b: 804d5354 nt!KiCallbackReturn
2c: 804d54c4 nt!KiSetLowWaitHighThread
2d: 804d5d1e nt!KiDebugService
2e: 804d4dcd nt!KiSystemService
2f: 804d7d50 nt!KiTrap0F
30: 806ba6e4 hal!HalpClockInterrupt
31: 8196946c i8042prt!I8042KeyboardInterruptService (KINTERRUPT 81969430)
32: 804d44c4 nt!KiUnexpectedInterrupt2
33: 804d44ce nt!KiUnexpectedInterrupt3
34: 804d44d8 nt!KiUnexpectedInterrupt4
35: 804d44e2 nt!KiUnexpectedInterrupt5
36: 804d44ec nt!KiUnexpectedInterrupt6
37: 804d44f6 nt!KiUnexpectedInterrupt7
38: 806b5160 hal!HalpProfileInterrupt
39: 81b9b6dc ACPI!ACPIInterruptServiceRoutine (KINTERRUPT 81b9b6a0)
    portcls!CInterruptSync::Release+0x10 (KINTERRUPT 81a0d5a8)
3a: 81b91dd4 VBoxGuest+0xB60 (KINTERRUPT 81b91d98)
3b: 8196531c USBPORT!USBPORT_InterruptService (KINTERRUPT 819652e0)
3c: 81968044 i8042prt!I8042MouseInterruptService (KINTERRUPT 81968008)
3d: 804d4532 nt!KiUnexpectedInterrupt13
3e: 81b99044 atapi!IdePortInterrupt (KINTERRUPT 81b99008)
3f: 81b992cc atapi!IdePortInterrupt (KINTERRUPT 81b99290)
40: 804d4550 nt!KiUnexpectedInterrupt16
41: 804d455a nt!KiUnexpectedInterrupt17
42: 804d4564 nt!KiUnexpectedInterrupt18
43: 804d456e nt!KiUnexpectedInterrupt19
44: 804d4578 nt!KiUnexpectedInterrupt20
45: 804d4582 nt!KiUnexpectedInterrupt21
46: 804d458c nt!KiUnexpectedInterrupt22
47: 804d4596 nt!KiUnexpectedInterrupt23
48: 804d45a0 nt!KiUnexpectedInterrupt24
49: 804d45aa nt!KiUnexpectedInterrupt25
4a: 804d45b4 nt!KiUnexpectedInterrupt26
4b: 804d45be nt!KiUnexpectedInterrupt27
4c: 804d45c8 nt!KiUnexpectedInterrupt28
4d: 804d45d2 nt!KiUnexpectedInterrupt29
4e: 804d45dc nt!KiUnexpectedInterrupt30
4f: 804d45e6 nt!KiUnexpectedInterrupt31
50: 804d45f0 nt!KiUnexpectedInterrupt32
51: 804d45fa nt!KiUnexpectedInterrupt33
52: 804d4604 nt!KiUnexpectedInterrupt34
53: 804d460e nt!KiUnexpectedInterrupt35
54: 804d4618 nt!KiUnexpectedInterrupt36
55: 804d4622 nt!KiUnexpectedInterrupt37
56: 804d462c nt!KiUnexpectedInterrupt38
57: 804d4636 nt!KiUnexpectedInterrupt39
58: 804d4640 nt!KiUnexpectedInterrupt40
59: 804d464a nt!KiUnexpectedInterrupt41
5a: 804d4654 nt!KiUnexpectedInterrupt42
5b: 804d465e nt!KiUnexpectedInterrupt43
5c: 804d4668 nt!KiUnexpectedInterrupt44
5d: 804d4672 nt!KiUnexpectedInterrupt45
5e: 804d467c nt!KiUnexpectedInterrupt46
5f: 804d4686 nt!KiUnexpectedInterrupt47
60: 804d4690 nt!KiUnexpectedInterrupt48
61: 804d469a nt!KiUnexpectedInterrupt49
62: 804d46a4 nt!KiUnexpectedInterrupt50
63: 804d46ae nt!KiUnexpectedInterrupt51
64: 804d46b8 nt!KiUnexpectedInterrupt52
65: 804d46c2 nt!KiUnexpectedInterrupt53
66: 804d46cc nt!KiUnexpectedInterrupt54
67: 804d46d6 nt!KiUnexpectedInterrupt55
68: 804d46e0 nt!KiUnexpectedInterrupt56
69: 804d46ea nt!KiUnexpectedInterrupt57
6a: 804d46f4 nt!KiUnexpectedInterrupt58
6b: 804d46fe nt!KiUnexpectedInterrupt59
6c: 804d4708 nt!KiUnexpectedInterrupt60
6d: 804d4712 nt!KiUnexpectedInterrupt61
6e: 804d471c nt!KiUnexpectedInterrupt62
6f: 804d4726 nt!KiUnexpectedInterrupt63
70: 804d4730 nt!KiUnexpectedInterrupt64
71: 804d473a nt!KiUnexpectedInterrupt65
72: 804d4744 nt!KiUnexpectedInterrupt66
73: 804d474e nt!KiUnexpectedInterrupt67
74: 804d4758 nt!KiUnexpectedInterrupt68
75: 804d4762 nt!KiUnexpectedInterrupt69
76: 804d476c nt!KiUnexpectedInterrupt70
77: 804d4776 nt!KiUnexpectedInterrupt71
78: 804d4780 nt!KiUnexpectedInterrupt72
79: 804d478a nt!KiUnexpectedInterrupt73
7a: 804d4794 nt!KiUnexpectedInterrupt74
7b: 804d479e nt!KiUnexpectedInterrupt75
7c: 804d47a8 nt!KiUnexpectedInterrupt76
7d: 804d47b2 nt!KiUnexpectedInterrupt77
7e: 804d47bc nt!KiUnexpectedInterrupt78
7f: 804d47c6 nt!KiUnexpectedInterrupt79
80: 804d47d0 nt!KiUnexpectedInterrupt80
81: 804d47da nt!KiUnexpectedInterrupt81
82: 804d47e4 nt!KiUnexpectedInterrupt82
83: 804d47ee nt!KiUnexpectedInterrupt83
84: 804d47f8 nt!KiUnexpectedInterrupt84
85: 804d4802 nt!KiUnexpectedInterrupt85
86: 804d480c nt!KiUnexpectedInterrupt86
87: 804d4816 nt!KiUnexpectedInterrupt87
88: 804d4820 nt!KiUnexpectedInterrupt88
89: 804d482a nt!KiUnexpectedInterrupt89
8a: 804d4834 nt!KiUnexpectedInterrupt90
8b: 804d483e nt!KiUnexpectedInterrupt91
8c: 804d4848 nt!KiUnexpectedInterrupt92
8d: 804d4852 nt!KiUnexpectedInterrupt93
8e: 804d485c nt!KiUnexpectedInterrupt94
8f: 804d4866 nt!KiUnexpectedInterrupt95
90: 804d4870 nt!KiUnexpectedInterrupt96
91: 804d487a nt!KiUnexpectedInterrupt97
92: 804d4884 nt!KiUnexpectedInterrupt98
93: 804d488e nt!KiUnexpectedInterrupt99
94: 804d4898 nt!KiUnexpectedInterrupt100
95: 804d48a2 nt!KiUnexpectedInterrupt101
96: 804d48ac nt!KiUnexpectedInterrupt102
97: 804d48b6 nt!KiUnexpectedInterrupt103
98: 804d48c0 nt!KiUnexpectedInterrupt104
99: 804d48ca nt!KiUnexpectedInterrupt105
9a: 804d48d4 nt!KiUnexpectedInterrupt106
9b: 804d48de nt!KiUnexpectedInterrupt107
9c: 804d48e8 nt!KiUnexpectedInterrupt108
9d: 804d48f2 nt!KiUnexpectedInterrupt109
9e: 804d48fc nt!KiUnexpectedInterrupt110
9f: 804d4906 nt!KiUnexpectedInterrupt111
a0: 804d4910 nt!KiUnexpectedInterrupt112
a1: 804d491a nt!KiUnexpectedInterrupt113
a2: 804d4924 nt!KiUnexpectedInterrupt114
a3: 804d492e nt!KiUnexpectedInterrupt115
a4: 804d4938 nt!KiUnexpectedInterrupt116
a5: 804d4942 nt!KiUnexpectedInterrupt117
a6: 804d494c nt!KiUnexpectedInterrupt118
a7: 804d4956 nt!KiUnexpectedInterrupt119
a8: 804d4960 nt!KiUnexpectedInterrupt120
a9: 804d496a nt!KiUnexpectedInterrupt121
aa: 804d4974 nt!KiUnexpectedInterrupt122
ab: 804d497e nt!KiUnexpectedInterrupt123
ac: 804d4988 nt!KiUnexpectedInterrupt124
ad: 804d4992 nt!KiUnexpectedInterrupt125
ae: 804d499c nt!KiUnexpectedInterrupt126
af: 804d49a6 nt!KiUnexpectedInterrupt127
b0: 804d49b0 nt!KiUnexpectedInterrupt128
b1: 804d49ba nt!KiUnexpectedInterrupt129
b2: 804d49c4 nt!KiUnexpectedInterrupt130
b3: 804d49ce nt!KiUnexpectedInterrupt131
b4: 804d49d8 nt!KiUnexpectedInterrupt132
b5: 804d49e2 nt!KiUnexpectedInterrupt133
b6: 804d49ec nt!KiUnexpectedInterrupt134
b7: 804d49f6 nt!KiUnexpectedInterrupt135
b8: 804d4a00 nt!KiUnexpectedInterrupt136
b9: 804d4a0a nt!KiUnexpectedInterrupt137
ba: 804d4a14 nt!KiUnexpectedInterrupt138
bb: 804d4a1e nt!KiUnexpectedInterrupt139
bc: 804d4a28 nt!KiUnexpectedInterrupt140
bd: 804d4a32 nt!KiUnexpectedInterrupt141
be: 804d4a3c nt!KiUnexpectedInterrupt142
bf: 804d4a46 nt!KiUnexpectedInterrupt143
c0: 804d4a50 nt!KiUnexpectedInterrupt144
c1: 804d4a5a nt!KiUnexpectedInterrupt145
c2: 804d4a64 nt!KiUnexpectedInterrupt146
c3: 804d4a6e nt!KiUnexpectedInterrupt147
c4: 804d4a78 nt!KiUnexpectedInterrupt148
c5: 804d4a82 nt!KiUnexpectedInterrupt149
c6: 804d4a8c nt!KiUnexpectedInterrupt150
c7: 804d4a96 nt!KiUnexpectedInterrupt151
c8: 804d4aa0 nt!KiUnexpectedInterrupt152
c9: 804d4aaa nt!KiUnexpectedInterrupt153
ca: 804d4ab4 nt!KiUnexpectedInterrupt154
cb: 804d4abe nt!KiUnexpectedInterrupt155
cc: 804d4ac8 nt!KiUnexpectedInterrupt156
cd: 804d4ad2 nt!KiUnexpectedInterrupt157
ce: 804d4adc nt!KiUnexpectedInterrupt158
cf: 804d4ae6 nt!KiUnexpectedInterrupt159
d0: 804d4af0 nt!KiUnexpectedInterrupt160
d1: 804d4afa nt!KiUnexpectedInterrupt161
d2: 804d4b04 nt!KiUnexpectedInterrupt162
d3: 804d4b0e nt!KiUnexpectedInterrupt163
d4: 804d4b18 nt!KiUnexpectedInterrupt164
d5: 804d4b22 nt!KiUnexpectedInterrupt165
d6: 804d4b2c nt!KiUnexpectedInterrupt166
d7: 804d4b36 nt!KiUnexpectedInterrupt167
d8: 804d4b40 nt!KiUnexpectedInterrupt168
d9: 804d4b4a nt!KiUnexpectedInterrupt169
da: 804d4b54 nt!KiUnexpectedInterrupt170
db: 804d4b5e nt!KiUnexpectedInterrupt171
dc: 804d4b68 nt!KiUnexpectedInterrupt172
dd: 804d4b72 nt!KiUnexpectedInterrupt173
de: 804d4b7c nt!KiUnexpectedInterrupt174
df: 804d4b86 nt!KiUnexpectedInterrupt175
e0: 804d4b90 nt!KiUnexpectedInterrupt176
e1: 804d4b9a nt!KiUnexpectedInterrupt177
e2: 804d4ba4 nt!KiUnexpectedInterrupt178
e3: 804d4bae nt!KiUnexpectedInterrupt179
e4: 804d4bb8 nt!KiUnexpectedInterrupt180
e5: 804d4bc2 nt!KiUnexpectedInterrupt181
e6: 804d4bcc nt!KiUnexpectedInterrupt182
e7: 804d4bd6 nt!KiUnexpectedInterrupt183
e8: 804d4be0 nt!KiUnexpectedInterrupt184
e9: 804d4bea nt!KiUnexpectedInterrupt185
ea: 804d4bf4 nt!KiUnexpectedInterrupt186
eb: 804d4bfe nt!KiUnexpectedInterrupt187
ec: 804d4c08 nt!KiUnexpectedInterrupt188
ed: 804d4c12 nt!KiUnexpectedInterrupt189
ee: 804d4c19 nt!KiUnexpectedInterrupt190
ef: 804d4c20 nt!KiUnexpectedInterrupt191
f0: 804d4c27 nt!KiUnexpectedInterrupt192
f1: 804d4c2e nt!KiUnexpectedInterrupt193
f2: 804d4c35 nt!KiUnexpectedInterrupt194
f3: 804d4c3c nt!KiUnexpectedInterrupt195
f4: 804d4c43 nt!KiUnexpectedInterrupt196
f5: 804d4c4a nt!KiUnexpectedInterrupt197
f6: 804d4c51 nt!KiUnexpectedInterrupt198
f7: 804d4c58 nt!KiUnexpectedInterrupt199
f8: 804d4c5f nt!KiUnexpectedInterrupt200
f9: 804d4c66 nt!KiUnexpectedInterrupt201
fa: 804d4c6d nt!KiUnexpectedInterrupt202
fb: 804d4c74 nt!KiUnexpectedInterrupt203
fc: 804d4c7b nt!KiUnexpectedInterrupt204
fd: 804d4c82 nt!KiUnexpectedInterrupt205
fe: 804d4c89 nt!KiUnexpectedInterrupt206
ff: 804d4c90 nt!KiUnexpectedInterrupt207
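The two checks performed by eye above (every SSDT entry must resolve into nt; every IDT vector must resolve into nt, hal or a driver that legitimately registered an ISR) are easy to automate over saved WinDbg output, which is what you want when reviewing many memory images. The script below is an added example and is not code from the post; it parses the line shapes of `dds KiServiceTable` and `!idt -a` as printed above. The `limit` argument is the number of real SSDT slots (KiServiceLimit): on this build I take it to be the dword that follows the last entry in the dump, 0000011c, after which the dump shows argument-count bytes rather than pointers. The sample dumps embedded in the script are constructed; the entries resolving to mrxnet+0x... and the bare 81c3a400 address are made up to show what a hooked slot would look like, and the module allowlist is what an analyst would copy from `lm` on the sample machine.

```python
import re

# Shapes of the two WinDbg dumps discussed above.
# `dds KiServiceTable`:  "<slot>  <target> [module!symbol]"
DDS_RE = re.compile(r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?\s*$", re.I)
# `!idt -a`:             "<vector>: <handler> [module!symbol [(KINTERRUPT ...)]]"
# Task-gate lines ("02: Task Selector = ...") and the indented continuation
# lines of chained ISRs do not match and are therefore not inspected.
IDT_RE = re.compile(r"^\s*([0-9a-f]{2}):\s+([0-9a-f]{8})(?:\s+(\S+))?", re.I)


def module_of(symbol):
    """'nt!NtClose' -> 'nt', 'VBoxGuest+0xB60' -> 'vboxguest', None if WinDbg
    printed a bare address (no loaded module covers that target)."""
    if not symbol:
        return None
    return re.split(r"[!+]", symbol, maxsplit=1)[0].lower()


def check_ssdt(dump, limit):
    """Inspect the first `limit` slots of a `dds KiServiceTable` dump (limit is
    KiServiceLimit; the dwords after it are the argument-count table and are
    not system call pointers). Every slot must resolve into nt.
    Returns (slot, target, symbol, reason) for each one that does not."""
    findings, seen = [], 0
    for line in dump.splitlines():
        m = DDS_RE.match(line)
        if not m:
            continue                      # prompt line, blank line, etc.
        if seen >= limit:
            break
        seen += 1
        slot, target, symbol = m.groups()
        mod = module_of(symbol)
        if mod is None:
            findings.append((slot, target, symbol, "no symbol: target outside every loaded module"))
        elif mod != "nt":
            findings.append((slot, target, symbol, "target resolves into %s, not nt" % mod))
    return findings


def check_idt(dump, allowed_modules):
    """Inspect `!idt -a` output. Unlike the SSDT, vectors may legitimately point
    into hal and into drivers that registered an ISR, so the analyst supplies
    the set of modules seen in `lm`. Empty vectors (00000000) are skipped."""
    allowed = {m.lower() for m in allowed_modules}
    findings = []
    for line in dump.splitlines():
        m = IDT_RE.match(line)
        if not m:
            continue
        vector, handler, symbol = m.groups()
        if int(handler, 16) == 0:
            continue
        mod = module_of(symbol)
        if mod is None:
            findings.append((vector, handler, symbol, "no symbol: handler outside every loaded module"))
        elif mod not in allowed:
            findings.append((vector, handler, symbol, "handler lives in %s" % mod))
    return findings


# Constructed sample input in the format of the dumps above. The two
# mrxnet+0x... entries and the bare 81c3a400 target are made up to show
# what hooked slots would look like; everything else copies real lines.
SSDT_SAMPLE = """kd> dds KiServiceTable
804fc624  8058391a nt!NtAcceptConnectPort
804fc628  8056b154 nt!NtAccessCheck
804fc62c  80560664 nt!NtAccessCheckAndAuditAlarm
804fc630  81c3a1b0 mrxnet+0x11b0
804fc634  8055616d nt!NtAccessCheckByTypeAndAuditAlarm
804fc638  81c3a400
804fc63c  00000006
"""

IDT_SAMPLE = """kd> !idt -a
Dumping IDT:
02: Task Selector = 0x0058
20: 00000000
2e: 804d4dcd nt!KiSystemService
30: 806ba6e4 hal!HalpClockInterrupt
3a: 81b91dd4 VBoxGuest+0xB60 (KINTERRUPT 81b91d98)
3b: 81c3a600 mrxnet+0x1600
3c: 81968044 i8042prt!I8042MouseInterruptService (KINTERRUPT 81968008)
"""

# Modules that may own an IDT vector on the sample machine (copied from `lm`).
ALLOWED_IDT_MODULES = ["nt", "hal", "i8042prt", "ACPI", "portcls",
                       "VBoxGuest", "USBPORT", "atapi"]

if __name__ == "__main__":
    for f in check_ssdt(SSDT_SAMPLE, limit=6):
        print("SSDT slot %s -> %s %s: %s" % f)
    for f in check_idt(IDT_SAMPLE, ALLOWED_IDT_MODULES):
        print("IDT vector %s -> %s %s: %s" % f)
```

Run against the full dumps above with `limit=0x11c` and the module list from `lm`, both functions return empty lists, which is the "no SSDT or IDT hooks" conclusion in machine-checkable form. A bare-address finding is worth as much attention as a foreign module name: a pointer WinDbg cannot attribute to any loaded module is what a hook into a hidden or unlinked driver looks like.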
Driver IRP Handler Function Tables
Userland communicates with kernel device drivers through IRPs (I/O Request Packets). There are different kinds of IRPs that can be passed from userland to a driver. Some of these IRP types can be found here (http://msdn.microsoft.com/en-us/library/ff548603%28v=VS.85%29.aspx) and in Greg Hoglund's Rootkits book (page 96). Rootkits can hook the IRP handler function tables of other drivers to get their own code to run on certain IRP events. I found that Stuxnet actually does hook the IRP function table. In the screenshot below, we can see 2 code blocks. In the first code block, all 27 entries of the IRP function handler table are overwritten to point to a function that does nothing (hence I named it doNothing). The following block of code does the interesting stuff: it hooks 2 entries in the IRP function handler table (IRP_MJ_DEVICE_CONTROL and IRP_MJ_FILE_SYSTEM_CONTROL) and redirects those entries to 2 different functions.
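The same observation (two dispatch slots redirected into a different module) can be checked programmatically the way memory-forensics tools do it: for every slot of a driver object's MajorFunction array, resolve the target address to a loaded module and flag the slot when it lands neither in the driver's own image nor in nt, which supplies the default handler for slots a driver never sets. The script below is an added example, not code from the post or from Stuxnet. The IRP_MJ_* codes and the 28-slot table size come from wdm.h; the module bases and sizes, the driver name victimdrv, the stand-in for nt's default handler and every target address are constructed for the example.

```python
# IRP major function codes from wdm.h. A driver object's MajorFunction array
# has IRP_MJ_MAXIMUM_FUNCTION + 1 = 28 slots, indexed by these codes.
IRP_MJ_MAXIMUM_FUNCTION = 0x1b
IRP_MJ_NAMES = [
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
]
assert len(IRP_MJ_NAMES) == IRP_MJ_MAXIMUM_FUNCTION + 1


def owner_of(addr, modules):
    """Return the name of the loaded module whose image range contains addr,
    or None when no known module covers it (e.g. a hidden driver)."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def check_dispatch_table(module_name, major_function, modules):
    """Flag dispatch slots of the driver backed by `module_name` whose target is
    neither inside that driver's own image nor inside nt. Returns a list of
    (slot name, target address, owning module or None)."""
    findings = []
    for code, target in enumerate(major_function[:IRP_MJ_MAXIMUM_FUNCTION + 1]):
        owner = owner_of(target, modules)
        if owner in (module_name, "nt"):
            continue
        findings.append((IRP_MJ_NAMES[code], target, owner))
    return findings


# Constructed module ranges (name, base, size); nothing here is a real layout.
MODULES = [
    ("nt", 0x804d7000, 0x230000),
    ("victimdrv", 0x81a00000, 0x20000),   # hypothetical driver whose table is hooked
    ("mrxnet", 0xf8c00000, 0x6000),       # hypothetical range for Stuxnet's driver
]
NT_DEFAULT_HANDLER = 0x804ef0c0   # constructed stand-in for nt's default IRP handler
VICTIM_DISPATCH = 0x81a01234      # constructed: victimdrv's own dispatch routine


def build_clean_table():
    """What victimdrv's table looks like before any hooking: slots it handles
    point into its own image, the rest keep nt's default handler."""
    table = [NT_DEFAULT_HANDLER] * (IRP_MJ_MAXIMUM_FUNCTION + 1)
    for code in (0x00, 0x02, 0x03, 0x04, 0x0d, 0x0e, 0x12):
        table[code] = VICTIM_DISPATCH
    return table


def build_hooked_table():
    """Same table after the two slots named in the text have been redirected
    into the mrxnet range (addresses constructed)."""
    table = build_clean_table()
    table[0x0d] = 0xf8c01a00   # IRP_MJ_FILE_SYSTEM_CONTROL
    table[0x0e] = 0xf8c01c40   # IRP_MJ_DEVICE_CONTROL
    return table


if __name__ == "__main__":
    print("clean :", check_dispatch_table("victimdrv", build_clean_table(), MODULES))
    for slot, target, owner in check_dispatch_table("victimdrv", build_hooked_table(), MODULES):
        print("hooked: %-28s -> %08x (%s)" % (slot, target, owner or "no module"))
```

On a live image the inputs come from `!drvobj <name> 7` (the MajorFunction array) and `lm` (module ranges). Treating nt as an allowed owner is what keeps the check quiet for slots a driver never implemented; treating a target that no module owns as a finding (owner None) is what catches code running from memory that was never loaded as a driver.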
After further thought, I realized why Stuxnet probably doesn't hook the SSDT or the IDT. Newer versions of Windows have a technology called "PatchGuard" built into the kernel. PatchGuard prevents exactly what I mentioned above: hooking the IDT and SSDT (http://en.wikipedia.org/wiki/Kernel_Patch_Protection). Since Stuxnet was meant to run on all the newest versions of Windows, the authors had to abide by PatchGuard's rules. Obviously, PatchGuard does not block IRP function handler hooking, which is completely legitimate driver behavior, and that is why Stuxnet is able to infect newer versions of Windows.