8.2 Detecting IDT Hooking

The Interrupt Descriptor Table (IDT) stores the addresses of the functions known as interrupt service routines (ISRs, or interrupt handlers), which handle hardware interrupts and processor exceptions. Just as with the SSDT, an attacker can overwrite entries in the IDT to redirect control to malicious code. To list the IDT entries, use the idt Volatility plugin. An example of malware that hooks the IDT is the Uroburos (Turla) rootkit, which hooks the interrupt handler at index 0xC3 (INT C3). On a clean system, the handler at 0xC3 points to an address that resides in the memory of ntoskrnl.exe. The following output shows that entry from a clean system:

$ python vol.py -f win7.vmem --profile=Win7SP1x86 idt
Volatility Foundation Volatility Framework 2.6
CPU    Index  Selector   Value      Module       Section
------ ------ ---------- ---------- ------------ ------------
0      0      0x8        0x82890200 ntoskrnl.exe .text
0      1      0x8        0x82890390 ntoskrnl.exe .text
0      2      0x58       0x00000000 NOT USED
0      3      0x8        0x82890800 ntoskrnl.exe .text
[REMOVED]
0      C1     0x8        0x8282f3f4 hal.dll      _PAGELK
0      C2     0x8        0x8288eea4 ntoskrnl.exe .text
0      C3     0x8        0x8288eeae ntoskrnl.exe .text

The following output displays the hooked entry. The 0xC3 entry in the IDT now points to an address that the plugin reports as UNKNOWN: the plugin resolves each handler address against the list of loaded kernel modules, and UNKNOWN means the address does not fall inside the range of any of them. In other words, the hooked handler resides outside ntoskrnl.exe, in memory the rootkit allocated for itself. Note that on a multi-processor system each CPU has its own IDT, which is why the plugin prints a CPU column; check every CPU's table, not just CPU 0.

$ python vol.py -f turla1.vmem --profile=Win7SP1x86 idt
Volatility Foundation Volatility Framework 2.6
CPU    Index  Selector   Value      Module       Section
------ ------ ---------- ---------- ------------ ------------
0      0      0x8        0x82890200 ntoskrnl.exe .text
0      1      0x8        0x82890390 ntoskrnl.exe .text
0      2      0x58       0x00000000 NOT USED
0      3      0x8        0x82890800 ntoskrnl.exe .text
[REMOVED]
0      C1     0x8        0x8282f3f4 hal.dll      _PAGELK
0      C2     0x8        0x8288eea4 ntoskrnl.exe .text
0      C3     0x8        0x85b422b0 UNKNOWN

For a detailed analysis of the Uroburos rootkit, and of the technique it uses to trigger the hooked interrupt handler, refer to the following blog post: https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg.
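The detection logic behind the UNKNOWN label is simple enough to reproduce outside Volatility, which is useful when you want to automate the check over many images or apply it to idt output saved to a file. The following script is an added example and is not code from the book or from the Volatility project: it parses plugin output of the shape shown above and flags any handler whose address does not fall inside a known kernel module. The module base addresses and sizes in KERNEL_MODULES are constructed for illustration (a real analysis would take them from the modules plugin), and the sample output is a constructed excerpt that reuses the addresses from the Turla listing.

```python
import re

# Constructed sample of "vol.py ... idt" output. The columns are CPU, Index,
# Selector, Value, Module, Section; the 0xC3 line mirrors the Turla case above.
SAMPLE_IDT_OUTPUT = """\
CPU    Index  Selector   Value      Module       Section
------ ------ ---------- ---------- ------------ ------------
0      0      0x8        0x82890200 ntoskrnl.exe .text
0      1      0x8        0x82890390 ntoskrnl.exe .text
0      2      0x58       0x00000000 NOT USED
0      C1     0x8        0x8282f3f4 hal.dll      _PAGELK
0      C2     0x8        0x8288eea4 ntoskrnl.exe .text
0      C3     0x8        0x85b422b0 UNKNOWN
"""

# Hypothetical kernel module ranges (name -> (base, size)). In a real analysis
# take these from the loaded-module list (e.g. the modules plugin); the values
# here are constructed so that the sample addresses resolve as in the listing.
KERNEL_MODULES = {
    "hal.dll":      (0x82800000, 0x00040000),
    "ntoskrnl.exe": (0x82840000, 0x00400000),
}

# One IDT entry line: numeric CPU, hex index, hex selector, hex value, then
# either "<module> <section>", "UNKNOWN" or "NOT USED".
IDT_LINE = re.compile(
    r"^(?P<cpu>\d+)\s+(?P<index>[0-9A-Fa-f]+)\s+(?P<selector>0x[0-9A-Fa-f]+)\s+"
    r"(?P<value>0x[0-9A-Fa-f]+)\s+(?P<rest>.+)$"
)


def parse_idt_output(text):
    """Return one dict per IDT entry found in the plugin's text output.
    Header, separator, banner and [REMOVED] lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = IDT_LINE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").split()
        if rest[:2] == ["NOT", "USED"]:
            module, section = "NOT USED", None
        else:
            module = rest[0]
            section = rest[1] if len(rest) > 1 else None
        entries.append({
            "cpu": int(m.group("cpu")),
            "index": int(m.group("index"), 16),
            "selector": int(m.group("selector"), 16),
            "value": int(m.group("value"), 16),
            "module": module,
            "section": section,
        })
    return entries


def owning_module(addr, modules):
    """Name of the module whose [base, base + size) range contains addr, else None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def find_hooked_entries(entries, modules):
    """Flag handlers whose address lies outside every known kernel module.
    Unused gates (value 0) are not handlers and are skipped, so the check does
    not drown real hits in the many empty vectors of a normal IDT."""
    hooked = []
    for e in entries:
        if e["value"] == 0:
            continue
        if owning_module(e["value"], modules) is None:
            hooked.append((e["index"], e["value"], e["module"]))
    return hooked


if __name__ == "__main__":
    entries = parse_idt_output(SAMPLE_IDT_OUTPUT)
    for index, addr, reported in find_hooked_entries(entries, KERNEL_MODULES):
        print(f"CPU IDT entry 0x{index:02X} -> 0x{addr:08x} "
              f"(plugin reported: {reported}) is outside every loaded module: "
              f"possible IDT hook")
```

Because the check keys on module ranges rather than on the UNKNOWN string, it also catches a hook whose target happens to sit in some other loaded module (a malicious driver, say), which the plugin would print with that driver's name rather than UNKNOWN; in that case compare the owning module against what you expect for the vector (ntoskrnl.exe or hal.dll for the core handlers) before drawing a conclusion.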