And scan for deep hooks, choose "Show/Hide Low Risk Codes", and you can see the result: the target of the jmp is 805bd89e, which is inside ntoskrnl, i.e. the same module as the scanned module.
Anyway, I think there are still many ways to bypass my scan engine, but I'll try to harden it as much as possible.
Uhm, it's weird. In my design, I also put in a condition for a mismatch between the loaded image and the on-disk image. You can test with a rootkit, MD5: bb69b94d3698f6530e1bd71b675e28ce (a variant of Rustock.NDV, picture shown below).
The test for a mismatched image: the rootkit stops the beep.sys service, replaces the original \systemroot\system32\drivers\beep.sys with a fake Beep.sys driver and restarts the Beep service. After finishing all its tasks, it restores the original Beep.sys and deletes the fake one.
The test result:
In the box, you can see that I also check for this case.
cvcvxk, could you please describe step by step how you tested? If it didn't detect the mismatch between the images, then I might have a bug somewhere. I need to reproduce the bug and fix it ;) Thanks in advance.
Ah, thanks achillis, I've understood it already, but if he redirects ntoskrnl.exe to cmd.exe, it must be a "Mismatch image" too. Is there anything special here?
I just made an example like redirecting ntoskrnl.exe to cmd.exe.
In fact I just dump the memory of ntoskrnl.exe (which I hooked) to xxx.exe
and redirect ntoskrnl.exe to xxx.exe,
then the image in memory and on disk are the same.
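The image-mismatch check the thread argues about, and the dump-and-redirect trick cvcvxk describes, as an added worked example (Python, not code from the thread or from the scanner being discussed). It builds a synthetic two-section PE32, maps it the way a loader would, plants an inline jmp hook, and runs a section-by-section memory-versus-disk compare: the hook is flagged, but once the hooked memory image is dumped back into file layout and that dump is used as the "on-disk" copy, the compare passes, exactly as described above. Comparing the in-memory .text against a trusted reference hash (rather than against whatever file the module path currently resolves to) still catches it. The PE contents, section names, hook offset and hook target are all constructed for the example; a real checker must also apply relocations to the disk copy and skip the import address table, which this sample has no need for.

```python
import hashlib
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Build a minimal PE32 file image from [(name, raw_bytes, characteristics)].
    Constructed sample: just enough headers for the checker below, not a loadable driver."""
    num, opt_size = len(sections), 0xE0
    headers_size = _align(0x40 + 4 + 20 + opt_size + 40 * num, FILE_ALIGN)
    raw_ptr, va, table, body = headers_size, SECTION_ALIGN, b"", b""
    for name, data, chars in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(data), SECTION_ALIGN)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000)                       # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, va, headers_size)             # SizeOfImage, SizeOfHeaders
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + table
    return hdr.ljust(headers_size, b"\0") + body


def parse_sections(pe):
    """Return [(name, vsize, va, raw_size, raw_ptr, chars)] from the section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    out = []
    for i in range(num):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        chars = struct.unpack_from("<I", pe, table + 40 * i + 36)[0]
        out.append((name.rstrip(b"\0").decode(), vsize, va, raw_size, raw_ptr, chars))
    return out


def map_image(disk):
    """Lay the file out as the loader would: headers at 0, each section at its VA."""
    opt = struct.unpack_from("<I", disk, 0x3C)[0] + 24
    size_of_image, size_of_headers = struct.unpack_from("<II", disk, opt + 56)
    mem = bytearray(size_of_image)
    mem[:size_of_headers] = disk[:size_of_headers]
    for _, _, va, raw_size, raw_ptr, _ in parse_sections(disk):
        mem[va:va + raw_size] = disk[raw_ptr:raw_ptr + raw_size]
    return mem


def dump_image(mem):
    """Reverse of map_image: the 'memory dump to xxx.exe' step, back in file layout."""
    opt = struct.unpack_from("<I", mem, 0x3C)[0] + 24
    size_of_headers = struct.unpack_from("<I", mem, opt + 60)[0]
    secs = parse_sections(mem)
    disk = bytearray(max(p + s for _, _, _, s, p, _ in secs))
    disk[:size_of_headers] = mem[:size_of_headers]
    for _, _, va, raw_size, raw_ptr, _ in secs:
        disk[raw_ptr:raw_ptr + raw_size] = mem[va:va + raw_size]
    return bytes(disk)


def image_mismatches(mem, disk):
    """Byte-compare every executable section of the mapped image with the on-disk file.
    Returns {section_name: [offsets that differ]}."""
    result = {}
    for name, _, va, raw_size, raw_ptr, chars in parse_sections(disk):
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            continue
        in_mem, on_disk = bytes(mem[va:va + raw_size]), disk[raw_ptr:raw_ptr + raw_size]
        diffs = [i for i in range(raw_size) if in_mem[i] != on_disk[i]]
        if diffs:
            result[name] = diffs
    return result


def section_hash(image, name, mapped):
    """SHA-256 of one section, read from a mapped image (mapped=True) or a file image."""
    for n, _, va, raw_size, raw_ptr, _ in parse_sections(image):
        if n == name:
            start = va if mapped else raw_ptr
            return hashlib.sha256(bytes(image[start:start + raw_size])).hexdigest()
    raise KeyError(name)


def install_inline_hook(mem, va, target_va):
    """Overwrite 5 bytes at va with 'jmp rel32' to target_va (E9 xx xx xx xx)."""
    mem[va:va + 5] = b"\xE9" + struct.pack("<I", (target_va - (va + 5)) & 0xFFFFFFFF)


def run_demo():
    code = b"\x90" * 30 + b"\xC3" + b"\xCC" * 33                  # constructed 64-byte .text
    data = b"constructed sample data\0".ljust(32, b"\0")
    clean_disk = build_pe([
        (".text", code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".data", data, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])
    reference = section_hash(clean_disk, ".text", mapped=False)   # from a trusted copy, not the live path
    results = {}
    mem = map_image(clean_disk)                                    # 1. untouched: memory == disk
    results["clean"] = sorted(image_mismatches(mem, clean_disk))
    install_inline_hook(mem, 0x1000 + 0x10, 0x70000000)            # 2. jmp out of the module at .text+0x10
    results["hooked"] = sorted(image_mismatches(mem, clean_disk))
    dumped = dump_image(mem)                                       # 3. dump hooked memory, "redirect" path to it
    results["dump_and_redirect"] = sorted(image_mismatches(mem, dumped))
    results["reference_hash_catches_redirect"] = section_hash(mem, ".text", mapped=True) != reference
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Step 3 is the bypass in the last post: with the file the module path resolves to being a dump of the already-hooked image, "memory equals disk" is true and the mismatch rule is silent. Step 4 is the obvious counter: anchor the comparison in something the attacker does not control, such as a section hash from a signed catalog or a known-good copy, and treat a module whose file path no longer resolves to the expected system location as suspicious in its own right.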