A forum for reverse engineering, OS internals and malware analysis 

 #10472  by stifani
 Mon Dec 19, 2011 9:03 pm
Hello,

Hi everyone. I just want to ask if it is possible that RkUnhooker LE gives the message "possible rootkit activity detected" even if there is no rootkit activity in the system?

I mean: if RkU finds some hooks (not related to malware) that are necessary for compatibility (for example shimeng.dll), does it show that message anyway?

For example:
Code:
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
[500]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F41218-->5CF97774 [shimeng.dll]
[500]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A51188-->5CF97774 [shimeng.dll]
[500]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77E410B4-->5CF97774 [shimeng.dll]
[500]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CF97774 [shimeng.dll]
[500]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9D15A4-->5CF97774 [shimeng.dll]
[500]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E39133C-->5CF97774 [shimeng.dll]
[500]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77181248-->5CF97774 [shimeng.dll]
[500]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A3109C-->5CF97774 [shimeng.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
Do I have to worry about this? :)
Thanks
 #10487  by stifani
 Tue Dec 20, 2011 11:52 pm
OK, thanks. That's really reassuring :D

But why is there this hook anyway:
Code:
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
I know the hooks on shimeng.dll are related to compatibility, but what about that hook? Is it somehow also connected to this shimeng.dll compatibility?

And another question:
Is there an easy way (I mean detecting "by eye") to discover which hooks are good and which are not?
Can you please give me some hints about it?

Thanks
 #10488  by kmd
 Wed Dec 21, 2011 1:13 am
Vrtule wrote:
nullptr wrote: Any sort of hooks or modifications etc. will be flagged. RkU doesn't keep any sort of whitelist, it just reports what it finds.
Except its own hooks.
No, it's not true.
You need to press and hold the left SHIFT button and then press the Scan button in RkU; then it will show its own hook.
 #10490  by rkhunter
 Wed Dec 21, 2011 3:52 am
stifani wrote: OK, thanks. That's really reassuring :D

But why is there this hook anyway:
Code:
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
I know the hooks on shimeng.dll are related to compatibility, but what about that hook? Is it somehow also connected to this shimeng.dll compatibility?
Seems this is a false detection. In any case you can take another anti-rootkit and recheck this.
stifani wrote: Is there an easy way (I mean detecting "by eye") to discover which hooks are good and which are not?
Can you please give me some hints about it?
Generally, the target address (80545CF5 [ntkrnlpa.exe] in this case) does not lead into the source module (ntkrnlpa.exe in this case).
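One way to apply rkhunter's rule of thumb to a whole RkU report, as an added example that is not code from the thread or from the RkUnhooker project: parse each hook line, recover the module whose code or import table was changed, and separate hooks whose target stays inside that module from hooks whose target lands in another one. The sample lines are constructed from the report quoted in the thread; treating the exporting DLL (kernel32.dll) as the hooked module for an IAT entry is an assumption of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, in the format of the RkU 3.8 LE report quoted in the thread.
SAMPLE_REPORT = """\
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
[500]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F41218-->5CF97774 [shimeng.dll]
[500]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CF97774 [shimeng.dll]
"""

# One hook line: "<where>, Type: <kind> 0x<from>--><to> [<owner of target>]"
HOOK_RE = re.compile(
    r"^(?P<where>.+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)

@dataclass
class Hook:
    kind: str           # "Inline - RelativeJump", "IAT modification", ...
    hooked_module: str  # module whose code or import table was changed
    target_owner: str   # module RkU attributes the target address to
    src: int
    dst: int

    @property
    def target_in_hooked_module(self) -> bool:
        # rkhunter's rule of thumb: a target that stays inside the hooked
        # module is far less suspicious than one that lands elsewhere.
        return self.hooked_module.lower() == self.target_owner.lower()

def parse_hook(line: str) -> Hook | None:
    m = HOOK_RE.match(line.strip())
    if not m:
        return None  # banners, "=====" separators, blank lines
    where = m["where"]
    if "-->" in where:
        # IAT entry: [pid]process-->importer-->...-->exporter-->Function;
        # the modified import belongs to the exporting DLL (assumption).
        chain = where.split("-->")
        hooked = chain[-2] if len(chain) >= 3 else chain[0]
    else:
        hooked = where.split("+", 1)[0]  # inline patch: module+offset
    return Hook(m["kind"], hooked, m["owner"], int(m["src"], 16), int(m["dst"], 16))

def triage(report: str) -> dict[str, list[Hook]]:
    """Bucket report hooks into those staying in-module and those leaving it."""
    buckets: dict[str, list[Hook]] = {"in_module": [], "cross_module": []}
    for hook in filter(None, map(parse_hook, report.splitlines())):
        buckets["in_module" if hook.target_in_hooked_module else "cross_module"].append(hook)
    return buckets
```

On the quoted report this leaves the ntkrnlpa.exe jump in the in-module bucket and the eight shimeng.dll IAT entries in the cross-module bucket, which is the group a reviewer then has to account for by hand.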