A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #6650  by Radovan
 Thu Jun 02, 2011 8:49 pm
Hello

I did a scan with RKU and I see some strange results.

First, I see that NtSystemDebugControl is hooked by Blackbox.sys. I tried to find the driver but it does not exist.

And also I see hooks in Chrome.exe. It could be the Chrome sandbox but I want to be sure:
Code:
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #4
==============================================
ntkrnlpa.exe+0x0002D510, Type: Inline - RelativeJump 0x80504510-->805044CD [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
[368]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[368]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[368]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[368]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[368]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[368]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[368]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[368]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[368]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[3292]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2992]devenv.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - DirectJump 0x7C801AF5-->5F08001E [unknown_code_page]
[2992]devenv.exe-->user32.dll-->DispatchMessageW, Type: Inline - DirectJump 0x7E418A01-->5F20001E [unknown_code_page]
[2992]devenv.exe-->user32.dll-->DispatchMessageA, Type: Inline - DirectJump 0x7E4196B8-->5F0B001E [unknown_code_page]
[2992]devenv.exe-->user32.dll-->MessageBeep, Type: Inline - DirectJump 0x7E431F7B-->5F0E001E [unknown_code_page]
[2992]devenv.exe-->gdi32.dll-->TextOutW, Type: Inline - DirectJump 0x77F17EAC-->5F14001E [unknown_code_page]
[2992]devenv.exe-->gdi32.dll-->ExtTextOutW, Type: Inline - DirectJump 0x77F18086-->5F1A001E [unknown_code_page]
[2992]devenv.exe-->gdi32.dll-->TextOutA, Type: Inline - DirectJump 0x77F1BA4F-->5F11001E [unknown_code_page]
[2992]devenv.exe-->gdi32.dll-->ExtTextOutA, Type: Inline - DirectJump 0x77F1D3FA-->5F17001E [unknown_code_page]
[7064]chrome.exe-->kernel32.dll-->CreateNamedPipeW, Type: IAT modification 0x004711D0-->002C0010 [unknown_code_page]
[7064]chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 6 [28 00 16 00]
[7064]chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 6 [28]
[7064]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 8 [16 00]
[7064]chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 6 [68 00 16 00]
[7064]chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 6 [A8 01 16 00]
[7064]chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Inline - RelativeCall 0x7C90D614-->7B90EC1A [unknown_code_page]
[7064]chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Code Mismatch 0x7C90D60E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 6 [A8 02 16 00]
[7064]chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 6 [68 01 16 00]
[7064]chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 6 [68 02 16 00]
[7064]chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Inline - RelativeCall 0x7C90D684-->7B90EC8B [unknown_code_page]
[7064]chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Code Mismatch 0x7C90D67E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 6 [A8 00 16 00]
[7064]chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Inline - RelativeCall 0x7C90D7B4-->7B90EDB9 [unknown_code_page]
[7064]chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Code Mismatch 0x7C90D7AE + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 6 [28 01 16 00]
[7064]chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 6 [28 02 16 00]
[7064]chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 11 [E2]
[7064]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 6 [68]
[7064]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 8 [16 00]
[7064]chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 11 [E2]
[7064]chrome.exe-->kernel32.dll+0x000027D0, Type: Code Mismatch 0x7C8027D0 + 10192 [10 00 AC 83]
 #6657  by nullptr
 Fri Jun 03, 2011 3:44 am
Is the name of RkU that you're running Blackbox.exe? Everything in your report seems normal.
Code:
[c2J8owwO.SYS] = RkU's own hooks

ntkrnlpa.exe-->KeDelayExecutionThread, Type: Inline - RelativeJump 0x804F95E6-->F424753B [c2J8owwO.SYS]
ntkrnlpa.exe-->ExAllocatePool, Type: Inline - RelativeJump 0x805335EA-->F42474DC [c2J8owwO.SYS]
ntkrnlpa.exe+0x0006AB0A, Type: Inline - RelativeJump 0x80541B0A-->80541B11 [ntkrnlpa.exe]
ntkrnlpa.exe-->ExAllocatePoolWithTag, Type: Inline - RelativeJump 0x80544F80-->F424750C [c2J8owwO.SYS]
ntkrnlpa.exe-->NtSystemDebugControl, Type: Inline - RelativeJump 0x8060EC2C-->F4247702 [c2J8owwO.SYS]
Process object-->OpenProcedure, Type: Kernel Object [c2J8owwO.SYS]
Thread object-->OpenProcedure, Type: Kernel Object [c2J8owwO.SYS]
Section object-->OpenProcedure, Type: Kernel Object [c2J8owwO.SYS]

// Typical Chrome hooks
chrome.exe-->kernel32.dll-->CreateNamedPipeW, Type: IAT modification 0x004661D8-->002C0010 [unknown_code_page]
chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 6 [28 00 16 00]
chrome.exe-->ntdll.dll-->NtCreateFile, Type: Code Mismatch 0x7C90D0AE + 11 [E2]
chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 6 [28]
chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 8 [16 00]
chrome.exe-->ntdll.dll-->NtMapViewOfSection, Type: Code Mismatch 0x7C90D51E + 11 [E2]
chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 6 [68 00 16 00]
chrome.exe-->ntdll.dll-->NtOpenFile, Type: Code Mismatch 0x7C90D59E + 11 [E2]
chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 6 [A8 01 16 00]
chrome.exe-->ntdll.dll-->NtOpenProcess, Type: Code Mismatch 0x7C90D5FE + 11 [E2]
chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Inline - RelativeCall 0x7C90D614-->7B90EC1A [unknown_code_page]
chrome.exe-->ntdll.dll-->NtOpenProcessToken, Type: Code Mismatch 0x7C90D60E + 11 [E2]
chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 6 [A8 02 16 00]
chrome.exe-->ntdll.dll-->NtOpenProcessTokenEx, Type: Code Mismatch 0x7C90D61E + 11 [E2]
chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 6 [68 01 16 00]
chrome.exe-->ntdll.dll-->NtOpenThread, Type: Code Mismatch 0x7C90D65E + 11 [E2]
chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 6 [68 02 16 00]
chrome.exe-->ntdll.dll-->NtOpenThreadToken, Type: Code Mismatch 0x7C90D66E + 11 [E2]
chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Inline - RelativeCall 0x7C90D684-->7B90EC8B [unknown_code_page]
chrome.exe-->ntdll.dll-->NtOpenThreadTokenEx, Type: Code Mismatch 0x7C90D67E + 11 [E2]
chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 6 [A8 00 16 00]
chrome.exe-->ntdll.dll-->NtQueryAttributesFile, Type: Code Mismatch 0x7C90D70E + 11 [E2]
chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Inline - RelativeCall 0x7C90D7B4-->7B90EDB9 [unknown_code_page]
chrome.exe-->ntdll.dll-->NtQueryFullAttributesFile, Type: Code Mismatch 0x7C90D7AE + 11 [E2]
chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 6 [28 01 16 00]
chrome.exe-->ntdll.dll-->NtSetInformationFile, Type: Code Mismatch 0x7C90DC5E + 11 [E2]
chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 6 [28 02 16 00]
chrome.exe-->ntdll.dll-->NtSetInformationThread, Type: Code Mismatch 0x7C90DCAE + 11 [E2]
chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 6 [68]
chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 8 [16 00]
chrome.exe-->ntdll.dll-->NtUnmapViewOfSection, Type: Code Mismatch 0x7C90DF0E + 11 [E2]
chrome.exe-->kernel32.dll+0x000027D0, Type: Code Mismatch 0x7C8027D0 + 10192 [10 00 AC 83]

// RkU self hooks
c2J8owwO.exe-->ntdll.dll-->CsrClientCallServer, Type: Inline - RelativeJump 0x7C912241-->00447E98 [c2J8owwO.exe]
c2J8owwO.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00447E54 [c2J8owwO.exe]
 #6658  by EP_X0FF
 Fri Jun 03, 2011 3:54 am
@Radovan

Regarding browser hooks.

These are Chrome's hooks; it installs them in the running browser copy by overwriting the original code with the following (example for NtQueryAttributesFile).
Code:
7C90D70E:    mov eax, 0000008Bh //ServiceIndex NtQueryAttributesFile
7C90D713:    mov edx, 001600A8h //call gate address
7C90D718:    jmp edx
7C90D71A:    retn 0008h
There is a specially allocated call-gate region at address 00160000h.
For what reason this was done is a question for the Google developers.
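The listing above shows the patched form of one stub. As an added example that is not part of the thread and not code from RkU or Chrome, the C program below models that patch for the 15-byte XP SP3 (x86) ntdll stubs and diffs it against the clean layout (mov eax, ServiceIndex / mov edx, 7FFE0300h / call [edx] / retn n), so you can see why RkU prints exactly "+6 [A8 00 16 00]" and "+11 [E2]" for NtQueryAttributesFile and the split "+6 [28]", "+8 [16 00]" for NtMapViewOfSection (the clean byte 03h at offset 7 survives there). It also shows how a gate address whose low byte is E8h would make a naive disassembler resuming at stub+6 report a "RelativeCall" instead; the 001601E8h gate assumed for NtOpenProcessToken is my choice because it reproduces the 7B90EC1A target in Radovan's report, and the service indices other than 8Bh are placeholders. All byte strings are constructed from those two layouts, not captured from a live process.

```c
/*
 * Added example (not from the thread, RkU or Chrome): models the Chrome-sandbox-style
 * patching of XP SP3 (x86) ntdll syscall stubs that EP_X0FF describes and reproduces the
 * byte-level "Code Mismatch" lines RkU printed.  All bytes are constructed, not captured.
 *
 *   clean XP SP3 stub (15 bytes)       patched stub (as disassembled above)
 *   B8 imm32  mov eax, ServiceIndex    B8 imm32  mov eax, ServiceIndex
 *   BA imm32  mov edx, 7FFE0300h       BA imm32  mov edx, <call gate>
 *   FF 12     call [edx]               FF E2     jmp edx
 *   C2 imm16  retn n                   C2 imm16  retn n   (now unreachable)
 */
#include <stdint.h>
#include <stdio.h>

#define STUB_LEN 15
#define XP_SYSCALL_STUB_PTR 0x7FFE0300u  /* SystemCallStub pointer in KUSER_SHARED_DATA on XP */

static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* edx_imm is the SystemCallStub pointer for a clean stub or the call-gate address for a patched one. */
static void build_stub(uint8_t out[STUB_LEN], uint32_t svc, uint32_t edx_imm, int patched, uint16_t retn)
{
    out[0] = 0xB8; put32(out + 1, svc);                 /* mov eax, ServiceIndex */
    out[5] = 0xBA; put32(out + 6, edx_imm);             /* mov edx, imm32 */
    out[10] = 0xFF; out[11] = patched ? 0xE2 : 0x12;    /* jmp edx  vs.  call [edx] */
    out[12] = 0xC2; out[13] = (uint8_t)retn; out[14] = (uint8_t)(retn >> 8);
}

struct run { int offset, len; uint8_t bytes[STUB_LEN]; };

/* Collect contiguous runs of bytes where live differs from clean; an unchanged byte splits the runs. */
static int mismatch_runs(const uint8_t *clean, const uint8_t *live, int len, struct run *runs, int max_runs)
{
    int n = 0, i = 0;
    while (i < len && n < max_runs) {
        if (clean[i] == live[i]) { i++; continue; }
        runs[n].offset = i; runs[n].len = 0;
        while (i < len && clean[i] != live[i]) runs[n].bytes[runs[n].len++] = live[i++];
        n++;
    }
    return n;
}

/* Build the clean and the patched stub for one syscall and diff them; returns the run count. */
static int compare_stub(uint32_t svc, uint32_t gate, uint16_t retn, struct run *runs)
{
    uint8_t clean[STUB_LEN], live[STUB_LEN];
    build_stub(clean, svc, XP_SYSCALL_STUB_PTR, 0, retn);
    build_stub(live, svc, gate, 1, retn);
    return mismatch_runs(clean, live, STUB_LEN, runs, STUB_LEN);
}

/* Recognise the mov eax / mov edx / jmp edx form and recover the service index and gate address. */
static int decode_gate_hook(const uint8_t *stub, uint32_t *svc, uint32_t *gate)
{
    if (stub[0] != 0xB8 || stub[5] != 0xBA || stub[10] != 0xFF || stub[11] != 0xE2 || stub[12] != 0xC2)
        return 0;
    *svc = get32(stub + 1); *gate = get32(stub + 6);
    return 1;
}

/* If the gate's low byte is E8h, a disassembler resuming at stub+6 sees "call rel32" whose displacement
   is the remaining three gate bytes plus the FFh of jmp edx.  Returns that bogus target, or 0. */
static uint32_t bogus_call_target(uint32_t base, uint32_t svc, uint32_t gate, uint16_t retn)
{
    uint8_t live[STUB_LEN];
    build_stub(live, svc, gate, 1, retn);
    return live[6] == 0xE8 ? base + 6 + 5 + get32(live + 7) : 0;
}

static void report(const char *name, uint32_t base, uint32_t svc, uint32_t gate, uint16_t retn)
{
    struct run runs[STUB_LEN];
    uint8_t live[STUB_LEN];
    uint32_t s, g, t;
    int n = compare_stub(svc, gate, retn, runs);
    for (int r = 0; r < n; r++) {
        printf("chrome.exe-->ntdll.dll-->%s, Type: Code Mismatch 0x%08X + %d [", name, (unsigned)base, runs[r].offset);
        for (int k = 0; k < runs[r].len; k++) printf("%s%02X", k ? " " : "", (unsigned)runs[r].bytes[k]);
        puts("]");
    }
    build_stub(live, svc, gate, 1, retn);
    if (decode_gate_hook(live, &s, &g))
        printf("    service index %02Xh, call gate %08Xh\n", (unsigned)s, (unsigned)g);
    if ((t = bogus_call_target(base, svc, gate, retn)) != 0)
        printf("    naive disassembly from +6 reports call --> %08X\n", (unsigned)t);
}

int main(void)
{
    /* Gate addresses reconstructed from the thread's mismatch bytes (A8 00 16 00 -> 001600A8h; 28 at +6
       and 16 00 at +8 over a clean 00 03 FE 7F -> 00160328h).  The 001601E8h gate for NtOpenProcessToken
       is an assumption: it is the value that makes the call arithmetic land on the reported 7B90EC1A.
       Service indices other than 8Bh (from the thread) are placeholders; they do not affect the diff. */
    report("NtQueryAttributesFile", 0x7C90D70E, 0x8B, 0x001600A8, 8);
    report("NtMapViewOfSection",    0x7C90D51E, 0x6C, 0x00160328, 40);
    report("NtOpenProcessToken",    0x7C90D60E, 0x7B, 0x001601E8, 12);
    return 0;
}
```

The practical check this gives you: a stub whose only changes are the mov edx immediate and the call-to-jmp byte, with the service index intact and the target inside a small user-mode region such as 00160000h, is the sandbox broker redirection described above; a stub whose first bytes (the mov eax) are replaced by a jump, or whose target lies in a module you cannot account for, is not.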