EP_X0FF wrote:
    in console type nohooks, press enter (this will disable self-protection that may be causing this bug)
    after this type start, press enter

Thanks, here is some information.
1st run crashed:
I tried 'nohooks' but it didn't work. I tried 'rawmode0' (without specifying 'nohooks') and that worked. I saved the output of Code Hooks and Stealth Code. I then went to the report tab and ran the scan for everything. The file scan crashed after many hours (rku_error_log_1108232303).
2nd run successful:
I tried 'nohooks' again but it didn't work. So I again opened using 'rawmode0' and went to the report tab and ran the scan for everything except file scan.
3rd run BSOD:
After waking my computer from hibernate I tried again just running RkU normally and this time it worked. So I went to the report tab and ran the scan for everything. This caused a BSOD, but I'm not sure at what point in the scan process. I have a kernel dump and I ran windbg (WinDbg BlackBox - BSOD PAGE_FAULT_IN_NONPAGED_AREA).
4th run successful:
After reboot I again was able to start RkU normally and I ran the scan for everything except file scan.
I also ran a scan from a VM just for comparison. Notice in the VM report that the network path isn't correct:

    \\\\\are-host\Shared Folders\Installs\R-Kit\vlc-1.1.7-win32.exe (UG North, RKULE, SR2 Overlord)

should be:

    \\vmware-host\Shared Folders\Installs\R-Kit\vlc-1.1.7-win32.exe (UG North, RKULE, SR2 Overlord)

I have attached all log files. I have a few questions.
I have lots of SbieDll.dll entries and I was wondering if it would be possible to hide these in future versions (if it's the valid SbieDll.dll which is signed by Sandboxie).
In the 2nd run logfile there are lots of 'Ldr suspicious modification' entries related to vlc-1.1.7-win32.exe (what I renamed the RkU program as to mask it). Should the RkU program be detecting itself as 'Ldr suspicious modification'? I did not notice this in the 1st or 4th scan.
In the 4th run I see in Code Hooks some stuff related to sandboxie's driver although it says unknown code page. I also see some stuff I can't explain, here:

    Device object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
    File object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
    Key object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
    LpcPort object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
    Section object-->OpenProcedure, Type: Kernel Object [unknown_code_page]

Generally I see a lot of unknown_code_page stuff and I am wondering how to trace it. Like in the 2nd run I see a lot of this related to a valid svchost process:

    [1160]svchost.exe-->wininet.dll-->advapi32.dll-->AllocateAndInitializeSid, Type: IAT modification 0x70411230-->00000000 [unknown_code_page]
    [1160]svchost.exe-->wininet.dll-->advapi32.dll-->CheckTokenMembership, Type: IAT modification 0x70411234-->00000000 [unknown_code_page]
Thanks
Attachments
Log files from my computer
(135.69 KiB) Downloaded 37 times