[EP_X0FF]

Hello,

Because Rootkit Unhooker uses some self-protection against user mode malware and GUI attacks, sorry but this is nearly impossible :(

Regards.

[EP_X0FF]

Update.
2 April 2010.

MD5 for exe
0b74739e7a71dc44e8c6ffe6804133a4

SHA1 for exe
48065c9197cd18ba6d6315bdd16bc0bd4c207b8f

[kmd]

xpsp3 working good thanks for an update :)

[EP_X0FF]

Update with fix to Pandex Rootkit anti-RkU specific code.
11 April 2010.



It is highly recommended use this version instead of all previous.

MD5 for exe
74fc5f6228f9901d382876e98ad7008a

SHA1 for exe
543d22699fccd080ccc7070d7032daefb1f35b7d

[PAUK]

Oops! NOT load... previous version worked well.
Win 7 Ultimate x86

[EP_X0FF]

Thanks for testing. This rebuild should solve issue.

MD5 for exe
2f26f3cbafacfa5a3d9c0ad7c21ac8c4

SHA1 for exe
2a812a68469249ffe7887272cda4e87ecd308b10

[PAUK]

Yes! :) Started and works, thanks!

[EP_X0FF]

Update.
14 April 2010

MD5 for exe
39119f7fe25c806395edd1983b6f47df

SHA1 for exe
4a113b4d48433c38d80ade4a972c301db317aceb

All previous locals are incompatible with this version.

In attach Russian local.dll (MD5 4d214cf3430cc02815f9ba8d25c5fc4a) and translatable resources project
(local_dll.dll MD5 50138f5bc833fd075f4899ddee888fc0,
Res1.res MD5 ae7d62113d78c116e73ff00603f4f310)

[Krestig]

Seems that kernel pool overflow/corruption is in normandy.sys.
It happened after clicking on Stealth Code Tab.
WinXP SP3 Rus, kernel crash info:
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000050, Attempt to free a non-allocated paged pool address
Arg2: e12f2000, Starting address
Arg3: 000002f2, Start offset in pages from beginning of paged pool
Arg4: 0a000000, Size in bytes of paged pool

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details

BUGCHECK_STR: 0xc2_50

DEFAULT_BUCKET_ID: CODE_CORRUPTION

PROCESS_NAME: RKUnhookerLE.EX

LAST_CONTROL_TRANSFER: from 80548c2d to 804f9f43

STACK_TEXT:
eb785ae0 80548c2d 000000c2 00000050 e12f2000 nt!KeBugCheckEx+0x1b
eb785b20 8054b49a 00000012 8052e788 00000000 nt!MiFreePoolPages+0x8b
eb785b60 8054b95f e12f2000 00000000 eb785bd8 nt!ExFreePoolWithTag+0x1ba
eb785b70 eb731a8b e12f2000 85adc008 86df3cf0 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
eb785bd8 eb732a0a 022e0000 864c56e8 86df3cf0 Normandy+0x3a8b
eb785c40 804ef19f 85ad8278 85adc008 806e6410 Normandy+0x4a0a
eb785c50 8057f982 85adc078 864c56e8 85adc008 nt!IopfCallDriver+0x31
eb785c64 805807f7 85ad8278 85adc008 864c56e8 nt!IopSynchronousServiceTail+0x70
eb785d00 80579274 00000084 00000000 00000000 nt!IopXxxControlFile+0x5c5
eb785d34 8054163c 00000084 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
eb785d34 7c90e514 00000084 00000000 00000000 nt!KiFastCallEntry+0xfc
022cf838 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND: kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
804fa87a-804fa87e 5 bytes - nt!KeDelayExecutionThread
[ 8b ff 55 8b ec:e9 05 3d 23 6b ]
80504498-8050449b 4 bytes - nt!KiServiceTable+2c (+0x9c1e)
[ 16 bb 5e 80:da 0b 93 ee ]
805044e8-805044eb 4 bytes - nt!KiServiceTable+7c (+0x50)
[ 96 45 5a 80:b8 01 93 ee ]
80504500-80504503 4 bytes - nt!KiServiceTable+94 (+0x18)
[ 84 90 57 80:40 08 93 ee ]
80504510-80504513 4 bytes - nt!KiServiceTable+a4 (+0x10)
[ c8 37 62 80:5a 13 93 ee ]
80504524-80504527 4 bytes - nt!KiServiceTable+b8 (+0x14)
[ b2 50 5a 80:9a 00 93 ee ]
80504534-80504537 4 bytes - nt!KiServiceTable+c8 (+0x10)
[ 8e b3 5a 80:6a 20 93 ee ]
8050453c-80504543 8 bytes - nt!KiServiceTable+d0 (+0x08)
[ a6 39 5c 80 d2 0f 5d 80:02 23 93 ee 60 fc 92 ee ]
80504568-8050456b 4 bytes - nt!KiServiceTable+fc (+0x2c)
[ 64 3c 62 80:c4 0f 93 ee ]
80504570-80504573 4 bytes - nt!KiServiceTable+104 (+0x08)
[ 34 3e 62 80:74 11 93 ee ]
8050457c-8050457f 4 bytes - nt!KiServiceTable+110 (+0x0c)
[ b4 df 5b 80:92 fa 92 ee ]
805045f0-805045f3 4 bytes - nt!KiServiceTable+184 (+0x74)
[ 3a 41 58 80:ec 1c 93 ee ]
80504610-80504613 4 bytes - nt!KiServiceTable+1a4 (+0x20)
[ 80 c5 5b 80:3c 04 93 ee ]
8050463c-8050463f 4 bytes - nt!KiServiceTable+1d0 (+0x2c)
[ 82 a1 57 80:1c 0a 93 ee ]
80504654-80504657 4 bytes - nt!KiServiceTable+1e8 (+0x18)
[ fa b3 5c 80:c2 f7 92 ee ]
80504660-80504663 4 bytes - nt!KiServiceTable+1f4 (+0x0c)
[ b2 a3 5a 80:cc 06 93 ee ]
8050466c-8050466f 4 bytes - nt!KiServiceTable+200 (+0x0c)
[ 86 b6 5c 80:3a f9 92 ee ]
8050476c-8050476f 4 bytes - nt!KiServiceTable+300 (+0x100)
[ ea 31 62 80:20 17 93 ee ]
8050478c-8050478f 4 bytes - nt!KiServiceTable+320 (+0x20)
[ 3c 2d 5a 80:48 26 93 ee ]
805047b4-805047b7 4 bytes - nt!KiServiceTable+348 (+0x28)
[ 2a 3d 5a 80:88 1a 93 ee ]
80504820-80504823 4 bytes - nt!KiServiceTable+3b4 (+0x6c)
[ da 05 5c 80:c0 0d 93 ee ]
8050482c-8050482f 4 bytes - nt!KiServiceTable+3c0 (+0x0c)
[ ec f3 60 80:9a 1e 93 ee ]
80504848-8050484b 4 bytes - nt!KiServiceTable+3dc (+0x1c)
[ 3a 1d 62 80:20 15 93 ee ]
80504850-80504853 4 bytes - nt!KiServiceTable+3e4 (+0x08)
[ 76 26 61 80:d6 03 93 ee ]
80504868-8050486b 4 bytes - nt!KiServiceTable+3fc (+0x18)
[ 92 77 61 80:c0 05 93 ee ]
80504870-80504877 8 bytes - nt!KiServiceTable+404 (+0x08)
[ 82 29 5d 80 7c 2b 5d 80:64 ff 92 ee 32 fe 92 ee ]
80537014-80537018 5 bytes - nt!ExAllocatePool (+0x327a4)
[ 8b ff 55 8b ec:e9 0c 75 1f 6b ]
8054b968-8054b96c 5 bytes - nt!ExAllocatePoolWithTag
[ 8b ff 55 8b ec:e9 e8 2b 1e 6b ]
123 errors : !nt (804fa87a-8054b96c)

MODULE_NAME: Normandy

IMAGE_NAME: Normandy.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4bc3deca

FOLLOWUP_NAME: MachineOwner

MEMORY_CORRUPTOR: PATCH_Normandy

FAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_Normandy

BUCKET_ID: MEMORY_CORRUPTION_PATCH_Normandy

Followup: MachineOwner
---------

[gjf]

Dear EP_X0FF, could you be so kind to include a small changelog on each new version?