[solved] RKU LE 3.8.388.590 SR2 bug?

#1030 by YGV
Fri May 07, 2010 5:32 pm

>Hooks
==============================================
Device object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
File object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
Key object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
LpcPort object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtRequestPort, Type: Inline - RelativeJump 0x805A2A10-->BA75ECA0 [unknown_code_page]
ntkrnlpa.exe-->NtRequestWaitReplyPort, Type: Inline - RelativeJump 0x805A2D3C-->BA75ED40 [unknown_code_page]
ntkrnlpa.exe-->NtTraceEvent, Type: Inline - RelativeJump 0x80535114-->BA75EC00 [unknown_code_page]
[1976]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DC1218-->00000000 [shimeng.dll]
[1976]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1976]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1976]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1976]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E36133C-->00000000 [shimeng.dll]
[1976]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x40C114B0-->00000000 [shimeng.dll]
[1976]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AA109C-->00000000 [shimeng.dll]

WinXP SP3
Tom & Jerry snooping around or a bug? :? :|

Username

YGV

Posts

3

Joined

Fri May 07, 2010 4:52 pm

Re: RKU LE 3.8.388.590 SR2 bug?

#1031 by EP_X0FF
Fri May 07, 2010 5:35 pm

Hello,

this is not a bug. Few false positives in kernel mode and usual shimeng.dll caused fp in user mode.
What about Device/File/Key/LpcPort objects - please tell what do you have from security software installed.

Regards.

(topic moved from General Discussion to Tools/Software).

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: RKU LE 3.8.388.590 SR2 bug?

#1032 by YGV
Fri May 07, 2010 5:44 pm

Sandboxie 3.45.10 only.

Thank you for quick answer :)

Username

YGV

Posts

3

Joined

Fri May 07, 2010 4:52 pm

Re: RKU LE 3.8.388.590 SR2 bug?

#1033 by EP_X0FF
Fri May 07, 2010 5:46 pm

This is Sandboxie object type hooks

NtRequestPort
NtRequestWaitReplyPort
NtTraceEvent

also belongs to Sandboxie :)

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: RKU LE 3.8.388.590 SR2 bug?

#1034 by YGV
Fri May 07, 2010 5:53 pm

Ok it's tzuk and not Tom & Jerry You say?

well then I can take some more beer and relax.

Thank you :D

Username

YGV

Posts

3

Joined

Fri May 07, 2010 4:52 pm

Re: [solved] RKU LE 3.8.388.590 SR2 bug?

#1065 by sae
Wed May 12, 2010 6:32 pm

RkU3.8.388.590.exe
XPSP3+VmWare

Attachments

bug.rar

passw: nomalware
(2.41 KiB) Downloaded 37 times

Username

sae

Posts

1

Joined

Mon Mar 22, 2010 12:03 pm

Re: [solved] RKU LE 3.8.388.590 SR2 bug?

#1069 by EP_X0FF
Thu May 13, 2010 1:07 am

Cannot reproduce.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact