A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #1264  by __Genius__
 Thu Jun 10, 2010 11:43 am
Hi,
Basically I'm using Rootkit-Unhooker as my first anti-rootkit software; besides RkU, IceSword & GMER are great tools.
Recently I was curious about terminating RkU;
it seems there's no specific method for terminating the RkU process ... (regardless of that, it's possible, but it's difficult :) ). (Process monitoring & similar software could not terminate it ...)
I tried many tools with no success (personally, I haven't tried any programmatic solution till now), but I'm curious about this way ...
It's interesting to note that other anti-rootkits (Kernel Detective, GMER, IceSword & many others) don't use any self-protection mechanism, & this is like a joke in the case of software in the field of system protection ... These programs could be terminated as simply as Task Manager can do it!
I want to get information about this technique (the technique that EP used in his software (RkU)) ...
Any help & useful information would be appreciated.

Thanks.
 #1265  by EP_X0FF
 Thu Jun 10, 2010 1:16 pm
Hello,

Previously RkU used splicing of several API functions. It was hard to support with each new version of the NT kernel and it was completely unsafe.

Currently SR2 uses the most stable known method - Kernel Objects Hooking + several additional methods.
Go to the RkU -> Code Hooks tab, hold left SHIFT on the keyboard and press the Scan button in RkU; it will list all its own hooks.

There are still some ways to terminate it, but for common malware it is enough.
 #1274  by Alex
 Sun Jun 13, 2010 4:03 pm
XueTr also implements some self-defense techniques based on hooking many services - Killing XueTr from User Mode (oXueTb PoC). It is exactly as EP_X0FF said: RkU's and XueTr's self-defense methods are enough for common malware. In both cases the weakest point of these tools is the Win32 subsystem (their GUIs), which allows one to destroy/terminate their GUIs and/or processes.

Alex
 #8484  by erick
 Thu Sep 08, 2011 7:07 pm
Hi, can someone please let me know what is the latest version of Rootkit Unhooker available, and where I can download it from?

Also, in regards to the anti-termination technique, how does Rootkit Unhooker overcome the self-termination injected code (ExitProcess) by the ZeroAccess/Max++ rootkit? This rootkit allocates memory via ZwAllocateVirtualMemory and does a memcpy of self-termination code which basically trashes the process stack and calls ExitProcess from within the target process. The injected code runs in the context of the target process and is scheduled to run by queuing a kernel-mode APC to a thread.

Regards,
Eric K.
 #8488  by EP_X0FF
 Fri Sep 09, 2011 12:24 am
erick wrote: Hi, can someone please let me know what is the latest version of Rootkit Unhooker available, and where I can download it from?
http://www.kernelmode.info/forum/viewto ... ?f=11&t=10
Also, in regards to the anti-termination technique, how does Rootkit Unhooker overcome the self-termination injected code (ExitProcess) by the ZeroAccess/Max++ rootkit?
Public version: nohow. The private one has a different self-protection and this rootkit can't terminate it.
If you have a specific question or want to discuss the ZAccess kill feature - create a new thread in the appropriate subforum.
 #8514  by lorddoskias
 Sat Sep 10, 2011 6:55 pm
Hi,
As a result of your discussion I downloaded RkU and listed its hooks, and something got my attention: the Process/Thread Object -> OpenProcedure. So I'm guessing this means it tinkers with ETHREAD/EPROCESS objects? If so - what exactly does the OpenProcedure field (I'm assuming it is a field?) do? I tried looking it up on several web sites which have descriptions of the relevant structures, but I wasn't able to find such a field. Common sense suggests it changes some function pointers - I'm just curious.
 #8515  by Vrtule
 Sat Sep 10, 2011 9:21 pm
OpenProcedure is a function that is called when a new handle to the process is created. The function has the right to block the creation, or (in newer versions of Windows) to silently change the new handle's access rights.

The address of this routine is not present in the EPROCESS/ETHREAD structure. There might exist one such routine for every type of executive object (processes, threads, files, registry keys...). The address is stored in the OBJECT_TYPE_INITIALIZER structure, which is a part of the OBJECT_TYPE structure. Every OBJECT_TYPE structure describes the characteristics of one certain type of object. Actually, this structure is an executive object on its own – of type ObjectType.
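A kernel-debugger check for the structures described in the post above, added here as an example and not part of any post in the thread: it reads the OpenProcedure pointer out of the Process and Thread type objects and resolves it to a module, so you can tell whether a third-party driver (an anti-rootkit's self-protection, or a rootkit using the same trick) has replaced it. Field names come from the public nt symbols; their offsets differ between kernel builds, which is why dt is used instead of hard-coded offsets, and the address in the ln line is a placeholder you fill in from the dt output.

```windbg
$$ PsProcessType / PsThreadType are exported pointers to the OBJECT_TYPE
$$ executive objects; the same objects are visible under \ObjectTypes.
kd> !object \ObjectTypes\Process
kd> !object \ObjectTypes\Thread

$$ Dump the per-type initializer's open routine by symbol, not by offset,
$$ so the commands work on XP through Win7 builds alike.
kd> dt nt!_OBJECT_TYPE poi(nt!PsProcessType) Name TypeInfo.OpenProcedure
kd> dt nt!_OBJECT_TYPE poi(nt!PsThreadType)  Name TypeInfo.OpenProcedure

$$ Resolve the pointer printed above to the nearest symbol and owning module.
$$ A pointer that resolves into nt (or a null pointer) is the stock routine;
$$ one that resolves into any other driver is a replaced OpenProcedure,
$$ which is exactly the hook RkU lists for itself under Code Hooks.
kd> ln <OpenProcedure address from the dt output>

$$ On Vista SP1 and later the supported way to block or trim handle access is
$$ ObRegisterCallbacks. Those callbacks are queued on the type object's
$$ CallbackList instead of replacing OpenProcedure, so check it too: if
$$ Flink/Blink both point back at the list head, nothing is registered.
kd> dt nt!_OBJECT_TYPE poi(nt!PsProcessType) CallbackList
```

Repeat the dt/ln pair for the other entries under \ObjectTypes if a tool lists hooks on more than the process and thread types.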
 #8593  by erick
 Fri Sep 16, 2011 3:38 pm
EP_X0FF wrote: Public version nohow. Private has different self-protection and this rootkit can't terminate it.
Thanks for your reply "EP_X0FF". Is it possible to license your anti-rootkit technology? Specifically, I'm looking at RootkitUnhooker and RootRepeal capabilities to overcome malicious rootkits such as TDSS/TDL3/TDL4, Bootkit/Sinowal/MBR rootkit, and the ZeroAccess/Max++ rootkit. Please let me know, or whether I need to contact you off-list about this.

Regards,
Eric K.