A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4350  by EP_X0FF
 Sat Jan 08, 2011 11:29 am
@Implayer

This bug was caused by an updated version of ntkrnlpa. Some required addresses unexpectedly moved from a lower value to a much greater one (in comparison to Windows 2003 SP2). Stuff that was using this in the version posted above simply does not work.

Once this will be fixed updated version will be posted.

@liangtong
Well, I know what is causing this BSOD. It needs to be reproduced stably here on my side, so I can trace it in the debugger.
 #4353  by liangtong
 Sat Jan 08, 2011 12:20 pm
1: kd> !pool 9b135fe0
*9b135fd8 size: 28 previous size: c8 (Allocated) *VadS

1: kd> !object 9b135fe0
Object: 9b135fe0 Type: (86c39710) Process
ObjectHeader: 9b135fc8 (new version)
HandleCount: 0 PointerCount: 0
1: kd> dt _KPROCESS -b 9b135fe0
nt!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x000 Type : 0x63 'c'
+0x001 TimerControlFlags : 0x39 '9'
+0x001 Absolute : 0y1
+0x001 Coalescable : 0y0
+0x001 KeepShifting : 0y0
+0x001 EncodedTolerableDelay : 0y00111 (0x7)
+0x001 Abandoned : 0x39 '9'
+0x001 Signalling : 0x39 '9'
+0x002 ThreadControlFlags : 0x92 ''
+0x002 CpuThrottled : 0y0
+0x002 CycleProfiling : 0y1
+0x002 CounterProfiling : 0y0
+0x002 Reserved : 0y10010 (0x12)
+0x002 Hand : 0x92 ''
+0x002 Size : 0x92 ''
+0x003 TimerMiscFlags : 0x89 ''
+0x003 Index : 0y1
+0x003 Processor : 0y00100 (0x4)
+0x003 Inserted : 0y0
+0x003 Expired : 0y1
+0x003 DebugActive : 0x89 ''
+0x003 ActiveDR7 : 0y1
+0x003 Instrumented : 0y0
+0x003 Reserved2 : 0y0010
+0x003 UmsScheduled : 0y0
+0x003 UmsPrimary : 0y1
+0x003 DpcActive : 0x89 ''
+0x000 Lock : 0n-1986905757
+0x004 SignalState : 0n-2032108432
+0x008 WaitListHead : _LIST_ENTRY [ 0x8a1566c0 - 0x4690 ]
+0x000 Flink : 0x8a1566c0
+0x004 Blink : 0x00004690
+0x010 ProfileListHead : _LIST_ENTRY [ 0x469f - 0x84000007 ]
+0x000 Flink : 0x0000469f
+0x004 Blink : 0x84000007
+0x018 DirectoryTableBase : 0
+0x01c LdtDescriptor : _KGDTENTRY
+0x000 LimitLow : 0
+0x002 BaseLow : 0
+0x004 HighWord : <unnamed-tag>
+0x000 Bytes : <unnamed-tag>
+0x000 BaseMid : ??
+0x001 Flags1 : ??
+0x002 Flags2 : ??
+0x003 BaseHi : ??
+0x000 Bits : <unnamed-tag>
+0x000 BaseMid : ??
+0x000 Type : ??
+0x000 Dpl : ??
+0x000 Pres : ??
+0x000 LimitHi : ??
+0x000 Sys : ??
+0x000 Reserved_0 : ??
+0x000 Default_Big : ??
+0x000 Granularity : ??
+0x000 BaseHi : ??
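As an added example (not from the post above or from RKU itself), a small Python checker that parses the !pool and dt _KPROCESS output pasted above and lists why the dumped address does not look like a live process object. The expected DISPATCHER_HEADER.Type of 3 (ProcessObject) and the Proc pool tag are assumptions taken from Windows internals, not from the post.

```python
import re

# Constructed sample: the !pool and "dt _KPROCESS -b" lines from the post above,
# abbreviated to the fields this check actually looks at.
KD_DUMP = """\
1: kd> !pool 9b135fe0
*9b135fd8 size: 28 previous size: c8 (Allocated) *VadS
1: kd> dt _KPROCESS -b 9b135fe0
nt!_KPROCESS
+0x000 Header : _DISPATCHER_HEADER
+0x000 Type : 0x63 'c'
+0x004 SignalState : 0n-2032108432
+0x018 DirectoryTableBase : 0
"""

PROCESS_OBJECT = 3          # assumed: KOBJECTS.ProcessObject in DISPATCHER_HEADER.Type
PROCESS_POOL_TAG = "Proc"   # assumed: pool tag carried by EPROCESS allocations

POOL_RE = re.compile(r"^\*([0-9a-f]+)\s+size:\s+([0-9a-f]+).*\*(\w+)\s*$")
FIELD_RE = re.compile(r"^\+0x([0-9a-f]+)\s+(\w+)\s*:\s*(.+?)\s*$")

def parse_dump(text):
    """Return (pool_info, fields); fields maps the first occurrence of each name to its raw value."""
    pool = None
    fields = {}
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            pool = {"block": int(m.group(1), 16), "size": int(m.group(2), 16), "tag": m.group(3)}
            continue
        m = FIELD_RE.match(line)
        if m and m.group(2) not in fields:   # first "Type" is the dispatcher header's, not a nested one
            fields[m.group(2)] = m.group(3)
    return pool, fields

def check_process_object(text):
    """Return a list of reasons the dumped address does not look like a real process."""
    pool, fields = parse_dump(text)
    problems = []
    if pool and pool["tag"] != PROCESS_POOL_TAG:
        problems.append(f"pool tag {pool['tag']!r}, expected {PROCESS_POOL_TAG!r}")
    if pool and pool["size"] < 0x100:
        problems.append(f"pool block size 0x{pool['size']:x} is smaller than any EPROCESS")
    type_val = fields.get("Type")
    if type_val is not None:
        t = int(type_val.split()[0], 16)
        if t != PROCESS_OBJECT:
            problems.append(f"DISPATCHER_HEADER.Type 0x{t:x}, expected 0x{PROCESS_OBJECT:x}")
    dtb = fields.get("DirectoryTableBase")
    if dtb is not None and int(dtb, 0) == 0:
        problems.append("DirectoryTableBase is 0 (no page directory)")
    return problems
```

Run against the pasted dump it reports all four inconsistencies, i.e. the pointer lands in a VadS allocation rather than a process object.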
 #4360  by EP_X0FF
 Sat Jan 08, 2011 3:19 pm
Hello,

do you have any security software installed?

Regards.
 #4367  by m_univ
 Sat Jan 08, 2011 4:53 pm
With OA disabled RKU is starting. I sent a report from RKU; it says !POSSIBLE ROOTKIT ACTIVITY DETECTED! Could you please look at that?
Regards.
 #4368  by EP_X0FF
 Sat Jan 08, 2011 5:00 pm
With these commercial rootkits installed any antirootkit log is quite useless.
 #4742  by EP_X0FF
 Wed Jan 26, 2011 12:15 pm
version 3.8 LE build 389/592 Service Release 2
build date 28.01.2011

for changelog see help file version history

Installer file hashes

MD5 for RkU3.8.389.592.exe
e367b0c9d8be3cea698cef9bdaf0ec24

SHA-512 for RkU3.8.389.592.exe
4d970543c442e512f85014df7c72ea36fddb8e4f4685f2ec45bf16a75a1abb313ea07aca92e0448032651774fc3109fcd847064b91b1dc7657db8002d16b921c

Standalone exe

MD5
ea6335d82e3067c7f70ca0c6d06a2d0e

SHA-512
818d8b725216a9ab5121c5c555057016b99b47bf3ab9d73b294605090dccc159581f64d4a9137f83c116edf22f9091099d8045ed3bc6399329304c1035e6d502

Important:
Use a random name for the RKU installation directory to counteract
sophisticated malware.

:WARNING:
To avoid possible problems do not start RKU together with other antirootkits.

There is only unofficial support of this tool available.
This means it may take me a long time to respond to your bug report/question (if I respond at all).

Language dll wasn't changed.

This update speeds up ILHA, fixes some minor bugs related to compatibility with 3rd party software and improves Windows 2003 support.
Last edited by EP_X0FF on Sat Feb 26, 2011 7:41 am, edited 3 times in total. Reason: attach removed, because it's out-dated
 #4757  by STRELiTZIA
 Thu Jan 27, 2011 10:35 am
Hi EP,
Thanks for update...
Exception code : 0xC0000005
Instruction address : 0x00440095
Attempt to read at address : 0x06240CD8
RkU Crashes: (Win XP SP3 + Win 7)
1- Drivers list tab.
2- Speed double click and more (Scan button)

Flash movie attached.

Regards.