RkUnhooker 3.8 SR2 public beta test - Page 15

Topic locked

Re: RkUnhooker 3.8 SR2 public beta test

#5013 by EP_X0FF
Fri Feb 11, 2011 1:54 pm

Flopik wrote:By the way if you want to remove false positive for ImageRes.dll hidden that appear in Win7, you can add a check for
(IAT) IMAGE_DATA_DIRECTORY.VirtualAddress and HeadNt.OptionalHeader32.AddressOfEntryPoint , they will be zero , a quick look at the PE header is interesting to detect loaded ressource DLLs

Sure, which ImageRes.dll issue you are referring? Normally it shouldn't list non executable images at all.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: RkUnhooker 3.8 SR2 public beta test

#5018 by Flopik
Fri Feb 11, 2011 9:01 pm

Hidden image imageres.dll , some other users here have the issue, the VAD flag is Image

Username

Flopik

Posts

47

Joined

Wed Sep 08, 2010 5:39 pm

Re: RkUnhooker 3.8 SR2 public beta test

#5133 by cornflake
Tue Feb 22, 2011 3:41 am

Hi thanks very much for your continuing work on RkU. I've downloaded the RkU standalone version from your January 26, 2011 post and verified the sha512 hash. It will not run on one of my Vista SP2 x86 computers. It does not appear to crash (I initially mistook another Rootkit program crash for RkU in my original post -- sorry about that!) but instead loads and then immediately terminates. I did rename the file to random letters and numbers but it still terminates. It says Initializing@ and then nothing happens. I can see in process explorer it terminates.

I have Avira, Sandboxie and Secunia PSI installed on this computer. I disabled Avira's Guard and Secunia's service but this doesn't help. I cannot disable Sandboxie at present.

Is this a known issue?

Thanks

Username

cornflake

Posts

3

Joined

Mon Feb 21, 2011 11:24 pm

Re: RkUnhooker 3.8 SR2 public beta test

#5144 by EP_X0FF
Wed Feb 23, 2011 10:36 am

Hi,

Is this a known issue?

No, I just tested with Windows XP SP3 + Avira Personal 9.0.13/10 + Secunia PSI + Sandboxie, everything work as expected.

What is your Avira version?

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: RkUnhooker 3.8 SR2 public beta test

#5148 by cornflake
Wed Feb 23, 2011 11:31 pm

EP_X0FF wrote:What is your Avira version?

It is Avira free AV product version 10.0.0.611. Attached is a screen capture with its detailed version information.
Also I have Sandboxie 3.52, Secunia PSI 2.0.0.1003. The other programs that have signed drivers on my computer are VMWare Workstation 7.1.3 build-324285, LatencyMon 200.31002, Paragon Drive Backup Pro 10. I have run RkU on other Vista SP2 x86 computers without a problem. Please let me know if there's anything I can do to help you track down the issue.

Attachments

Capture.PNG (28.84 KiB) Viewed 449 times

Username

cornflake

Posts

3

Joined

Mon Feb 21, 2011 11:24 pm

Re: RkUnhooker 3.8 SR2 public beta test

#5152 by EP_X0FF
Thu Feb 24, 2011 6:20 am

I've installed Avira Personal 10.0.611 on Vista SP2 and still found no problem.

Try running rku from console.
Create shortcut for rku.exe and add the following string to the path -console

e.g. c:\dir\rku.exe -console

in console type nohooks, press enter (this will disable self-protection that maybe causing this bug)
after this type start, press enter

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: RkUnhooker 3.8 SR2 public beta test

#5154 by gjf
Thu Feb 24, 2011 8:59 am

Actually I have to state that some hooks made by antivirus products really makes it impossible to work with subj.

If you try RkU with installed and (of course!) shutted down KIS 11.0.2.556 the whole system will hang so it would be necessary to perform cold reboot.

VirusInfo / Defendium / SafeZone Helpers Crew

Username

gjf

Posts

198

Joined

Mon Mar 15, 2010 10:23 am

Location

Where I lay my head is home

Contact

Re: RkUnhooker 3.8 SR2 public beta test

#5155 by EP_X0FF
Thu Feb 24, 2011 10:09 am

gjf wrote:If you try RkU with installed and (of course!) shutted down KIS 11.0.2.556 the whole system will hang so it would be necessary to perform cold reboot.

Works fine here. Default settings.
Anything specific to check in KIS?

RkU Version: 3.8.389.592, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtAdjustPrivilegesToken, Type: Address change 0x8058D0A1-->F8F4F5FA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtClose, Type: Address change 0x805678DD-->F8F4FEFE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtConnectPort, Type: Address change 0x805879EB-->F8F50D32 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateEvent, Type: Address change 0x8056D57A-->F8F5127C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateFile, Type: Address change 0x8056CDC0-->F8F501DA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8057065D-->F8F4E46A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateMutant, Type: Address change 0x80578037-->F8F51162 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateNamedPipeFile, Type: Address change 0x80583F3F-->F8F4F1E8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreatePort, Type: Address change 0x805975B1-->F8F51036 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateSection, Type: Address change 0x805652B3-->F8F4F390 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateSemaphore, Type: Address change 0x8057243B-->F8F5139C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x8058E63F-->F8F4FB86 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateWaitablePort, Type: Address change 0x805DB124-->F8F510CC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDebugActiveProcess, Type: Address change 0x8065B1CD-->F8F52A84 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x805952BE-->F8F4EA74 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x80592D50-->F8F4EE28 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeviceIoControlFile, Type: Address change 0x8058EFAD-->F8F5065C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDuplicateObject, Type: Address change 0x805715E0-->F8F53C90 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Address change 0x80570D64-->F8F4EF74 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtEnumerateValueKey, Type: Address change 0x8059066B-->F8F4F00C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtFsControlFile, Type: Address change 0x8057AAB5-->F8F5046A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x805A3AF1-->F8F52B76 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadKey, Type: Address change 0x805AED5D-->F8F4E446 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadKey2, Type: Address change 0x805AEB9A-->F8F4E458 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtMapViewOfSection, Type: Address change 0x80573B61-->F8F532DE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtNotifyChangeKey, Type: Address change 0x8058A68D-->F8F4F138 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenEvent, Type: Address change 0x8057DCDD-->F8F51312 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenFile, Type: Address change 0x8056CD5B-->F8F4FF80 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80568D59-->F8F4E62A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenMutant, Type: Address change 0x805780E5-->F8F511F2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x805717C7-->F8F4F836 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenSection, Type: Address change 0x80570FD7-->F8F53078 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenSemaphore, Type: Address change 0x8059EFC5-->F8F51432 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8058A1BD-->F8F4F728 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryKey, Type: Address change 0x80570A6D-->F8F4F0A4 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryMultipleValueKey, Type: Address change 0x8064E320-->F8F4ECDC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQuerySection, Type: Address change 0x8057D4CC-->F8F53618 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryValueKey, Type: Address change 0x8056A1F1-->F8F4E906 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueueApcThread, Type: Address change 0x8059108B-->F8F52F0A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRenameKey, Type: Address change 0x8064E79E-->F8F4EB96 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplaceKey, Type: Address change 0x8064F0FA-->F8F4DE80 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplyPort, Type: Address change 0x8057CCDA-->F8F51796 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplyWaitReceivePort, Type: Address change 0x8056B82E-->F8F5165C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRequestWaitReplyPort, Type: Address change 0x80576CE6-->F8F5281E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRestoreKey, Type: Address change 0x8064EC91-->F8F4E1F8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtResumeThread, Type: Address change 0x8058ECB2-->F8F53B32 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSaveKey, Type: Address change 0x8064ED92-->F8F4DE18 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSecureConnectPort, Type: Address change 0x8058F4DE-->F8F50A78 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetContextThread, Type: Address change 0x8062DCDF-->F8F4FDA2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetInformationToken, Type: Address change 0x805A86F0-->F8F520BE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetSecurityObject, Type: Address change 0x8059B19B-->F8F52D14 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetSystemInformation, Type: Address change 0x805A7BDD-->F8F53768 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80572889-->F8F4E780 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x8062F8C1-->F8F5385A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSuspendThread, Type: Address change 0x805E045E-->F8F53994 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSystemDebugControl, Type: Address change 0x80649CE3-->F8F529A8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805822E0-->F8F4F9D2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x8057B885-->F8F4F932 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtUnmapViewOfSection, Type: Address change 0x805736E6-->F8F534BC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8057E420-->F8F4FABC [C:\WINDOWS\system32\DRIVERS\klif.sys]
==============================================
>Shadow
==============================================
win32k.sys-->NtGdiBitBlt, Type: Address change 0xBF809FDF-->F8F6004C [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiMaskBlt, Type: Address change 0xBF838560-->F8F60122 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiPlgBlt, Type: Address change 0xBF9438F8-->F8F60192 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiStretchBlt, Type: Address change 0xBF873983-->F8F600B6 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0xBF8F4FC9-->F8F6071A [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserBuildHwndList, Type: Address change 0xBF835F21-->F8F601FA [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserFindWindowEx, Type: Address change 0xBF8B1369-->F8F5FE70 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0xBF84928E-->F8F5FC7E [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0xBF852720-->F8F5FF7E [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetKeyState, Type: Address change 0xBF820E6C-->F8F5FCCA [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserMessageCall, Type: Address change 0xBF80EE6B-->F8F5FDC2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserPostMessage, Type: Address change 0xBF8089B4-->F8F5FD16 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0xBF8B3D3D-->F8F5FD6A [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserRegisterRawInputDevices, Type: Address change 0xBF915BA7-->F8F5FF06 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSendInput, Type: Address change 0xBF8C31E7-->F8F5FE22 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetParent, Type: Address change 0xBF879695-->F8F605CC [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF8527E0-->F8F5FBC4 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0xBF8ED991-->F8F5FC1C [C:\WINDOWS\system32\DRIVERS\klif.sys]
==============================================
>Hooks
==============================================
fastfat.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF546790C-->F9270EB0 [kl1.sys]
ntoskrnl.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump 0x80512919-->F8F41FEC [klif.sys]
ntoskrnl.exe-->IoCreateDevice, Type: EAT modification 0x806837F4-->F9270EB0 [kl1.sys]
ntoskrnl.exe-->IoIsOperationSynchronous, Type: Inline - RelativeJump 0x804E875A-->F8F423C8 [klif.sys]
tcpip.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF8ED6408-->F9270EB0 [kl1.sys]
wanarp.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF9B6FC08-->F9270EB0 [kl1.sys]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: RkUnhooker 3.8 SR2 public beta test

#5156 by gjf
Thu Feb 24, 2011 10:41 am

Attached is my config file. You can import it, update KIS (I see your bases are outdated - it's OK, but what about patches? The actual version is 11.0.2.556 a.b.c.d), reboot and check if RkU will work.

Attachments

kis.zip

(479.06 KiB) Downloaded 26 times

VirusInfo / Defendium / SafeZone Helpers Crew

Username

gjf

Posts

198

Joined

Mon Mar 15, 2010 10:23 am

Location

Where I lay my head is home

Contact

Re: RkUnhooker 3.8 SR2 public beta test

#5157 by EP_X0FF
Thu Feb 24, 2011 1:13 pm

No changes, they works.
Described above deadlock can be caused by 3rd party software or hardware problem.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Topic locked

Options
155 posts
Page 15 of 16
Jump to page #

Previous
1
…
12
13
14
15
16
Next

Page 15 of 16
155 posts

Jump to page #

1
…
12
13
14
15
16