A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #19222  by r3shl4k1sh
 Wed May 08, 2013 12:53 pm
I have run a GMER scan and it came back with a large output (as usual). I would like to know what steps you would take in analyzing such output.
My question isn't strictly about GMER but about almost any ARK tool I encounter: they are able to find hooks (inline, IAT ...), but without knowing the module name of where it points I am in the dark.

For example here is a bit from the output of GMER scan:
Code:
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] ntdll.dll!LdrLoadDll                                                    7C9163A3 5 Bytes  JMP 00BB0004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] ntdll.dll!LdrGetProcedureAddress                                        7C917E88 5 Bytes  JMP 00E80004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!VirtualProtectEx                                           7C801A61 5 Bytes  JMP 00F00004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!VirtualProtect                                             7C801AD4 5 Bytes  JMP 00EE0004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!LoadLibraryA                                               7C801D7B 5 Bytes  JMP 00DF0004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!GetStartupInfoA                                            7C801EF2 5 Bytes  JMP 00DB0004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!ReadProcessMemory                                          7C8021D0 5 Bytes  JMP 00F60004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!CreateProcessW                                             7C802336 5 Bytes  JMP 00E40004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!CreateProcessA                                             7C80236B 5 Bytes  JMP 00F20004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!GetProcAddress                                             7C80AE30 5 Bytes  JMP 00DD0004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!LoadLibraryW                                               7C80AEDB 5 Bytes  JMP 00E10004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!CreateRemoteThread                                         7C8104BC 5 Bytes  JMP 00F80004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!CreatePipe                                                 7C81D827 5 Bytes  JMP 00D90004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!OpenProcess                                                7C8309D1 5 Bytes  JMP 00F40004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!PeekNamedPipe                                              7C860817 5 Bytes  JMP 00D70004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!WinExec                                                    7C8623AD 5 Bytes  JMP 00EC0004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] kernel32.dll!LoadModule                                                 7C8624BE 5 Bytes  JMP 00E60004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] WS2_32.dll!select                                                       71AB30A8 5 Bytes  JMP 01070004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] WS2_32.dll!socket                                                       71AB4211 5 Bytes  JMP 01030004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] WS2_32.dll!bind                                                         71AB4480 5 Bytes  JMP 010B0004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] WS2_32.dll!send                                                         71AB4C27 5 Bytes  JMP 01050004 
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] WS2_32.dll!recv                                                         71AB676F 5 Bytes  JMP 01090004 
This isn't just on the WZQKPICK.EXE process but on 3 more processes, and from my experience ARK tools generate output like that regularly.

My question is: how should I proceed now in order to come to a conclusion? Maybe it is malware that causes the hooks, or maybe it is just the HIPS and DLP programs that caused those hooks. What do you do?
 #19223  by EP_X0FF
 Wed May 08, 2013 1:27 pm
How do you get WinZip to behave like above? Do you use any kind of security tools, like HIPS etc.?
 #19227  by r3shl4k1sh
 Wed May 08, 2013 6:39 pm
EP_X0FF wrote: How do you get WinZip to behave like above? Do you use any kind of security tools, like HIPS etc.?
Yes, I do have McAfee AV and DLP products installed on my computer, but how can I know that it is related to them (or any other legit software) and not to malicious software?
 #19233  by EP_X0FF
 Thu May 09, 2013 12:50 am
Dump the memory region this hook points to and look inside. Most likely it will be a call gate to a McAfee/DLP product DLL. I installed WinZip in a VM and it is free from hooks, so this behavior is externally caused.
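The procedure suggested above (take the JMP target GMER reports, follow the stub it points to, and see which module finally receives control) can be scripted. The following is an added example, not code from the thread or from GMER: it parses GMER inline-hook lines, decodes the x86 JMP encodings that hook trampolines typically use (E9 rel32, EB rel8, FF 25 [abs32]), walks the chain, and maps the final address to a module range. The two log lines are copied from the post above; everything else is constructed for the example: the memory contents at each address, the module base/size table, and the module name hipshook.dll, which is a hypothetical stand-in for a HIPS/DLP hook DLL. On a real system the bytes would come from a debugger, a process dump or GMER's own memory viewer, and the module list from the same process.

```python
import re
import struct

# GMER inline-hook line: ".text  <image>[<pid>] <module>!<export>  <addr> N Bytes  JMP <target>"
GMER_LINE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
)

def parse_gmer_hooks(text):
    """Return one dict per inline-hook line found in a GMER log."""
    hooks = []
    for line in text.splitlines():
        m = GMER_LINE.match(line.strip())
        if m:
            hooks.append({"image": m["image"], "pid": int(m["pid"]),
                          "symbol": m["module"] + "!" + m["export"],
                          "addr": int(m["addr"], 16), "size": int(m["size"]),
                          "target": int(m["target"], 16)})
    return hooks

class Memory:
    """Sparse page-granular stand-in for ReadProcessMemory, so the example runs offline."""
    def __init__(self):
        self.pages = {}
    def write(self, addr, data):
        base, off = addr & ~0xFFF, addr & 0xFFF
        page = self.pages.setdefault(base, bytearray(0x1000))
        page[off:off + len(data)] = data
    def read(self, addr, n):
        base, off = addr & ~0xFFF, addr & 0xFFF
        if base not in self.pages:
            raise ValueError(f"unmapped address {addr:08X}")
        return bytes(self.pages[base][off:off + n])

def jmp_rel32(src, dst):
    """Encode the 5-byte 'JMP rel32' an inline hook writes at src to land on dst."""
    return b"\xE9" + struct.pack("<I", (dst - (src + 5)) & 0xFFFFFFFF)

def follow_jmp_chain(read, addr, max_hops=8):
    """Decode JMP stubs starting at addr; return every address visited until real code."""
    chain = [addr]
    for _ in range(max_hops):
        op = read(addr, 6)
        if op[0] == 0xE9:                       # JMP rel32
            addr = (addr + 5 + struct.unpack_from("<i", op, 1)[0]) & 0xFFFFFFFF
        elif op[0] == 0xEB:                     # JMP rel8
            addr = (addr + 2 + struct.unpack_from("<b", op, 1)[0]) & 0xFFFFFFFF
        elif op[0] == 0xFF and op[1] == 0x25:   # JMP dword ptr [abs32]
            ptr = struct.unpack_from("<I", op, 2)[0]
            addr = struct.unpack_from("<I", read(ptr, 4))[0]
        else:
            break                               # not a jump: the handler starts here
        chain.append(addr)
    return chain

def resolve_module(addr, modules):
    """Name of the (name, base, size) entry containing addr, or None if no module owns it."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def triage(log_text, read, modules):
    """Per hook: the trampoline chain, whether GMER's target matches the decoded first hop,
    and the module that finally receives control (None = ends in unowned memory)."""
    out = []
    for h in parse_gmer_hooks(log_text):
        chain = follow_jmp_chain(read, h["addr"])
        out.append({"symbol": h["symbol"], "chain": chain,
                    "gmer_target_ok": len(chain) > 1 and chain[1] == h["target"],
                    "owner": resolve_module(chain[-1], modules)})
    return out

# Two lines from the thread's GMER output (the addresses are the real ones from the post).
SAMPLE_LOG = r"""
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] ntdll.dll!LdrLoadDll                                                    7C9163A3 5 Bytes  JMP 00BB0004
.text           C:\Program Files\WinZip\WZQKPICK.EXE[2144] ntdll.dll!LdrGetProcedureAddress                                        7C917E88 5 Bytes  JMP 00E80004
"""

# Constructed, hypothetical module layout; hipshook.dll stands in for a HIPS/DLP hook DLL.
MODULES = [("ntdll.dll", 0x7C900000, 0xB0000), ("kernel32.dll", 0x7C800000, 0xF6000),
           ("hipshook.dll", 0x10000000, 0x40000)]

mem = Memory()  # constructed memory contents, not a dump from the poster's machine
# LdrLoadDll -> private-memory stub -> JMP [abs] into hipshook.dll (the benign case)
mem.write(0x7C9163A3, jmp_rel32(0x7C9163A3, 0x00BB0004))
mem.write(0x00BB0004, b"\xFF\x25" + struct.pack("<I", 0x00BB0100))
mem.write(0x00BB0100, struct.pack("<I", 0x10001234))
mem.write(0x10001234, b"\x55\x8B\xEC")          # push ebp; mov ebp,esp: the real handler
# LdrGetProcedureAddress -> stub whose code stays in memory no module owns (investigate!)
mem.write(0x7C917E88, jmp_rel32(0x7C917E88, 0x00E80004))
mem.write(0x00E80004, b"\xEB\x3A")              # jmp short -> 0x00E80040
mem.write(0x00E80040, b"\x60\x9C")              # pushad; pushfd: handler lives in private memory

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, mem.read, MODULES):
        path = " -> ".join(f"{a:08X}" for a in r["chain"])
        print(f"{r['symbol']:<35} {path}  owner={r['owner']}  gmer_ok={r['gmer_target_ok']}")
```

A hook whose chain ends inside a signed, known security product DLL is almost always the HIPS/DLP case EP_X0FF describes; a chain that ends in memory no module owns (as in the second constructed entry) is what deserves a dump and a closer look, since a legitimate hook engine usually leaves only a short trampoline in private memory and does its work inside its DLL.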