A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #5541  by sergey ulasen
 Fri Mar 18, 2011 12:06 pm
Meriadoc wrote:No to both.
Ok.
Meriadoc wrote:So far this happened x2 after interrupting half way through file system scan.
Did you interrupt scanning in Low-Level Disk Access Tool or scanning in the main window ? Sorry, it was not very clear for me. Could you please give me more details ?
 #5544  by Meriadoc
 Fri Mar 18, 2011 3:59 pm
sergey ulasen wrote:Did you interrupt scanning in Low-Level Disk Access Tool or scanning in the main window ? Sorry, it was not very clear for me. Could you please give me more details ?
Scanning in the main window. Seems to be intermittent but only after using vba ark and so far only happening when interrupting - but I will see what happens after more tries.

I also notice after using the ark explorer gets really sluggish but all symptoms are gone after re-boot.
 #5551  by sergey ulasen
 Fri Mar 18, 2011 7:10 pm
STRELiTZIA wrote:Hi,
Vba32 Dedicated Desktop option, BSoD when I resize VMWare screen...

Flash movie attached.
STRELiTZIA, thanks for your interest!

This bug is connected with Vba32 Defender mode. It's a default mode on the dedicated desktop.
Vba32 Defender blocks driver's loading and process's launching. When you resize VMWare's screen antirootkit blocks video driver and it causes BSOD.

I think we was in a hurry when this mode was being set up on default... :?
 #5590  by sergey ulasen
 Tue Mar 22, 2011 12:38 pm
STRELiTZIA wrote:2- It crashes after test machine infection (Trojan.Win32.VBKrypt).
Sorry for delay...

This sample hijacks functions NtTerminateThread and NtTerminateProcess in ntdll.dll. In addition, the malware doesn't clean stack (it uses c3 opcode instead of c2 opcode). It's a reason of fail. We don't want to realize now something like a workaround because we are going to develop good-quality solution in one of the next version.

Thanks!
 #6048  by sergey ulasen
 Tue Apr 26, 2011 11:09 am
Hiya!

Vba32 AntiRootkit 3.12.5.3 beta build 222:

Download link: http://anti-virus.by/en/beta.shtml
Change list:

+ Listing filesystem minifilters
+ Operations on filesystem minifilters ( Unload, Unregister )


FileSystem Minifilters window (and table in the report) has been added. User can find there information about filesystem drivers-minifilters. Also there are available two operations: Unload and Unregister. These operations are used to unload minifilter from memory. But Unregister is less safety and can cause to BSOD.

+ Listing kernel devices ( Kernel Device Stack )

Kernel Device Stack window (and table in the report) has been added. The window displays kernel device stacks. Because of this user can analyze what kind of stack malware uses.
devices.png
devices.png (59.48 KiB) Viewed 686 times
There are no any operations with objects in Kernel Device Stack yet. It's planned on the future.

+ View/delete for FsRtlRegisterFileSystemFilterCallbacks notificators

It can be helpful.

+ Detection of DriverInit, DriverStartIo, DriverUnload hooks

It can be useful to detect some versions of TDL.

+ Detection and restoration of hooks in Object Functions ( ObjectType hooks )
+ Object type hijack detection for drivers and devices


Not very widespread type of hooking (in view of complexity) but looks like malware and some sort of security software use them.

+ Operation with opened handles ( CloseHandle )

Very useful function! It's available from the Process Manager window inside the Handles tab.

+ Terminating status in the time of Process Manager closing

Closing of the Process Manager window looks more clearly now.

* Fixed nonworking checkboxes in html-report ( in FireFox )

Sorry for FF users because we haven't supported you for 1.5 monthes. But now it's fixed.

* Focus from "YES" button was moved to "NO" button in the dedicated desktop request message

As I wrote early the antirootkit had some problems in the dedicated desktop mode. We have removed this mode by default. In the future, of course, the problem will be solved more radical way.

* Fixed GUI crash on infected with Trojan.Win32.VBKrypt machines
* Overall work robustness of antirootkit was improved


We have spent most of our developing time to increase stability of the application. We have fixed most known bugs that lead to BSODs or hangs.
Special thanks to STRELiTZIA for bug with Trojan.Win32.VBKrypt.

* Help in Russian was improved

Remind you our e-mail: arkit@anti-virus.by.

And thanks to everybody who sent us feature requests, errors and dumps. Your attention is very important to us!
 #6093  by STRELiTZIA
 Fri Apr 29, 2011 7:55 pm
Hi,
Speed tests: Windows Xp SP3 (Updated)
1- BSoD:
(INVALID_KERNEL_HANDLE)
Process Manager... Select, Explorer.exe --> Handles -->> KEY : \REGISTRY\MACHINE --> Close handle.

2- System Hang:
2-1- performs registry attack:
Code: Select all
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\VIDEO]
"MaxObjectNumber"=dword:99999999
2-2- Try to launch Vba32arkit.exe

Edit:
3- System restarts:
Try to launch Vba32arkit.exe when Shadow Defender in Shadow Mode.

Regards.
 #6161  by sergey ulasen
 Mon May 02, 2011 5:04 pm
To STRELiTZIA:

Sorry for delay. We are having a big holiday (4 days :roll: ) here now.

All your cases are reproduced.

I'll be able to answer in details some days later.

Thanks!
 #6209  by sergey ulasen
 Thu May 05, 2011 5:35 pm
STRELiTZIA wrote:Hi,
Speed tests: Windows Xp SP3 (Updated)
1- BSoD:
(INVALID_KERNEL_HANDLE)
Process Manager... Select, Explorer.exe --> Handles -->> KEY : \REGISTRY\MACHINE --> Close handle.
This problem was fixed. Update will be in public with next beta version.

Thanks.

Other issues are being analyzed.
 #6312  by sergey ulasen
 Fri May 13, 2011 2:37 pm
Hi,
STRELiTZIA wrote:2- System Hang:
2-1- performs registry attack:
Code: Select all
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\VIDEO]
"MaxObjectNumber"=dword:99999999
2-2- Try to launch Vba32arkit.exe.
It seems that this key/value has nothing to do with antirootkit's work.

But in theory it can be used by malware to block the antirootkit. Therefore it should be included to self-protection.

If you have more facts about this key/value, could you please share them with me.

Thanks!