Internals of file integrity checking

Brock
Posts: 204
Joined: Wed Apr 28, 2010 3:13 am
Location: Valparaiso, Florida USA

Re: Internals of file integrity checking

Post by Brock » Wed May 18, 2016 10:01 pm

@evelyette,

Have you tried running something like Rohitab's API Monitor on SFC.exe and SysInspector.exe? You might try doing this in order to track down dynamic API calls.

http://www.rohitab.com/apimonitor


Best Regards,
Brock
Accept nothing less than STATUS_SUCCESS

evelyette
Posts: 38
Joined: Thu Feb 21, 2013 5:51 pm

Re: Internals of file integrity checking

Post by evelyette » Sun May 22, 2016 9:25 am

Brock wrote: @evelyette,

Have you tried running something like Rohitab's API Monitor on SFC.exe and SysInspector.exe? You might try doing this in order to track down dynamic API calls.

http://www.rohitab.com/apimonitor


Best Regards,
Brock
Yeah, I'm using it constantly, it's a great application; however, it doesn't help me much in this case.
Vrtule wrote: Hello,

If I read your last post correctly, IE, when run under ESET's protected mode, is unable to load a custom DLL. Or does this happen only in case WinDbg is attached to the process? It seems to me that the problem lies within ESET's DLL (it may be a bug or feature, who knows). It would be best to reverse the relevant part of the DLL (the NtMapViewOfSection hook routine).
I think it's indeed a problem with NtMapViewOfSection - I've enabled the loader snaps and I'm getting the following:
06f4:0bd0 @ 38498578 - LdrpSearchPath - ENTER: DLL name: titan.dll DLL path: C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
06f4:0bd0 @ 38498578 - LdrpResolveFileName - ENTER: DLL name: C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpResolveFileName - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpResolveDllName - ENTER: DLL name: C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpResolveDllName - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpSearchPath - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpMapViewOfSection - ENTER: DLL name: C:\Windows\system32\titan.dll
ModLoad: 000007fe`f62e0000 000007fe`f642b000 C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpMapViewOfSection - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrpFindOrMapDll - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrpLoadDll - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrLoadDll - RETURN: Status: 0xc0000022
Notice that LdrpMapViewOfSection returns 0xc0000022, which seems to be an access denied error. But the process has access to the DLL, so there shouldn't be any problems there.
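A small parser for loader-snap output of the shape posted above, added here as an example (it is not code from the thread or from any of the tools mentioned): it walks the ENTER/RETURN lines, decodes the NTSTATUS of the first failing RETURN, lists the outer loader calls that merely propagated that status, and records whether the debugger had already printed a ModLoad for the DLL before the failure came back. The NTSTATUS name table is a short hand-picked subset; the sample input copies the lines from the post, with the search path shortened.

```python
import re
from typing import Dict, List, Optional

# Hand-picked subset of well-known NTSTATUS values (assumption: enough for this log).
NTSTATUS_NAMES: Dict[int, str] = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000007B: "STATUS_INVALID_IMAGE_FORMAT",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000428: "STATUS_INVALID_IMAGE_HASH",
}

# Loader-snap lines as posted in the thread (search path shortened).
SAMPLE_SNAPS = r"""
06f4:0bd0 @ 38498578 - LdrpSearchPath - ENTER: DLL name: titan.dll DLL path: C:\Windows\system32;C:\Windows;.
06f4:0bd0 @ 38498578 - LdrpResolveFileName - ENTER: DLL name: C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpResolveFileName - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpResolveDllName - ENTER: DLL name: C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpResolveDllName - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpSearchPath - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpMapViewOfSection - ENTER: DLL name: C:\Windows\system32\titan.dll
ModLoad: 000007fe`f62e0000 000007fe`f642b000 C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpMapViewOfSection - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrpFindOrMapDll - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrpLoadDll - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrLoadDll - RETURN: Status: 0xc0000022
"""

# "<pid>:<tid> @ <tick> - <function> - ENTER|RETURN: <rest>"
SNAP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]+):(?P<tid>[0-9a-f]+) @ \d+ - (?P<func>\w+) - "
    r"(?P<kind>ENTER|RETURN): (?P<rest>.*)$"
)
DLL_RE = re.compile(r"DLL name: (\S+)")
STATUS_RE = re.compile(r"Status: 0x([0-9a-fA-F]{8})")
MODLOAD_RE = re.compile(r"^ModLoad: \S+ \S+ (?P<path>.+)$")


def is_error(status: int) -> bool:
    """NTSTATUS severity lives in the top two bits; 0b11 means error."""
    return (status >> 30) == 0b11


def status_name(status: int) -> str:
    return NTSTATUS_NAMES.get(status, f"0x{status:08X} (unknown)")


def analyze(text: str) -> Optional[dict]:
    """Return a summary of the first failing RETURN, or None if nothing failed."""
    last_dll: Optional[str] = None      # DLL named by the most recent ENTER
    mapped: List[str] = []              # paths the debugger reported as ModLoad
    origin: Optional[dict] = None       # innermost call that first returned an error
    propagated: List[str] = []          # outer calls that returned the same failure
    for line in text.splitlines():
        m = MODLOAD_RE.match(line)
        if m:
            mapped.append(m.group("path"))
            continue
        m = SNAP_RE.match(line)
        if not m:
            continue
        func, kind, rest = m.group("func"), m.group("kind"), m.group("rest")
        if kind == "ENTER":
            d = DLL_RE.search(rest)
            if d:
                last_dll = d.group(1)
            continue
        s = STATUS_RE.search(rest)
        if not s:
            continue
        status = int(s.group(1), 16)
        if not is_error(status):
            continue
        if origin is None:
            origin = {
                "function": func,
                "status": status,
                "name": status_name(status),
                "dll": last_dll,
                # True when a ModLoad for this DLL preceded the failing RETURN
                "mapped_before_failure": last_dll in mapped,
            }
        else:
            propagated.append(func)
    if origin is None:
        return None
    origin["propagated_through"] = propagated
    return origin


if __name__ == "__main__":
    result = analyze(SAMPLE_SNAPS)
    if result is None:
        print("no failing loader call found")
    else:
        print(f"{result['function']} failed with {result['name']} for {result['dll']}")
        print(f"mapped before failure: {result['mapped_before_failure']}")
        print("propagated through: " + ", ".join(result["propagated_through"]))
```

Run against the posted lines it reports LdrpMapViewOfSection as the origin with STATUS_ACCESS_DENIED, the three outer Ldr calls as pure propagation, and that a ModLoad for titan.dll had already been printed before the failing status came back, which is the detail worth checking first when a hook in the mapping path is suspected.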
