Re: Internals of file integrity checking

Posted: Wed May 18, 2016 10:01 pm
by Brock
@evelyette,

Have you tried running something like Rohitab's API Monitor on SFC.exe and SysInspector.exe? You might try doing this in order to track down dynamic API calls.

http://www.rohitab.com/apimonitor


Best Regards,
Brock

Re: Internals of file integrity checking

Posted: Sun May 22, 2016 9:25 am
by evelyette
Brock wrote:
@evelyette,

Have you tried running something like Rohitab's API Monitor on SFC.exe and SysInspector.exe? You might try doing this in order to track down dynamic API calls.

http://www.rohitab.com/apimonitor


Best Regards,
Brock
Yeah, I'm using it constantly; it's a great application. However, it doesn't help me much in this case.
Vrtule wrote:
Hello,

If I read your last post correctly, IE, when run under ESET's protected mode, is unable to load a custom DLL. Or does this happen only in case WinDbg is attached to the process? It seems to me that the problem lies within ESET's DLL (it may be a bug or feature, who knows). It would be best to reverse the relevant part of the DLL (the NtMapViewOfSection hook routine).

I think it's indeed a problem with NtMapViewOfSection - I've enabled the loader snaps and I'm getting the following:
06f4:0bd0 @ 38498578 - LdrpSearchPath - ENTER: DLL name: titan.dll DLL path: C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
06f4:0bd0 @ 38498578 - LdrpResolveFileName - ENTER: DLL name: C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpResolveFileName - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpResolveDllName - ENTER: DLL name: C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpResolveDllName - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpSearchPath - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpMapViewOfSection - ENTER: DLL name: C:\Windows\system32\titan.dll
ModLoad: 000007fe`f62e0000 000007fe`f642b000 C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpMapViewOfSection - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrpFindOrMapDll - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrpLoadDll - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrLoadDll - RETURN: Status: 0xc0000022
Notice that LdrpMapViewOfSection returns 0xc0000022, which seems to be an access denied error. But the process has access to the DLL, so there shouldn't be any problems there.
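When reading loader-snap output like the excerpt above, the useful trick is to find the innermost routine whose RETURN first carries an error-class NTSTATUS, because every caller above it only propagates that status. The following script is an added example (not code from the thread or from any of the tools mentioned): it parses the snap lines, skips WinDbg's own ModLoad output, and reports the failing routine, the status name (a partial NTSTATUS table is assumed, not a full one) and the DLL the thread was loading.

```python
import re

# Loader-snap lines: "<pid>:<tid> @ <tick> - <Routine> - ENTER|RETURN: <details>".
SNAP_RE = re.compile(r"^(?P<pid>[0-9a-f]+):(?P<tid>[0-9a-f]+) @ \d+ - (?P<routine>\w+) - "
                     r"(?P<phase>ENTER|RETURN): (?P<rest>.*)$")
STATUS_RE = re.compile(r"Status: 0x([0-9a-fA-F]{8})")
DLL_RE = re.compile(r"DLL name: (\S+)")
# Partial NTSTATUS table, only codes relevant to DLL loading (assumption: not exhaustive).
NTSTATUS_NAMES = {0x00000000: "STATUS_SUCCESS", 0xC0000022: "STATUS_ACCESS_DENIED",
                  0xC0000135: "STATUS_DLL_NOT_FOUND"}

def is_error(status):
    """NTSTATUS severity is bits 31:30; 0b11 marks an error-class status."""
    return (status >> 30) == 3

def first_failure(lines):
    """Return the innermost routine that first returned an error status, plus the DLL it handled.
    ENTER lines record the DLL each thread is working on; the first error RETURN is the lowest
    layer that failed, since the callers above it only propagate that status."""
    current_dll = {}  # (pid, tid) -> last DLL name seen on an ENTER line for that thread
    for line in lines:
        m = SNAP_RE.match(line.strip())
        if not m:
            continue  # WinDbg 'ModLoad:' lines and other noise are not snap lines
        key = (m["pid"], m["tid"])
        if m["phase"] == "ENTER":
            d = DLL_RE.search(m["rest"])
            if d:
                current_dll[key] = d.group(1)
            continue
        s = STATUS_RE.search(m["rest"])
        status = int(s.group(1), 16) if s else 0
        if is_error(status):
            return {"routine": m["routine"], "status": status,
                    "name": NTSTATUS_NAMES.get(status, f"0x{status:08X}"),
                    "dll": current_dll.get(key)}
    return None

# Loader-snap excerpt from the post above (search path shortened), plus the WinDbg ModLoad line.
SAMPLE = r"""06f4:0bd0 @ 38498578 - LdrpSearchPath - ENTER: DLL name: titan.dll DLL path: C:\Windows\system32;.
06f4:0bd0 @ 38498578 - LdrpResolveFileName - ENTER: DLL name: C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpResolveFileName - RETURN: Status: 0x00000000
06f4:0bd0 @ 38498578 - LdrpMapViewOfSection - ENTER: DLL name: C:\Windows\system32\titan.dll
ModLoad: 000007fe`f62e0000 000007fe`f642b000 C:\Windows\system32\titan.dll
06f4:0bd0 @ 38498578 - LdrpMapViewOfSection - RETURN: Status: 0xc0000022
06f4:0bd0 @ 38498578 - LdrLoadDll - RETURN: Status: 0xc0000022""".splitlines()

if __name__ == "__main__":
    print(first_failure(SAMPLE))
```

On the excerpt it points at LdrpMapViewOfSection with STATUS_ACCESS_DENIED for titan.dll, which is exactly the layer where a hook on NtMapViewOfSection would be able to reject the mapping.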