RkUnhooker 3.8 SR2 public beta test

Posted: Sun Mar 14, 2010 6:13 am
by EP_X0FF
Hello everyone,

Here is a beta version of the next RkU LE public build. It will be a cumulative update (SR2) containing all previously applied bugfixes,
improvements and additions. However, it is still a public LE version, so do not expect anything extraordinary from it :)
Important note: since SR2 Windows 2000 support is fully dropped.

This is not a release. Some features may be altered or unavailable in the release version.
You use this tool at your own risk.

changelog:
added: unlinked DLLs detection
added: little fix for drivers scan
added: callgates detector, GDT/LDT modifications (thanks to Dreg)
added: Exclude .NET modules option to reduce f/p at stealth code page
updated: internal service executable
updated: report generator has been rewritten (ported from VX version)
improved: stealth code detection (thanks Alex)
fixed: multiple bugs in multiprocessor environments
fixed: incompatibilities with some 3rd party software
fixed: some application and driver bugs
fixed: vulnerability reported by Fyyre
important: since this version Windows 2000 support is fully dropped

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Mon Mar 15, 2010 1:09 am
by yanxizhen
:lol:
nice work!!!!

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Mon Mar 15, 2010 4:17 am
by kmd
thanks :)

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Mon Mar 15, 2010 5:19 pm
by Twister
Another false-positive actuation on the "Stealth code" tab:
I have two imageres.dll in my Explorer.exe, one of them RkU shows as hidden.

Also I have a deadlock when pressing File->QuickReport->Save Info from current page (not for the first time, you know ;) )

PS. Win7

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Mon Mar 15, 2010 5:23 pm
by EP_X0FF
Thanks for the bug report. Perhaps related to the new self-protection. Needs more debugging :)

Deadlock confirmed and reproduced. Will be fixed in the next update.

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Mar 17, 2010 5:11 am
by liangtong
Exception occurred when scanning user mode hooks on Win7.
Exception code : 0xC0000005
Instruction address : 0x0042EF3E
Attempt to read at address : 0x0000003C

And viewing process properties may cause deadlock.

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Mar 17, 2010 6:26 am
by EP_X0FF
Thank you.

Can you please reproduce this deadlock also on Vista if you have it? :)
And another deadlock, mentioned by Twister? I'm testing a fix for this right now.

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Mar 17, 2010 8:18 am
by liangtong
Hi EP,
I've no Vista environment to test the build. :oops:

I just ran it on my VM (XP) and it got a BSOD when scanning stealth code (minidump is included in the attachment).

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Mar 17, 2010 1:44 pm
by EP_X0FF
Thanks for the report.

This is caused by the callgates detector. More debugging required :)

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Mar 17, 2010 3:44 pm
by Twister
The deadlock on Win7 isn't present anymore. :)