A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #5477  by sergey ulasen
 Tue Mar 15, 2011 5:01 pm
Hello folks!

I'm glad to offer you a new version of Vba32 AntiRootkit beta. Current build is 168.

Download link: http://anti-virus.by/en/beta.shtml

+ Process List window replaced with Process Manager. The amount of information shown has increased significantly

+ Listing anomalies for each process

+ Operations on processes ( Terminate, Terminate and Delete, Suspend / Resume, Dump )

+ Listing modules, including hidden

+ Operations on modules ( Unmap, Dump )

+ Listing threads, including hidden and anomaly

+ Operations on threads, including system threads ( Terminate, Suspend / Resume )

+ Listing handles

We've added the possibility of full-fledged work with the process list:

- process termination;
- process suspend and resume;
- process dump.

The process list can be displayed in tree and flat list formats. A great deal of helpful information is available there: PID, EPROCESS address, PEB address, etc. All columns in the table are optional and you can choose only the ones you need.

Vba32 AntiRootkit detects hidden and anomalous processes too.
[Attachment: manage_process.PNG]
Thread list:

- thread termination;
- thread suspend and resume.

All columns in the list are optional.

Hidden and anomalous threads are detected.
[Attachment: threads.PNG]
Module list:

- unmap in process;
- module dump.

Hidden and anomalous modules are detected.
[Attachment: modules.PNG]
Process Manager provides information about handles and interpretation of detected anomalies.

+ Listing unloaded kernel modules

These modules are shown with the "Unloaded modules" state.

+ Detection and restoration of hooks in the IAT ( for kernel modules )

A frequently used method of hijacking.

+ View/delete for Lego, SeFileSystem, LastChanceShutdown, Shutdown, BugCheckReason, FsRegistrationChange notificators

It can be helpful.

+ Network Tool window ( parsing of host and lmhost files, persistent routes, LSP providers )

+ Dedicated antirootkit desktop

A very useful feature in light of desktop blockers.

Attention: the feature is used together with Vba32 Defender, which blocks process and driver loading.

+ Full safe-mode support

+ Detection of revoked certificates

The appearance of Stuxnet has shown us that we can't unconditionally trust digital signatures. But it works only on an updated Windows or with an Internet connection.

+ Increased the number of checked autorun items ( Print Provider, Control Panel objects, Known DLLs, URLSearch IE, Toolbar IE, IE Extensions, etc. )

+ Support of Windows 7 SP1

It's a crucial issue.

* Search for hidden drivers was improved; detection of numerous anomalies added

* Increased low-level scanning speed

We have increased low-level speed roughly twofold.

* Fixed BSOD on highly fragmented NTFS volumes

* "Don't display items digitally signed" option replaced with "Don't display trusted items"

* HTML-report was improved

* Internal caching of scanning files was improved

It has increased speed too.

* Help in Russian was improved

Known problems:

- Process Manager sometimes hangs. Don't be scared :) It doesn't happen often. We are solving the problem;

- launching the antirootkit from the dedicated desktop can lead to a system deadlock on computers with some NVIDIA video cards. It doesn't happen often either;

- audio is sometimes lost. It's connected with Vba32 Defender mode. We are going to solve this problem in the future.

You can send your suggestions, wishes, dumps and other helpful information to arkit@anti-virus.by.

And we invite you to participate in beta testing.
 #5480  by Eric_71
 Tue Mar 15, 2011 6:44 pm

very nice BSOD ( tested twice, same result )

Windows XP Home Edition ( 5.1.2600 3.0 ) AMD Athlon™ 64

sorry, I can't give a dump from this computer
STOP: 0x0000008E (0xC0000005, 0xF7B44492, 0xAC1F3AC8, 0x00000000)
NTIDrvr.sys - Address base at F7B44492 F7B44000, DateStamp 41c8888a
NTIDrvr.sys -> NTI CD-ROM Filter Driver
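The STOP line above carries enough to start a triage without a dump: bug check 0x8E is KERNEL_MODE_EXCEPTION_NOT_HANDLED, its first parameter is the exception code (0xC0000005, an access violation), the second is the faulting address, and the module line gives the image base and PE link timestamp. The following is an added example, not code from the forum or from Vba32, that parses a STOP screen transcribed in exactly the format used in the post above (that "Address base at <addr> <base>" layout is an assumption taken from the post, not the standard XP wording) and turns it into the fields a defender would put in a bug report: bug check name, exception name, module+offset of the fault, and the module's link time.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample: the STOP text exactly as transcribed in the post above.
SAMPLE_STOP_TEXT = """\
STOP: 0x0000008E (0xC0000005, 0xF7B44492, 0xAC1F3AC8, 0x00000000)
NTIDrvr.sys - Address base at F7B44492 F7B44000, DateStamp 41c8888a
"""

# Well-known bug check codes (subset) and NTSTATUS exception codes (subset).
BUGCHECK_NAMES = {
    0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
}
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0x80000003: "STATUS_BREAKPOINT",
}

STOP_RE = re.compile(
    r"STOP:\s*0x([0-9A-Fa-f]{8})\s*\("
    r"\s*0x([0-9A-Fa-f]{8})\s*,\s*0x([0-9A-Fa-f]{8})\s*,"
    r"\s*0x([0-9A-Fa-f]{8})\s*,\s*0x([0-9A-Fa-f]{8})\s*\)"
)
# Module line in the form used in the post (assumed layout):
#   "<name> - Address base at <addr> <base>, DateStamp <hex>"
MODULE_RE = re.compile(
    r"^(?P<name>\S+)\s+-\s+Address base at\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<base>[0-9A-Fa-f]{8}),\s*DateStamp\s+(?P<stamp>[0-9A-Fa-f]{8})",
    re.MULTILINE,
)


@dataclass
class StopInfo:
    code: int
    params: Tuple[int, int, int, int]
    module: Optional[str] = None
    module_base: Optional[int] = None
    link_stamp: Optional[int] = None  # PE TimeDateStamp: seconds since the Unix epoch

    @property
    def code_name(self) -> str:
        return BUGCHECK_NAMES.get(self.code, "UNKNOWN_BUGCHECK")

    @property
    def link_time(self) -> Optional[datetime]:
        if self.link_stamp is None:
            return None
        return datetime.fromtimestamp(self.link_stamp, tz=timezone.utc)


def parse_stop(text: str) -> StopInfo:
    """Parse a transcribed STOP screen; raises ValueError when no STOP line is present."""
    m = STOP_RE.search(text)
    if not m:
        raise ValueError("no STOP line found")
    code, *params = (int(x, 16) for x in m.groups())
    info = StopInfo(code=code, params=tuple(params))
    mod = MODULE_RE.search(text)
    if mod:
        info.module = mod.group("name")
        info.module_base = int(mod.group("base"), 16)
        info.link_stamp = int(mod.group("stamp"), 16)
    return info


def fault_offset(info: StopInfo) -> Optional[int]:
    """Offset of the faulting address into the named module.

    For 0x8E and 0x7E the parameters are (exception code, faulting address,
    trap frame / context record, 0), so parameter 2 is the address to locate.
    """
    if info.code not in (0x8E, 0x7E) or info.module_base is None:
        return None
    addr = info.params[1]
    if addr < info.module_base:
        return None  # address lies below the module base: the transcript pairs them wrongly
    return addr - info.module_base


def triage(info: StopInfo) -> list:
    """Human-readable triage lines for a bug report."""
    lines = [f"bug check 0x{info.code:08X} ({info.code_name})"]
    if info.code in (0x8E, 0x7E):
        exc = info.params[0]
        lines.append(
            f"exception 0x{exc:08X} ({NTSTATUS_NAMES.get(exc, 'unknown NTSTATUS')})"
            f" at 0x{info.params[1]:08X}"
        )
    if info.module:
        lines.append(f"module {info.module} base 0x{info.module_base:08X}")
        off = fault_offset(info)
        if off is not None:
            lines.append(f"fault at {info.module}+0x{off:X}")
        if info.link_time:
            lines.append(f"module link time {info.link_time:%Y-%m-%d %H:%M:%S} UTC")
    return lines


if __name__ == "__main__":
    for line in triage(parse_stop(SAMPLE_STOP_TEXT)):
        print(line)
```

For the sample this yields NTIDrvr.sys+0x492 as the faulting location and a link time in December 2004, which is the kind of detail that lets a vendor match the report against a specific filter-driver build even when no memory dump is available.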
 #5529  by Meriadoc
 Thu Mar 17, 2011 3:49 pm
Hi Sergey, if I interrupt a scan I lose my sound. I get a status message of:
Windows cannot load the device driver for this hardware because a previous instance of the device driver is still in memory. (Code 38)
for Microsoft Kernel Wave Audio Mixer Device, which normally doesn't show in dm

Also I noticed that some program windows don't show until after some time. For example, start Process Explorer straight after interrupting Vba ark: the PE window won't show; end the process and start PE again and it works ok.

So far this has happened twice after interrupting halfway through the file system scan.

Windows XP SP3
 #5531  by STRELiTZIA
 Thu Mar 17, 2011 5:19 pm
Very fast tests... :arrow:
1- It refuses to run and displays an error message when I change the path after first launch.
2- It crashes after test machine infection (Trojan.Win32.VBKrypt).

Flash movie and malware attached.

archive password: malware
 #5532  by Meriadoc
 Thu Mar 17, 2011 5:46 pm
sergey ulasen wrote: Meriadoc, did you use the dedicated desktop or Vba32 Defender?
No to both.
 #5540  by sergey ulasen
 Fri Mar 18, 2011 11:51 am
STRELiTZIA wrote: 1- It refuses to run and displays an error message when I change the path after first launch.
After loading, the antirootkit's driver checks the integrity of the calling application. This helps prevent malware from using the driver. The driver uses low-level disk access. Renaming a file or directory, when tunneling occurs, can cause a mismatch between the file system cache and the disk contents. That causes the observed result. It's not a bug.

It's cool that you drew our attention to this effect ;)
STRELiTZIA wrote: 2- It crashes after test machine infection (Trojan.Win32.VBKrypt).
Need more time to analyze and check it...