How does PCHunter enumerate ports?

#29162 by myid
Thu Sep 01, 2016 6:03 pm

Hi, I want to know how does PCHunter enumerate ports. I try these ways to test, all failed:
1.Hook IRP_MJ_DEVICE_CONTROL of TCPIP.SYS(NT5) or TDX.SYS(NT6).
2.Hook IRP_MJ_DEVICE_CONTROL of TCPIP.SYS(NT5) or TDX.SYS(NT6), delete TCPIP.SYS(NT5) or TDX.SYS(NT6) to prevent PCHunter get original address.
3.Hook NETIO!NsiGetAllParametersEx and NETIO!NsiGetParameterEx, return STATUS_UNSUCCESSFUL (test on NT6).
All these ways can bypass NETSTAT.EXE, but no effect for PCHunter.

Username

myid

Posts

157

Joined

Sat Jun 09, 2012 2:54 am

Re: How does PCHunter enumerate ports?

#29163 by EP_X0FF
Fri Sep 02, 2016 5:17 am

Maybe it is locating TCB Table in nonpaged memory, something similar to various forensic tools like volatility etc.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: How does PCHunter enumerate ports?

#29166 by myid
Fri Sep 02, 2016 10:49 am

EP_X0FF wrote:Maybe it is locating TCB Table in nonpaged memory, something similar to various forensic tools like volatility etc.

What is "TCB Table"? Could you give me a name? I want to explore it by WINDBG.

Username

myid

Posts

157

Joined

Sat Jun 09, 2012 2:54 am

Re: How does PCHunter enumerate ports?

#29169 by EP_X0FF
Fri Sep 02, 2016 1:52 pm

http://mnin.blogspot.ru/2011/03/volatil ... odule.html

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: How does PCHunter enumerate ports?

#29174 by myid
Sat Sep 03, 2016 3:28 am

EP_X0FF wrote:http://mnin.blogspot.ru/2011/03/volatil ... odule.html

Thank you.

Username

myid

Posts

157

Joined

Sat Jun 09, 2012 2:54 am