[__Genius__]

Hi,
Basically I'm using Rootkit-Unhooker as my first Anti-Rootkit software, also beside Rku, Icesword & Gmer are great tools .
recently I was curious about terminating rku,
seems, there's no specific method for terminating RKU process ... ( regardless of that, it's possible but it's difficult :) ) . (Process Monitoring & such a like softwares could not termiate it ... )
I tried many tools with no success (Personally, I didn't try any programmatic solution till now) but I'm curious about this way ... .
It's interesting to note about other Anti-Rootkits (Kernel detective, Gmer, IceSword & many others) didn't use any self-protection mechanism & this is like a joke in case of a software in the field of system protection ...,These softwares could be terminated as simple as task manager could do this !
I want to get information about this technique (the technique that EP used in his software (RKU)) ... .
Any help & useful information would be appreciated .

thanks .

[EP_X0FF]

Hello,

previously RkU used splicing of several API functions. It was hard to support with each new version of NT kernel and it was completely unsafe.

Currently SR2 uses most stable known method - Kernel Objects Hooking + several additional methods.
Go to RkU -> Code Hooks tab, hold left SHIFT at keyboard and press Scan button in RkU, it will list you all it's own hooks.

There are still some ways to terminate it, but for common malware it is enough.

[Alex]

XueTr also implements some self defense techniques based on hooking many services - Killing XueTr from User Mode (oXueTb Poc). It is exactly as EP_X0FF said, RkU's and XueTr self defenses methods are enough for common malware. In both cases the weakest point of these tools is win32 subsystem (their GUIs), which allows to destroy/terminate their GUIs and/or processes.

Alex

[erick]

Hi, can someone please let me know what is the latest version of Rootkit Unhooker available, and where I can download it from?

Also, in regards to anti-termination technique, how does Rootkit Unhooker overcome against self termination injected code (ExitProcess) by the ZeroAccess/Max++ Rootkit? This rootkit allocates memory via ZwAllocateVirtualMemory and does a memcpy of self termination code which basically trashes the process stack and calls ExitProcess from within the target process. The injected code is running in the context of the target process and is scheduled to run by queuing kernel mode APC thread.

Regards,
Eric K.

[EP_X0FF]

Hi, can someone please let me know what is the latest version of Rootkit Unhooker available, and where I can download it from?

http://www.kernelmode.info/forum/viewto ... ?f=11&t=10

Also, in regards to anti-termination technique, how does Rootkit Unhooker overcome against self termination injected code (ExitProcess) by the ZeroAccess/Max++ Rootkit?

Public version nohow. Private has different self-protection and this rootkit can't terminate it.
If you have specific question or want to discuss ZAccess kill feature - create new thread in appreciate sub forum.

[lorddoskias]

Hi,
As a result of your discussion I downloaded RKU and listed it's hooks and something got my attention: the Process/Thread Object -> OpenProcedure . So I'm guessing this means it tinkers with ETHREAD/EPROCESS objects? If so - what exactly the does the OpenProcedure field (I'm assuming it is a field?) does? I tried looking up on several web sites which have description of the relative structures but I wasn't able to find such a field? Commons sense suggests it changes some function pointers - I'm just curious.

[Vrtule]

OpenProcedure is a function that is called when the new handle to the process is created. The function has right to block the creation, or (in newer versions of Windows) to silently change new handle access rights.

Address of this routine is not present in EPROCESS/ETHREAD structure. There might exist one such routine for every type of executive objects (process, threads, files, registry keys...). The address is stored in OBJECT_TYPE_INITIALIZER structure which is a part of OBJECT_TYPE structure. Every OBJECT_TYPE structure describes characteristics of one certain type of objects. Actually, this structure is executive object on its own – of type ObjectType.

[erick]

Public version nohow. Private has different self-protection and this rootkit can't terminate it.

Thanks for your reply "EP_X0FF". Is it possible to license your anti-rootkit technology? Specifically looking at RootkitUnhooker, RootRepeal capabilities to overcome malicious rootkits such as TDSS/TDL3/TDL4, Bootkit/Sinowal/MBR-rootkit, ZeroAccess/Max++ rootkit. Please let me know, or if I need to contact you off-list about this.

Regards,
Eric K.