Hi,
Regards.
Thanks. Try this one.Retested (Win XP SP3/Win7) --->> status fixed.
Regards.
A forum for reverse engineering, OS internals and malware analysis
Thanks for the updates and additions, working great here :)
Who controls the past controls the future
Who controls the present controls the past
Who controls the present controls the past
Thanks for tests and feedback. Minor fix will be released after NY.
Ring0 - the source of inspiration
RKUnhookerLE.rar
Standalone exe
(126.26 KiB) Downloaded 18 times
Running the one above on a Vista x32 system, runs a process without window, unable to kill proces itself. That last bit is probably by design I guess, but the no window bit... ?
RkU3.8.389.592.rar
RkUnhooker v3.8 SR2 25.12.2010
(619.84 KiB) Downloaded 39 times
Until I have time to reboot, I can install but not run this version because the other process is already running of course
Nope. Both run as a process in task manager or procexp, but 1 of the cores is being utilized 100% continuously by that process. It is not in the applications list and doesn't show a window to interact with. Previous versions worked. I installed threatfire on that system too (win vista ultimate x32) so will remove that first and try again.
Standalone exe
(126.26 KiB) Downloaded 18 times
Running the one above on a Vista x32 system, runs a process without window, unable to kill proces itself. That last bit is probably by design I guess, but the no window bit... ?
RkU3.8.389.592.rar
RkUnhooker v3.8 SR2 25.12.2010
(619.84 KiB) Downloaded 39 times
Until I have time to reboot, I can install but not run this version because the other process is already running of course
Nope. Both run as a process in task manager or procexp, but 1 of the cores is being utilized 100% continuously by that process. It is not in the applications list and doesn't show a window to interact with. Previous versions worked. I installed threatfire on that system too (win vista ultimate x32) so will remove that first and try again.
Every1is= wrote: I installed threatfire on that system too (win vista ultimate x32) so will remove that first and try again.Threatfire will always cause problems with most ARKs. Exit the Threatfire GUI and end the Threatfire Service before running.
This is caused by ThreatFire CreateRemoteThread hook.
Here is normal function
And that with ThreatFire.
RkU hooks CreateRemoteThread inside itself to provide self-protection compatibility with Win32 subsystem notification. It can't hook normally such destroyed code.
Perhaps I will add flag to command line to start without self-protection. However I would not recommend anyone use TF because of this perversion. It hooks numerous API in user mode (including ANSI/Unicode standalone hooks), so whole kernel32.dll is trashed.
Here is normal function
And that with ThreatFire.
RkU hooks CreateRemoteThread inside itself to provide self-protection compatibility with Win32 subsystem notification. It can't hook normally such destroyed code.
Perhaps I will add flag to command line to start without self-protection. However I would not recommend anyone use TF because of this perversion. It hooks numerous API in user mode (including ANSI/Unicode standalone hooks), so whole kernel32.dll is trashed.
Ring0 - the source of inspiration
Minidump attached.BSOD with stealth code scanning.
Last edited by EP_X0FF on Mon Jan 03, 2011 7:48 am, edited 1 time in total.
Reason: removed attach
Invalid memory referenced while reading from kernel space. Cannot be fixed right now because it is too specific - I don't know when this event occurred and what this routine is tried to read.
However if this bug appears continuously I need to know more details to reproduce it here.
However if this bug appears continuously I need to know more details to reproduce it here.
Ring0 - the source of inspiration
Minor update.
changelog:
fixed: STRELiTZIA discovered bugs (more of same kind)
fixed: ThreatFire caused bugs
changelog:
fixed: STRELiTZIA discovered bugs (more of same kind)
fixed: ThreatFire caused bugs
MD5 for RkU3.8.389.592.exe
9953e08a9669f70ffb1d1b3dca1c583f
SHA-512 for RkU3.8.389.592.exe
32b80bc8b4d49ef3f254f0e41a6897670c6eb93401fddb85985a226b98ee89b6
fc822a57628d416b54964d1ec40c68f8069ac532549aa5c1c2aeff7f60eab9b3
MD5 for RkUnhookerLE.exe
e74bfded61b0b9a97ff8077c8ba2aa41
SHA-512 for RkUnhookerLE.exe
0f08a78329f8224a81a25a8008e9caa17ccd4b4abdc986ccf407aa99d3899f98
bc51ec5e6ce84f93521ab2bcbf2eb7e56228352a68aad2953ff4850a1e79c952
Ring0 - the source of inspiration
Well,BSOD in stealth code scan cannot be reproduced 
.
.