A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4239  by EP_X0FF
 Mon Jan 03, 2011 8:13 am
Unfortunately, same here :( However, this does not mean that the problem does not exist.
 #4332  by STRELiTZIA
 Fri Jan 07, 2011 5:48 pm
Hi EP,
Code hooks tab.
I performed several user-mode hooks (inside the current process):
- TerminateProcess.
- TerminateThread.
- ...
- ...
- ...
These were successfully detected without problems, but the wintrust.dll WinVerifyTrust hook was not detected by RkU and GMER.
Successfully detected by XueTr.

Attached sample for tests.

Regards.
Attachments
 #4333  by EP_X0FF
 Fri Jan 07, 2011 5:56 pm
wintrust.dll is not a core system DLL; RkU does not check it, so there is nothing to fix.
 #4334  by STRELiTZIA
 Fri Jan 07, 2011 6:16 pm
EP_X0FF wrote: wintrust.dll is not a core system DLL; RkU does not check it, so there is nothing to fix.
I told myself that there is a good reason for RkU to ignore wintrust.dll.

Thanks Ep.

Regards
 #4343  by EP_X0FF
 Sat Jan 08, 2011 5:01 am
Implaer wrote: RkU Crash report
Thanks. When exactly did this crash occur? On startup?
 #4345  by Implaer
 Sat Jan 08, 2011 7:32 am
EP_X0FF wrote: Thanks. When exactly did this crash occur? On startup?
Yep, on startup. Maybe the problem is because of the large amount of RAM and PAE?
 #4346  by EP_X0FF
 Sat Jan 08, 2011 7:50 am
Does this one also fail?

Also, if possible, please attach your ntkrnlpa.exe file.
 #4347  by liangtong
 Sat Jan 08, 2011 9:02 am
Hi EP,
The BSOD bug reproduced using the latest build.

1: kd> .trap 0xffffffffb42b5a14
BlackBox+0x650c:
a92e450c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

ChildEBP RetAddr Args to Child
b42b59fc 84896638 00000000 9b136000 00000000 nt!MmAccessFault+0x106
b42b59fc a92e450c 00000000 9b136000 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ b42b5a14)
WARNING: Stack unwind information not available. Following frames may be wrong.
b42b5aa8 a92e2731 87153480 87157998 00000000 BlackBox+0x650c
b42b5b08 8488c4bc 87157998 87289dd8 87289dd8 BlackBox+0x4731

1: kd> dps esp
b42b5a88 050ef690
b42b5a8c 9b135fe0
b42b5a90 a92e1711 BlackBox+0x3711
b42b5a94 00000028
b42b5a98 00000000
b42b5a9c 87289dd8
b42b5aa0 00000028
b42b5aa4 00000028
b42b5aa8 b42b5b08
b42b5aac a92e2731 BlackBox+0x4731
b42b5ab0 87153480

1:kd> dt _irp -b 87289dd8
+0x020 CurrentStackLocation : 0x87289e48
1:kd>dt _io_stack_location -b 0x87289e48
+0x004 Parameters
+0x000 DeviceIoControl : <unnamed-tag>
+0x008 IoControlCode : 0x220443

1:kd> u a92e4501
BlackBox+0x6501:
a92e4501 57 push edi
a92e4502 56 push esi
a92e4503 8bf9 mov edi,ecx
a92e4505 8bf2 mov esi,edx
a92e4507 8bc8 mov ecx,eax
a92e4509 c1e902 shr ecx,2
a92e450c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

1: kd> db edx (Source to copy)
9b135fe0 63 39 92 89 70 7c e0 86-c0 66 15 8a 90 46 00 00 c9..p|...f...F..
9b135ff0 9f 46 00 00 07 00 00 84-00 00 00 00 00 00 00 00 .F..............
9b136000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
1: kd> db esi
9b136000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
1: kd> r eax(Size)
Last set context:
eax=00000028
1: kd> db edx+eax
9b136008 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
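An added example, not code from the thread or from RkU, that decodes the IoControlCode shown in the trace using the documented CTL_CODE field layout and checks the rep movs source range against the page boundary; the source address and size are the edx and eax values from the trap frame above, and the 4 KiB page size is an assumption.

```c
/* Added example, not from the thread: decode the IOCTL code and check
 * the copy range from the trap frame against the page boundary.
 * Values used below are taken from the debugger output in the post above. */
#include <stdint.h>
#include <stdio.h>

#define X86_PAGE_SIZE 0x1000u   /* assumption: 4 KiB pages */

/* Fields of a Windows I/O control code as laid out by the CTL_CODE macro:
 * bits 31..16 device type, 15..14 required access, 13..2 function, 1..0 method. */
struct ioctl_fields {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;   /* 3 == METHOD_NEITHER: driver receives raw caller pointers */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Number of bytes of [start, start+len) that lie in start's own page; any
 * remainder is in the next page, which in the trace (0x9b136000) was unmapped. */
uint32_t bytes_before_page_boundary(uint32_t start, uint32_t len)
{
    uint32_t room = X86_PAGE_SIZE - (start & (X86_PAGE_SIZE - 1));
    return len < room ? len : room;
}

int copy_crosses_page(uint32_t start, uint32_t len)
{
    return len > bytes_before_page_boundary(start, len);
}

int main(void)
{
    struct ioctl_fields f = decode_ioctl(0x220443);          /* IoControlCode from dt _io_stack_location */
    uint32_t src = 0x9b135fe0u, size = 0x28u;                /* edx and eax from the trap frame */
    printf("IOCTL 0x220443: type 0x%x access %u function 0x%x method %u\n",
           f.device_type, f.access, f.function, f.method);
    printf("copy of 0x%x bytes from 0x%08x: 0x%x bytes in page, crosses=%d, next page 0x%08x\n",
           size, src, bytes_before_page_boundary(src, size), copy_crosses_page(src, size),
           (src + size - 1) & ~(X86_PAGE_SIZE - 1));
    return 0;
}
```

The decode yields method 3 (METHOD_NEITHER), where the driver itself is responsible for validating caller-supplied pointers, and the range check shows only 0x20 of the 0x28 bytes lie before the unmapped page at 0x9b136000, matching where the fault was raised; the thread does not itself establish the root cause.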
 #4348  by Implaer
 Sat Jan 08, 2011 10:23 am
EP_X0FF wrote: Does this one also fail?

Also, if possible, please attach your ntkrnlpa.exe file.
No, this one works correctly; I haven't found any problems.
Attachments