A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #908  by EP_X0FF
 Wed Apr 28, 2010 3:25 am
Looks strange :?
Cr4sh, can you provide the sample you used, please? In my test RootRepeal2 detects TDL3.
 #912  by Cr4sh
 Wed Apr 28, 2010 11:15 am
nullptr wrote:
STEALTH CODE
-------------------
System 0x816f78b4 - Hidden Code
System 0x816f7ac8 - Hidden Code [Driver: , IRP: IRP_MJ_CLEANUP
...
System 0x816f7ac8 - Hidden Code [Driver: , IRP: IRP_MJ_WRITE]
System 0xf9af4657 - Modified Entry Point [Driver: TermDD, Other Val: 0xf9af5214]
Looks to me like it detects tdl3 - TermDD.sys
Yes, but I mean detection of the infected driver (whose contents are replaced by the miniport hooks) during the file scan.
EP_X0FF wrote:
Looks strange :?
Cr4sh, can you provide the sample you used, please? In my test RootRepeal2 detects TDL3.
Sure (only Dr.Web and the remover from Norman detect this build).
pwd: malware
 #918  by ConanTheLibrarian
 Wed Apr 28, 2010 2:25 pm
I can confirm and back up cr4sh on this.

RR sees plenty of hidden code but nothing points to a driver or modified entry point.

%temp%\2.tmp is mentioned as a hidden module as well as a mysterious empty "hidden code". All others are IRP hidden codes.
 #919  by EP_X0FF
 Wed Apr 28, 2010 3:10 pm
Yes, I can confirm. The infected driver is atapi.sys; no proper detection.
 #931  by nullptr
 Thu Apr 29, 2010 3:28 am
InsaneKaos wrote:
RR will show the infected one. But only after a reboot.
I can confirm this, prior to reboot:
STEALTH CODE
-------------------
System 0x82ee28b4 - Hidden Code
System 0x82ee2ac8 - Hidden Code [Driver: , IRP: IRP_MJ_CLEANUP]
etc
Also with occasional reference to *.tmp

After reboot:
STEALTH CODE
-------------------
System 0x833028b4 - Hidden Code
System 0x83302ac8 - Hidden Code [Driver: , IRP: IRP_MJ_CLEANUP]
etc
System 0x83302ac8 - Hidden Code [Driver: , IRP: IRP_MJ_WRITE]
System 0xf762b8ad - Modified Entry Point [Driver: Disk, Other Val: 0xf762c514]

CALLBACKS
-------------------
LoadImage 0x8330496e <unknown>
In this case the infected driver is Disk.sys, but there is no mention of the miniport disk driver being associated with the IRP redirection.
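The pre- and post-reboot reports above differ in exactly one way: the IRP hooks carry an empty "[Driver: ]" field in both, and only the post-reboot scan adds the "Modified Entry Point" line that names the infected driver. This is an added example, not code from the thread or from RootRepeal, that parses that text format and applies the same reading: hooks with no owning driver are flagged as unattributed, and a verdict is reached only when an entry-point line names a driver. The sample reports are constructed from the lines quoted in this thread; the regexes and the `triage` function are assumptions about the format, not RootRepeal's own code.

```python
import re

# Constructed samples modelled on the report lines quoted in this thread (addresses illustrative).
PRE_REBOOT = """STEALTH CODE
-------------------
System 0x82ee28b4 - Hidden Code
System 0x82ee2ac8 - Hidden Code [Driver: , IRP: IRP_MJ_CLEANUP]
System 0x82ee2ac8 - Hidden Code [Driver: , IRP: IRP_MJ_WRITE]
"""
POST_REBOOT = PRE_REBOOT + """System 0xf762b8ad - Modified Entry Point [Driver: Disk, Other Val: 0xf762c514]

CALLBACKS
-------------------
LoadImage 0x8330496e <unknown>
"""
HEX = r"0x[0-9a-fA-F]+"
# The closing "]" of the IRP bracket is optional because the thread quotes one line where it is truncated.
HIDDEN_RE = re.compile(rf"^System ({HEX}) - Hidden Code(?: \[Driver: ([^,\]]*), IRP: (\w+)\]?)?$")
MEP_RE = re.compile(rf"^System ({HEX}) - Modified Entry Point \[Driver: ([^,\]]*), Other Val: ({HEX})\]$")
CALLBACK_RE = re.compile(rf"^(\w+) ({HEX}) (\S+)$")


def triage(report: str) -> dict:
    """Summarise a RootRepeal text report the way the thread reads it by eye (assumed format)."""
    irp_hooks, entry_points, unknown_callbacks = [], [], []
    section = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line.isupper():  # section header such as STEALTH CODE / CALLBACKS
            section = line
            continue
        if section == "STEALTH CODE":
            if (m := HIDDEN_RE.match(line)) and m.group(3):
                irp_hooks.append({"addr": m.group(1), "driver": m.group(2).strip(), "irp": m.group(3)})
            elif m := MEP_RE.match(line):
                entry_points.append({"addr": m.group(1), "driver": m.group(2).strip(), "other": m.group(3)})
        elif section == "CALLBACKS":
            if (m := CALLBACK_RE.match(line)) and m.group(3) == "<unknown>":
                unknown_callbacks.append(f"{m.group(1)} {m.group(2)}")
    # An IRP hook with an empty [Driver: ] field means the redirection was seen but not
    # attributed to a driver; only a Modified Entry Point line names the infected driver.
    orphaned = sorted({h["addr"] for h in irp_hooks if not h["driver"]})
    named = sorted({e["driver"] for e in entry_points})
    verdict = ("infected driver identified: " + ", ".join(named) if named
               else "IRP redirection with no owning driver; rescan after reboot" if orphaned
               else "no stealth code reported")
    return {"irp_hooks": irp_hooks, "orphaned_hook_addrs": orphaned, "entry_points": entry_points,
            "unknown_callbacks": unknown_callbacks, "verdict": verdict}
```

Running `triage` on the two constructed reports reproduces the thread's observation: the pre-reboot scan yields only unattributed hooks at one address, while the post-reboot scan names Disk as the infected driver.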
 #932  by EP_X0FF
 Thu Apr 29, 2010 4:46 am
In the case of detection after reboot, this is not a RootRepeal2 bug. I think if you are still interested you should all PM a_d_13.
 #1056  by Maniac
 Mon May 10, 2010 9:36 pm
Crash report:
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows 7 SP0
Exception Code: 0xc0000005
Exception Address: 0x012c0c9e
Attempt to write to address: 0x034e3000
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP2
Exception Code: 0xc0000005
Exception Address: 0x7c9108f3
Attempt to write to address: 0x02029470
Another one here:
http://forums.malwarebytes.org/index.ph ... t&p=249041
RootRepeal crashes, with a message that says:
"Windows Version: Windows
Exception code 0xc0000005"
And this one:
http://forums.malwarebytes.org/index.ph ... t&p=255401
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP3
Exception Code: 0xc0000005
Exception Address: 0x00417e70
Attempt to read from address: 0x00000000
What do you need?
 #1185  by coconut
 Sun May 30, 2010 3:48 am
xp sp3 32bit, ms forefront 1.5.1981.0, kerio firewall 2.1.5

crashed when scanning SSDT entries


ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP3
Exception Code: 0xc0000005
Exception Address: 0x00417e70
Attempt to read from address: 0x00000000