 #5013  by EP_X0FF
 Fri Feb 11, 2011 1:54 pm
Flopik wrote:By the way, if you want to remove the false positive for ImageRes.dll hidden that appears in Win7, you can add a check for the (IAT) IMAGE_DATA_DIRECTORY.VirtualAddress and HeadNt.OptionalHeader32.AddressOfEntryPoint; they will be zero. A quick look at the PE header is interesting to detect loaded resource DLLs.
Sure, which ImageRes.dll issue are you referring to? Normally it shouldn't list non-executable images at all.
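The check Flopik describes, as an added Python example (not Flopik's or RkU's code): a module whose AddressOfEntryPoint and IAT directory VirtualAddress are both zero carries no code and can be dropped from a "hidden module" list. The PE32 header it runs on is constructed inline; `build_pe32` is a test helper, not a real file.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IAT = 12  # index of the IAT entry in the optional header's data directory

def pe_header_fields(image: bytes) -> dict:
    """Read AddressOfEntryPoint and the IAT data directory from an in-memory PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:       # PE32: data directories start 96 bytes into the optional header
        dir_base = opt + 96
    elif magic == 0x20B:     # PE32+: wider ImageBase and size fields push them to 112
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    entry = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    iat_va, iat_size = struct.unpack_from("<II", image, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_IAT)
    return {"entry_point": entry, "iat_va": iat_va, "iat_size": iat_size}

def is_resource_only(image: bytes) -> bool:
    """Flopik's rule: no entry point and no IAT means a data/resource-only DLL (imageres.dll style)."""
    f = pe_header_fields(image)
    return f["entry_point"] == 0 and f["iat_va"] == 0

def build_pe32(entry_point: int, iat_va: int) -> bytes:
    """Constructed minimal PE32 header (DOS stub + NT headers only, no sections) for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers follow the DOS header
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=224, Characteristics=EXECUTABLE|32BIT|DLL
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IAT, iat_va, 0x40 if iat_va else 0)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
```

An image with code can in principle leave both fields zero (TLS callbacks, manually resolved imports), so treat the rule as a false-positive filter for known data-only system images rather than as proof that a module is harmless.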
 #5133  by cornflake
 Tue Feb 22, 2011 3:41 am
Hi thanks very much for your continuing work on RkU. I've downloaded the RkU standalone version from your January 26, 2011 post and verified the sha512 hash. It will not run on one of my Vista SP2 x86 computers. It does not appear to crash (I initially mistook another Rootkit program crash for RkU in my original post -- sorry about that!) but instead loads and then immediately terminates. I did rename the file to random letters and numbers but it still terminates. It says Initializing@ and then nothing happens. I can see in process explorer it terminates.

I have Avira, Sandboxie and Secunia PSI installed on this computer. I disabled Avira's Guard and Secunia's service but this doesn't help. I cannot disable Sandboxie at present.

Is this a known issue?

Thanks
 #5144  by EP_X0FF
 Wed Feb 23, 2011 10:36 am
Hi,
cornflake wrote:Is this a known issue?
No, I just tested with Windows XP SP3 + Avira Personal 9.0.13/10 + Secunia PSI + Sandboxie, everything works as expected.

What is your Avira version?
 #5148  by cornflake
 Wed Feb 23, 2011 11:31 pm
EP_X0FF wrote:What is your Avira version?
It is Avira free AV product version 10.0.0.611. Attached is a screen capture with its detailed version information.
Also I have Sandboxie 3.52, Secunia PSI 2.0.0.1003. The other programs that have signed drivers on my computer are VMWare Workstation 7.1.3 build-324285, LatencyMon 200.31002, Paragon Drive Backup Pro 10. I have run RkU on other Vista SP2 x86 computers without a problem. Please let me know if there's anything I can do to help you track down the issue.
 #5152  by EP_X0FF
 Thu Feb 24, 2011 6:20 am
I've installed Avira Personal 10.0.611 on Vista SP2 and still found no problem.

Try running rku from the console.
Create a shortcut for rku.exe and add the following string to the path: -console

e.g. c:\dir\rku.exe -console

In the console type nohooks and press Enter (this will disable the self-protection that may be causing this bug).
After this type start and press Enter.
 #5154  by gjf
 Thu Feb 24, 2011 8:59 am
Actually I have to state that some hooks made by antivirus products really make it impossible to work with subj.

If you try RkU with KIS 11.0.2.556 installed and (of course!) shut down, the whole system will hang, so it will be necessary to perform a cold reboot.
 #5155  by EP_X0FF
 Thu Feb 24, 2011 10:09 am
gjf wrote:If you try RkU with KIS 11.0.2.556 installed and (of course!) shut down, the whole system will hang, so it will be necessary to perform a cold reboot.
Works fine here. Default settings.
Anything specific to check in KIS?

RkU Version: 3.8.389.592, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>SSDT State
==============================================
ntoskrnl.exe-->NtAdjustPrivilegesToken, Type: Address change 0x8058D0A1-->F8F4F5FA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtClose, Type: Address change 0x805678DD-->F8F4FEFE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtConnectPort, Type: Address change 0x805879EB-->F8F50D32 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateEvent, Type: Address change 0x8056D57A-->F8F5127C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateFile, Type: Address change 0x8056CDC0-->F8F501DA [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateKey, Type: Address change 0x8057065D-->F8F4E46A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateMutant, Type: Address change 0x80578037-->F8F51162 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateNamedPipeFile, Type: Address change 0x80583F3F-->F8F4F1E8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreatePort, Type: Address change 0x805975B1-->F8F51036 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateSection, Type: Address change 0x805652B3-->F8F4F390 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateSemaphore, Type: Address change 0x8057243B-->F8F5139C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateThread, Type: Address change 0x8058E63F-->F8F4FB86 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtCreateWaitablePort, Type: Address change 0x805DB124-->F8F510CC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDebugActiveProcess, Type: Address change 0x8065B1CD-->F8F52A84 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeleteKey, Type: Address change 0x805952BE-->F8F4EA74 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeleteValueKey, Type: Address change 0x80592D50-->F8F4EE28 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDeviceIoControlFile, Type: Address change 0x8058EFAD-->F8F5065C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtDuplicateObject, Type: Address change 0x805715E0-->F8F53C90 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Address change 0x80570D64-->F8F4EF74 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtEnumerateValueKey, Type: Address change 0x8059066B-->F8F4F00C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtFsControlFile, Type: Address change 0x8057AAB5-->F8F5046A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Address change 0x805A3AF1-->F8F52B76 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadKey, Type: Address change 0x805AED5D-->F8F4E446 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtLoadKey2, Type: Address change 0x805AEB9A-->F8F4E458 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtMapViewOfSection, Type: Address change 0x80573B61-->F8F532DE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtNotifyChangeKey, Type: Address change 0x8058A68D-->F8F4F138 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenEvent, Type: Address change 0x8057DCDD-->F8F51312 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenFile, Type: Address change 0x8056CD5B-->F8F4FF80 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenKey, Type: Address change 0x80568D59-->F8F4E62A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenMutant, Type: Address change 0x805780E5-->F8F511F2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Address change 0x805717C7-->F8F4F836 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenSection, Type: Address change 0x80570FD7-->F8F53078 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenSemaphore, Type: Address change 0x8059EFC5-->F8F51432 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtOpenThread, Type: Address change 0x8058A1BD-->F8F4F728 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryKey, Type: Address change 0x80570A6D-->F8F4F0A4 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryMultipleValueKey, Type: Address change 0x8064E320-->F8F4ECDC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQuerySection, Type: Address change 0x8057D4CC-->F8F53618 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueryValueKey, Type: Address change 0x8056A1F1-->F8F4E906 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtQueueApcThread, Type: Address change 0x8059108B-->F8F52F0A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRenameKey, Type: Address change 0x8064E79E-->F8F4EB96 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplaceKey, Type: Address change 0x8064F0FA-->F8F4DE80 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplyPort, Type: Address change 0x8057CCDA-->F8F51796 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtReplyWaitReceivePort, Type: Address change 0x8056B82E-->F8F5165C [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRequestWaitReplyPort, Type: Address change 0x80576CE6-->F8F5281E [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtRestoreKey, Type: Address change 0x8064EC91-->F8F4E1F8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtResumeThread, Type: Address change 0x8058ECB2-->F8F53B32 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSaveKey, Type: Address change 0x8064ED92-->F8F4DE18 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSecureConnectPort, Type: Address change 0x8058F4DE-->F8F50A78 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetContextThread, Type: Address change 0x8062DCDF-->F8F4FDA2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetInformationToken, Type: Address change 0x805A86F0-->F8F520BE [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetSecurityObject, Type: Address change 0x8059B19B-->F8F52D14 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetSystemInformation, Type: Address change 0x805A7BDD-->F8F53768 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Address change 0x80572889-->F8F4E780 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSuspendProcess, Type: Address change 0x8062F8C1-->F8F5385A [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSuspendThread, Type: Address change 0x805E045E-->F8F53994 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtSystemDebugControl, Type: Address change 0x80649CE3-->F8F529A8 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtTerminateProcess, Type: Address change 0x805822E0-->F8F4F9D2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtTerminateThread, Type: Address change 0x8057B885-->F8F4F932 [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtUnmapViewOfSection, Type: Address change 0x805736E6-->F8F534BC [C:\WINDOWS\system32\DRIVERS\klif.sys]
ntoskrnl.exe-->NtWriteVirtualMemory, Type: Address change 0x8057E420-->F8F4FABC [C:\WINDOWS\system32\DRIVERS\klif.sys]
==============================================
>Shadow
==============================================
win32k.sys-->NtGdiBitBlt, Type: Address change 0xBF809FDF-->F8F6004C [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiMaskBlt, Type: Address change 0xBF838560-->F8F60122 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiPlgBlt, Type: Address change 0xBF9438F8-->F8F60192 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtGdiStretchBlt, Type: Address change 0xBF873983-->F8F600B6 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserAttachThreadInput, Type: Address change 0xBF8F4FC9-->F8F6071A [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserBuildHwndList, Type: Address change 0xBF835F21-->F8F601FA [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserFindWindowEx, Type: Address change 0xBF8B1369-->F8F5FE70 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetAsyncKeyState, Type: Address change 0xBF84928E-->F8F5FC7E [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetKeyboardState, Type: Address change 0xBF852720-->F8F5FF7E [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserGetKeyState, Type: Address change 0xBF820E6C-->F8F5FCCA [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserMessageCall, Type: Address change 0xBF80EE6B-->F8F5FDC2 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserPostMessage, Type: Address change 0xBF8089B4-->F8F5FD16 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserPostThreadMessage, Type: Address change 0xBF8B3D3D-->F8F5FD6A [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserRegisterRawInputDevices, Type: Address change 0xBF915BA7-->F8F5FF06 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSendInput, Type: Address change 0xBF8C31E7-->F8F5FE22 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetParent, Type: Address change 0xBF879695-->F8F605CC [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF8527E0-->F8F5FBC4 [C:\WINDOWS\system32\DRIVERS\klif.sys]
win32k.sys-->NtUserSetWinEventHook, Type: Address change 0xBF8ED991-->F8F5FC1C [C:\WINDOWS\system32\DRIVERS\klif.sys]
==============================================
>Hooks
==============================================
fastfat.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF546790C-->F9270EB0 [kl1.sys]
ntoskrnl.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump 0x80512919-->F8F41FEC [klif.sys]
ntoskrnl.exe-->IoCreateDevice, Type: EAT modification 0x806837F4-->F9270EB0 [kl1.sys]
ntoskrnl.exe-->IoIsOperationSynchronous, Type: Inline - RelativeJump 0x804E875A-->F8F423C8 [klif.sys]
tcpip.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF8ED6408-->F9270EB0 [kl1.sys]
wanarp.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF9B6FC08-->F9270EB0 [kl1.sys]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
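An added Python example (not RkU's code and not part of the post) that parses the report format shown above and counts hooks per owning driver: when every SSDT, Shadow SSDT and IAT/EAT/inline hook resolves to one vendor's drivers (klif.sys and kl1.sys here), the "rootkit activity" is a security product's self-protection, which is the point of the smiley. The excerpt in `SAMPLE` is constructed from a few lines of the quoted report.

```python
import re
from collections import Counter
from typing import Dict, List

# One RkU hook line: <module chain>, Type: <hook type> 0x<orig>--><new> [<owning driver>]
LINE_RE = re.compile(r"^(?P<chain>\S+?), Type: (?P<hook_type>.+?) "
                     r"0x(?P<orig>[0-9A-Fa-f]+)-->(?P<new>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$")

def parse_report(text: str) -> List[Dict]:
    """Turn the SSDT State / Shadow / Hooks sections into records; the '>Name' lines give the section."""
    section, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):
            section = line[1:].strip()
            continue
        m = LINE_RE.match(line)
        if m is None or section is None:
            continue  # banner, '====' separators, blank lines and the closing summary
        chain = m["chain"].split("-->")  # IAT hooks name the importing module first
        records.append({
            "section": section,
            "importer": chain[0] if len(chain) == 3 else None,
            "module": chain[-2],
            "function": chain[-1],
            "hook_type": m["hook_type"],
            "orig": int(m["orig"], 16),
            "new": int(m["new"], 16),
            "owner": m["owner"].split("\\")[-1].lower(),  # basename of the hooking driver
        })
    return records

def hooks_by_owner(records: List[Dict]) -> Dict[str, int]:
    """Count hooks per owning driver; a single vendor owning every hook points at a security
    product's self-protection rather than at a rootkit."""
    return dict(Counter(r["owner"] for r in records))

# Constructed excerpt of the report quoted above (a few lines per section)
SAMPLE = """RkU Version: 3.8.389.592, Type LE (SR2)
>SSDT State
ntoskrnl.exe-->NtClose, Type: Address change 0x805678DD-->F8F4FEFE [C:\\WINDOWS\\system32\\DRIVERS\\klif.sys]
ntoskrnl.exe-->NtCreateFile, Type: Address change 0x8056CDC0-->F8F501DA [C:\\WINDOWS\\system32\\DRIVERS\\klif.sys]
>Shadow
win32k.sys-->NtUserSetWindowsHookEx, Type: Address change 0xBF8527E0-->F8F5FBC4 [C:\\WINDOWS\\system32\\DRIVERS\\klif.sys]
>Hooks
fastfat.sys-->ntoskrnl.exe-->IoCreateDevice, Type: IAT modification 0xF546790C-->F9270EB0 [kl1.sys]
ntoskrnl.exe-->FsRtlCheckLockForReadAccess, Type: Inline - RelativeJump 0x80512919-->F8F41FEC [klif.sys]
ntoskrnl.exe-->IoCreateDevice, Type: EAT modification 0x806837F4-->F9270EB0 [kl1.sys]"""
```

For triage, compare the owner names against the installed security products before treating any entry as malicious; an owner that is not a known, signed product driver is what deserves a closer look.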
 #5156  by gjf
 Thu Feb 24, 2011 10:41 am
Attached is my config file. You can import it, update KIS (I see your bases are outdated - it's OK, but what about patches? The actual version is 11.0.2.556 a.b.c.d), reboot and check if RkU will work.
 #5157  by EP_X0FF
 Thu Feb 24, 2011 1:13 pm
No changes, they work.
The deadlock described above can be caused by 3rd-party software or a hardware problem.