A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #101  by EP_X0FF
 Sun Mar 14, 2010 6:13 am
Hello everyone,

Here is the beta version of the next RkU LE public build. It will be a cumulative update (SR2) containing all previously applied bugfixes,
improvements and additions. However, it is still the public LE version, so do not expect anything extraordinary from it :)
Important note: as of SR2, Windows 2000 support is fully dropped.

This is not a release. Some features may be altered or unavailable in the release version.
You use this tool at your own risk.

changelog:
added: unlinked DLL detection
added: small fix for the drivers scan
added: callgates detector, GDT/LDT modifications (thanks to Dreg)
added: Exclude .NET modules option to reduce false positives on the stealth code page
updated: internal service executable
updated: report generator has been rewritten (ported from VX version)
improved: stealth code detection (thanks Alex)
fixed: multiple bugs in multiprocessor environments
fixed: incompatibilities with some 3rd party software
fixed: some application and driver bugs
fixed: vulnerability reported by Fyyre
important: as of this version Windows 2000 support is fully dropped
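The changelog names a callgates detector but does not describe what it looks for. As an added illustration, not code from this post or from RkU itself, the following C walks a raw 32-bit x86 descriptor table (8-byte entries, as in a GDT image read via SGDT from a driver) and reports every present call-gate descriptor: S=0 with type 0x4 (16-bit gate) or 0xC (32-bit gate). For each gate it decodes the target selector, entry offset, gate DPL and parameter count, resolves the DPL of the target code segment from the same table, and flags the classic rootkit pattern of a DPL-3 gate leading into DPL-0 code. The table bytes below are a constructed sample, not a dump from any real machine; the 16-byte descriptor layout used by 64-bit kernels is assumed out of scope and not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one call-gate descriptor found in a descriptor table. */
typedef struct {
    int      index;       /* slot number in the table */
    uint16_t selector;    /* code segment the gate transfers to */
    uint32_t offset;      /* entry point inside that segment */
    int      dpl;         /* gate DPL: 3 means callable from user mode */
    int      param_count; /* dwords copied from the caller's stack */
    int      is_32bit;    /* type 0xC (32-bit) vs 0x4 (16-bit) */
    int      target_dpl;  /* DPL of the target code segment, or -1 */
} callgate_t;

/* DPL of the code segment named by `sel`, looked up in the same table.
 * Returns -1 if the selector refers to an LDT (TI=1), lies past the end
 * of the table, or names something other than a present code segment. */
static int resolve_target_dpl(const uint8_t *table, size_t len, uint16_t sel)
{
    if (sel & 0x4) return -1;                    /* TI=1: LDT, not here */
    size_t idx = (size_t)(sel >> 3);
    if ((idx + 1) * 8 > len) return -1;
    uint8_t access = table[idx * 8 + 5];
    if (!(access & 0x80)) return -1;             /* P=0: not present */
    if (!(access & 0x10)) return -1;             /* S=0: system descriptor */
    if (!(access & 0x08)) return -1;             /* type bit 3 clear: data */
    return (access >> 5) & 3;
}

/* Decode entry `index` as a call gate. Returns 1 and fills `out` when the
 * entry is a present system descriptor of type 0x4 or 0xC, else 0. */
static int parse_callgate(const uint8_t *table, size_t len, int index,
                          callgate_t *out)
{
    const uint8_t *d = table + (size_t)index * 8;
    uint8_t access = d[5];
    uint8_t type   = access & 0x0F;
    if (!(access & 0x80) || (access & 0x10)) return 0;   /* need P=1, S=0 */
    if (type != 0x4 && type != 0xC) return 0;
    out->index       = index;
    out->selector    = (uint16_t)(d[2] | (d[3] << 8));   /* bytes 2-3 */
    out->offset      = (uint32_t)d[0] | ((uint32_t)d[1] << 8)
                     | ((uint32_t)d[6] << 16) | ((uint32_t)d[7] << 24);
    out->dpl         = (access >> 5) & 3;
    out->param_count = d[4] & 0x1F;
    out->is_32bit    = (type == 0xC);
    out->target_dpl  = resolve_target_dpl(table, len, out->selector);
    return 1;
}

/* Walk a raw descriptor table of `len` bytes and collect up to `max`
 * call gates into `out`. Returns the number found. */
int find_callgates(const uint8_t *table, size_t len, callgate_t *out, int max)
{
    int found = 0;
    for (size_t i = 0; i < len / 8 && found < max; i++)
        if (parse_callgate(table, len, (int)i, &out[found]))
            found++;
    return found;
}

/* A user-callable (DPL 3) gate into DPL-0 code is a ring-0 backdoor. */
int callgate_is_ring0_backdoor(const callgate_t *g)
{
    return g->dpl == 3 && g->target_dpl == 0;
}

/* Constructed sample table (not a dump from a real machine): flat ring-0
 * and ring-3 code/data segments, a TSS, one non-present gate that must be
 * ignored, and one planted DPL-3 32-bit call gate into selector 0x08. */
const uint8_t sample_gdt[8 * 8] = {
    0,0,0,0,0,0,0,0,                               /* 0: null descriptor */
    0xFF,0xFF,0x00,0x00,0x00,0x9A,0xCF,0x00,       /* 1: ring-0 code (0x08) */
    0xFF,0xFF,0x00,0x00,0x00,0x92,0xCF,0x00,       /* 2: ring-0 data */
    0xFF,0xFF,0x00,0x00,0x00,0xFA,0xCF,0x00,       /* 3: ring-3 code */
    0xFF,0xFF,0x00,0x00,0x00,0xF2,0xCF,0x00,       /* 4: ring-3 data */
    0x68,0x00,0x00,0x80,0x00,0x89,0x00,0x00,       /* 5: available TSS */
    0x34,0x12,0x08,0x00,0x00,0xEC,0x40,0x80,       /* 6: call gate, DPL 3 */
    0x00,0x00,0x08,0x00,0x00,0x6C,0x00,0x00,       /* 7: gate with P=0 */
};

int main(void)
{
    callgate_t gates[8];
    int n = find_callgates(sample_gdt, sizeof sample_gdt, gates, 8);
    printf("%d call gate(s) found\n", n);
    for (int i = 0; i < n; i++) {
        const callgate_t *g = &gates[i];
        printf("GDT[%d]: %s gate DPL %d -> sel %04x (target DPL %d) "
               "offset %08x%s\n", g->index, g->is_32bit ? "32-bit" : "16-bit",
               g->dpl, (unsigned)g->selector, g->target_dpl,
               (unsigned)g->offset,
               callgate_is_ring0_backdoor(g) ? "  <-- ring 0 from ring 3" : "");
    }
    return 0;
}
```

On a stock Windows GDT no call gates are expected, so any present gate is worth a look even before checking its DPL; the non-present entry at index 7 shows why the P bit is tested first, since a leftover or half-written descriptor is not a usable gate.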
 #195  by Twister
 Mon Mar 15, 2010 5:19 pm
Another false-positive trigger on the "Stealth code" tab:
I have two imageres.dll in my Explorer.exe, and RkU shows one of them as hidden.

Also, I get a deadlock when I press File->QuickReport->Save Info from current page (not for the first time, you know ;) )

PS. Win7
 #196  by EP_X0FF
 Mon Mar 15, 2010 5:23 pm
Thanks for the bug report. Perhaps related to the new self-protection. Needs more debugging :)

Deadlock confirmed and reproduced. Will be fixed in next update.
 #259  by liangtong
 Wed Mar 17, 2010 5:11 am
Exception occurred when scanning user mode hooks on Win7.
Exception code : 0xC0000005
Instruction address : 0x0042EF3E
Attempt to read at address : 0x0000003C

And viewing process properties may cause a deadlock.
 #260  by EP_X0FF
 Wed Mar 17, 2010 6:26 am
Thank you.

Can you please also reproduce this deadlock on Vista, if you have it? :)
And the other deadlock, mentioned by Twister? I'm testing a fix for it right now.
 #261  by liangtong
 Wed Mar 17, 2010 8:18 am
Hi EP,
I've no Vista environment to test the build. :oops:

I just ran it on my VM (XP) and it got a BSOD when scanning stealth code (minidump is included in the attachment).
Last edited by EP_X0FF on Wed Apr 14, 2010 6:01 pm, edited 1 time in total. Reason: Removed attach
 #266  by EP_X0FF
 Wed Mar 17, 2010 1:44 pm
Thanks for the report.

This is caused by the callgates detector. More debugging required :)