
Re: RkUnhooker 3.8 SR2 public beta test

Posted: Thu Jan 27, 2011 1:59 pm
by EP_X0FF
Yeah, some sort of archaeological bug, fixed. I don't want to reupload stuff just because of 4 new lines of code.

//repacked with fix and reuploaded :)

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Fri Feb 04, 2011 8:27 pm
by Flopik
Twister wrote:
Another false-positive actuation on "Stealth code" tab:
I have two imageres.dll in my Explorer.exe, one of them RkU shows as hidden.

Also I have a deadlock when pressing File->QuickReport->Save Info from current page (not for the first time, you know ;) )

PS. Win7

imageres.dll is probably loaded as data (LOAD_LIBRARY_AS_IMAGE_RESOURCE); those DLLs are not loaded normally.

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Feb 09, 2011 11:55 am
by baldey-abaldey
Win 7 x64 en
on first launch:
Exception code : 0xC0000005
Instruction address : 0x00402EAA
Attempt to read at address : 0xFFFFFFFF

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Feb 09, 2011 12:00 pm
by EP_X0FF
baldey-abaldey wrote: Win 7 x64 en
Unsupported by design.

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Feb 09, 2011 12:13 pm
by gjf
EP_X0FF wrote:
baldey-abaldey wrote: Win 7 x64 en
Unsupported by design.

Why don't you want to spend some money for a signature from MS? ;)

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Wed Feb 09, 2011 12:16 pm
by EP_X0FF
Because it needs an almost full recode for x64, not simply signing the driver, which is actually not a problem.
For a project with more than 150000 lines of code it's quite a big job, especially when almost all of it was coded with only x86 in mind.

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Thu Feb 10, 2011 5:23 pm
by Flopik
What is Ldr suspicious modification?

0x77050000 Ldr suspicious modification-->LPK.dll [ EPROCESS 0x84C32040 ] PID: 1056 [VEN], 40960 bytes
0x750E0000 Ldr suspicious modification-->COMCTL32.dll [ EPROCESS 0x860BFA70 ] PID: 816 [SDBN][VFN], 540672 bytes
0x750E0000 Ldr suspicious modification-->COMCTL32.dll [ EPROCESS 0x849F1B68 ] PID: 2796 [SDBN][VFN], 540672 bytes
0x750E0000 Ldr suspicious modification-->Comctl32.dll [ EPROCESS 0x84439A50 ] PID: 3176 [SDBN][VFN][FEP], 540672 bytes
0x03220000 Ldr suspicious modification-->avxdisk.dll [ EPROCESS 0x860BFA70 ] PID: 816 [VFN], 57344 bytes
0x004C0000 Ldr suspicious modification-->SvcHost.exe [ EPROCESS 0x86877818 ] PID: 1912 [VEN][FEP][FRS][FTDS], 57344 bytes

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Thu Feb 10, 2011 5:31 pm
by EP_X0FF
Flopik wrote: What is Ldr suspicious modification?

0x77050000 Ldr suspicious modification-->LPK.dll [ EPROCESS 0x84C32040 ] PID: 1056 [VEN], 40960 bytes
0x750E0000 Ldr suspicious modification-->COMCTL32.dll [ EPROCESS 0x860BFA70 ] PID: 816 [SDBN][VFN], 540672 bytes
0x750E0000 Ldr suspicious modification-->COMCTL32.dll [ EPROCESS 0x849F1B68 ] PID: 2796 [SDBN][VFN], 540672 bytes
0x750E0000 Ldr suspicious modification-->Comctl32.dll [ EPROCESS 0x84439A50 ] PID: 3176 [SDBN][VFN][FEP], 540672 bytes
0x03220000 Ldr suspicious modification-->avxdisk.dll [ EPROCESS 0x860BFA70 ] PID: 816 [VFN], 57344 bytes
0x004C0000 Ldr suspicious modification-->SvcHost.exe [ EPROCESS 0x86877818 ] PID: 1912 [VEN][FEP][FRS][FTDS], 57344 bytes
Described in the help file -> Users Manual section. What you see are Dreg's engine-based detections. For example, [SDBN] means a duplicate entry for BaseDllName was found in the PEB (likely two COMCTL32.dll loaded at the same time at different addresses). SvcHost: what's the Windows version? Vista or 7? AV/HIPS installed?

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Thu Feb 10, 2011 5:50 pm
by Flopik
I'm running Windows 7 Ultimate x86 and I have BitDefender. Thanks, I forgot about the help file. I will load windbg to see more details.

Re: RkUnhooker 3.8 SR2 public beta test

Posted: Fri Feb 11, 2011 1:51 pm
by Flopik
By the way, if you want to remove the false positive for ImageRes.dll hidden that appears in Win7, you can add a check for
(IAT) IMAGE_DATA_DIRECTORY.VirtualAddress and HeadNt.OptionalHeader32.AddressOfEntryPoint; they will be zero. A quick look at the PE header is interesting for detecting loaded resource DLLs.
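The PE-header check described in the post above, as an added example that is not part of the original post or of RkUnhooker: a small C program that reads the NT headers of an image and reports it as resource-only when both AddressOfEntryPoint and the import directory VirtualAddress are zero. The field offsets are the documented PE32/PE32+ optional header layout; the names classify_image() and build_sample_pe32() are chosen here, and the sample image is constructed in memory so the program runs without a Windows DLL on hand.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts returned by classify_image(). */
enum { IMG_MALFORMED = -1, IMG_EXECUTABLE = 0, IMG_RESOURCE_ONLY = 1 };

/* Little-endian field access; PE headers are little-endian regardless of host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/*
 * Inspect the headers of an image (file bytes or a mapped module; the headers
 * are the same in both). Returns IMG_RESOURCE_ONLY when the optional header has
 * AddressOfEntryPoint == 0 and the import directory VirtualAddress == 0,
 * IMG_EXECUTABLE otherwise, and IMG_MALFORMED when the headers cannot be parsed.
 * Every offset is bounds-checked so a truncated or hostile buffer is never read
 * past its end.
 */
int classify_image(const uint8_t *img, size_t len) {
    if (len < 64 || img[0] != 'M' || img[1] != 'Z') return IMG_MALFORMED;
    uint32_t e_lfanew = rd32(img + 60);               /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > len || len - e_lfanew < 24) return IMG_MALFORMED;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return IMG_MALFORMED;
    uint16_t opt_size = rd16(nt + 20);                /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    const uint8_t *opt = nt + 24;                     /* IMAGE_OPTIONAL_HEADER */
    if (opt_size < 2 || opt_size > len - e_lfanew - 24) return IMG_MALFORMED;

    size_t nrva_off, dir_off;
    switch (rd16(opt)) {                              /* Magic */
    case 0x10b: nrva_off = 92;  dir_off = 96;  break; /* PE32 */
    case 0x20b: nrva_off = 108; dir_off = 112; break; /* PE32+ */
    default:    return IMG_MALFORMED;
    }
    if (opt_size < nrva_off + 4) return IMG_MALFORMED;

    uint32_t entry = rd32(opt + 16);                  /* AddressOfEntryPoint */
    uint32_t import_va = 0;
    if (rd32(opt + nrva_off) > 1) {                   /* NumberOfRvaAndSizes covers the import entry */
        size_t import_off = dir_off + 8 * 1;          /* DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT] */
        if (opt_size < import_off + 8) return IMG_MALFORMED;
        import_va = rd32(opt + import_off);
    }
    return (entry == 0 && import_va == 0) ? IMG_RESOURCE_ONLY : IMG_EXECUTABLE;
}

/*
 * Constructed sample (not a real DLL): a minimal PE32 DLL header with 16 data
 * directories and no sections, enough for classify_image() to read.
 * Returns the number of bytes written, 0 if the buffer is too small.
 */
size_t build_sample_pe32(uint8_t *out, size_t cap, uint32_t entry, uint32_t import_va) {
    const size_t opt_size = 224, total = 64 + 24 + opt_size;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    wr32(out + 60, 64);                               /* e_lfanew: NT headers right after DOS header */
    memcpy(out + 64, "PE\0\0", 4);
    wr16(out + 68, 0x014c);                           /* Machine = IMAGE_FILE_MACHINE_I386 */
    wr16(out + 84, (uint16_t)opt_size);               /* SizeOfOptionalHeader */
    wr16(out + 86, 0x2102);                           /* EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL */
    uint8_t *opt = out + 88;
    wr16(opt, 0x10b);                                 /* PE32 magic */
    wr32(opt + 16, entry);                            /* AddressOfEntryPoint */
    wr32(opt + 92, 16);                               /* NumberOfRvaAndSizes */
    wr32(opt + 96 + 8, import_va);                    /* import directory VirtualAddress */
    return total;
}

int main(void) {
    uint8_t buf[512];
    size_t n = build_sample_pe32(buf, sizeof buf, 0, 0);
    printf("resource-only style header -> %d\n", classify_image(buf, n));
    n = build_sample_pe32(buf, sizeof buf, 0x1000, 0x2000);
    printf("ordinary DLL header        -> %d\n", classify_image(buf, n));
    return 0;
}
```

The fields tested are identical whether the bytes come from the file on disk or from the module's mapped base, since headers are not relocated. Note that a zero entry point with an empty import directory is also exactly what a legitimately loaded resource-only DLL looks like, so the verdict is a reason to suppress a "hidden module" alert for that entry, not evidence about the rest of the process.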