A forum for reverse engineering, OS internals and malware analysis 

 #1030  by YGV
 Fri May 07, 2010 5:32 pm
>Hooks
==============================================
Device object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
File object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
Key object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
LpcPort object-->OpenProcedure, Type: Kernel Object [unknown_code_page]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
ntkrnlpa.exe-->NtRequestPort, Type: Inline - RelativeJump 0x805A2A10-->BA75ECA0 [unknown_code_page]
ntkrnlpa.exe-->NtRequestWaitReplyPort, Type: Inline - RelativeJump 0x805A2D3C-->BA75ED40 [unknown_code_page]
ntkrnlpa.exe-->NtTraceEvent, Type: Inline - RelativeJump 0x80535114-->BA75EC00 [unknown_code_page]
[1976]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DC1218-->00000000 [shimeng.dll]
[1976]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[1976]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[1976]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[1976]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E36133C-->00000000 [shimeng.dll]
[1976]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x40C114B0-->00000000 [shimeng.dll]
[1976]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AA109C-->00000000 [shimeng.dll]

WinXP SP3
Tom & Jerry snooping around or a bug? :? :|
 #1031  by EP_X0FF
 Fri May 07, 2010 5:35 pm
Hello,

This is not a bug. A few false positives in kernel mode, and the usual shimeng.dll-caused FP in user mode.
As for the Device/File/Key/LpcPort objects, please tell us what security software you have installed.

Regards.

(topic moved from General Discussion to Tools/Software).
 #1033  by EP_X0FF
 Fri May 07, 2010 5:46 pm
These are Sandboxie object type hooks.

NtRequestPort
NtRequestWaitReplyPort
NtTraceEvent


also belongs to Sandboxie :)
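An added example, not from the thread or from the tool's author: a small Python triage helper that parses lines in the shape of the hook report pasted above (the line format is inferred from the paste, and the sample lines are constructed) and applies the thread's conclusion, marking shimeng.dll IAT entries as the usual shim-engine false positive and "unknown_code_page" entries as hooks the tool could not attribute, which is where installed security software such as a sandbox has to be checked.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the report above (not the full paste).
SAMPLE_REPORT = """\
>Hooks
==============================================
Device object-->ParseProcedure, Type: Kernel Object [unknown_code_page]
ntkrnlpa.exe-->NtRequestPort, Type: Inline - RelativeJump 0x805A2A10-->BA75ECA0 [unknown_code_page]
[1976]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
"""

# target, Type: kind [src-->dst] [owner]; the address pair is absent for object-type hooks.
LINE_RE = re.compile(
    r"^(?P<target>.+?), Type: (?P<kind>.+?)"
    r"(?: (?P<src>0x[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+))? \[(?P<owner>[^\]]+)\]$"
)


@dataclass
class Hook:
    target: str
    kind: str
    owner: str
    src: Optional[int]
    dst: Optional[int]


def parse_report(text: str) -> List[Hook]:
    """Parse hook lines; header and separator rows that do not match are skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(m["target"], m["kind"].strip(), m["owner"],
                          int(m["src"], 16) if m["src"] else None,
                          int(m["dst"], 16) if m["dst"] else None))
    return hooks


def triage(hook: Hook) -> str:
    """Label a hook with the reasoning from the thread (assumed rules, not the tool's own)."""
    if hook.kind == "IAT modification" and hook.owner == "shimeng.dll":
        return "expected: application-compatibility shim engine, usual false positive"
    if hook.owner == "unknown_code_page":
        return "unattributed: code outside any known module, check installed security software"
    return "attributed to " + hook.owner
```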
 #1034  by YGV
 Fri May 07, 2010 5:53 pm
OK, it's tzuk and not Tom & Jerry, you say?

Well then, I can take some more beer and relax.

Thank you :D