A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #4758  by EP_X0FF
 Thu Jan 27, 2011 1:59 pm
Yeah, some sort of archaeological bug, fixed. I don't want to re-upload stuff just because of 4 new lines of code.

//repacked with fix and reuploaded :)
Last edited by EP_X0FF on Fri Jan 28, 2011 4:37 am, edited 1 time in total. Reason: edit
 #4888  by Flopik
 Fri Feb 04, 2011 8:27 pm
Twister wrote:
Another false-positive activation on the "Stealth code" tab:
I have two imageres.dll in my Explorer.exe; RkU shows one of them as hidden.

Also I get a deadlock when I press File->QuickReport->Save Info from current page (not for the first time, you know ;) )

PS. Win7

imageres.dll is probably loaded as data (LOAD_LIBRARY_AS_IMAGE_RESOURCE); those DLLs are not loaded normally.
 #4967  by EP_X0FF
 Wed Feb 09, 2011 12:00 pm
baldey-abaldey wrote:Win 7 x64 en
Unsupported by design.
 #4969  by EP_X0FF
 Wed Feb 09, 2011 12:16 pm
Because it needs an almost full recode for x64, not simply signing the driver, which is actually not a problem.
For a project with more than 150,000 lines of code it's quite a big job, especially when almost all of it was coded with only x86 in mind.
 #4997  by Flopik
 Thu Feb 10, 2011 5:23 pm
What is Ldr suspicious modification?

0x77050000 Ldr suspicious modification-->LPK.dll [ EPROCESS 0x84C32040 ] PID: 1056 [VEN], 40960 bytes
0x750E0000 Ldr suspicious modification-->COMCTL32.dll [ EPROCESS 0x860BFA70 ] PID: 816 [SDBN][VFN], 540672 bytes
0x750E0000 Ldr suspicious modification-->COMCTL32.dll [ EPROCESS 0x849F1B68 ] PID: 2796 [SDBN][VFN], 540672 bytes
0x750E0000 Ldr suspicious modification-->Comctl32.dll [ EPROCESS 0x84439A50 ] PID: 3176 [SDBN][VFN][FEP], 540672 bytes
0x03220000 Ldr suspicious modification-->avxdisk.dll [ EPROCESS 0x860BFA70 ] PID: 816 [VFN], 57344 bytes
0x004C0000 Ldr suspicious modification-->SvcHost.exe [ EPROCESS 0x86877818 ] PID: 1912 [VEN][FEP][FRS][FTDS], 57344 bytes
 #4998  by EP_X0FF
 Thu Feb 10, 2011 5:31 pm
Flopik wrote: What is Ldr suspicious modification?

0x77050000 Ldr suspicious modification-->LPK.dll [ EPROCESS 0x84C32040 ] PID: 1056 [VEN], 40960 bytes
0x750E0000 Ldr suspicious modification-->COMCTL32.dll [ EPROCESS 0x860BFA70 ] PID: 816 [SDBN][VFN], 540672 bytes
0x750E0000 Ldr suspicious modification-->COMCTL32.dll [ EPROCESS 0x849F1B68 ] PID: 2796 [SDBN][VFN], 540672 bytes
0x750E0000 Ldr suspicious modification-->Comctl32.dll [ EPROCESS 0x84439A50 ] PID: 3176 [SDBN][VFN][FEP], 540672 bytes
0x03220000 Ldr suspicious modification-->avxdisk.dll [ EPROCESS 0x860BFA70 ] PID: 816 [VFN], 57344 bytes
0x004C0000 Ldr suspicious modification-->SvcHost.exe [ EPROCESS 0x86877818 ] PID: 1912 [VEN][FEP][FRS][FTDS], 57344 bytes
Described in the help file, Users Manual section. What you see are Dreg's engine-based detections. For example, [SDBN] means a duplicate entry for BaseDllName was found in the PEB (likely two COMCTL32.dll loaded at the same time at different addresses). SvcHost: what's the Windows version? Vista or 7? AV/HIPS installed?
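The [SDBN] check described above, as an added example that is not RkU's code: it walks a snapshot of a process' PEB Ldr module list and flags any BaseDllName that appears twice. RkU reads the real list from the target process' PEB; here the list (`ldr_entry`, `sample_snapshot`, including the shortened WinSxS path) is constructed by me to resemble the PID 816 entries in the post, and `find_sdbn` is my name for the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <ctype.h>

/* One list entry, reduced from LDR_DATA_TABLE_ENTRY to the fields the SDBN check needs. */
typedef struct {
    const char *full_dll_name;   /* FullDllName */
    const char *base_dll_name;   /* BaseDllName, e.g. "COMCTL32.dll" */
    uintptr_t   dll_base;        /* DllBase */
    uint32_t    size_of_image;   /* SizeOfImage */
} ldr_entry;

typedef struct { size_t first, second; } sdbn_hit;   /* indexes of the two colliding entries */

/* Module names are case-insensitive on Windows, so "Comctl32.dll" and "COMCTL32.dll" collide. */
int name_equal_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* [SDBN]: the same BaseDllName present more than once in the list.
 * Returns the total number of colliding pairs; at most max_out of them are written to out. */
size_t find_sdbn(const ldr_entry *list, size_t n, sdbn_hit *out, size_t max_out)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++) {
            if (!name_equal_ci(list[i].base_dll_name, list[j].base_dll_name)) continue;
            if (hits < max_out) { out[hits].first = i; out[hits].second = j; }
            hits++;
        }
    return hits;
}

/* Constructed snapshot (not from a real machine) of a 32-bit process' module list:
 * two comctl32.dll copies at different bases, like the PID 816 entries in the post.
 * The WinSxS directory name is shortened; real ones carry the full assembly identity. */
static const ldr_entry sample_snapshot[] = {
    { "C:\\Windows\\system32\\ntdll.dll",    "ntdll.dll",    0x77C00000u, 0x13C000u },
    { "C:\\Windows\\system32\\kernel32.dll", "kernel32.dll", 0x76A00000u, 0x0D4000u },
    { "C:\\Windows\\system32\\COMCTL32.dll", "COMCTL32.dll", 0x750E0000u, 0x084000u },
    { "C:\\Windows\\WinSxS\\x86_common-controls_6.0\\comctl32.dll", "comctl32.dll", 0x74000000u, 0x19E000u },
};
#define SAMPLE_COUNT (sizeof sample_snapshot / sizeof sample_snapshot[0])

/* Number of SDBN pairs in the constructed snapshot. */
size_t sample_snapshot_hits(void)
{
    sdbn_hit hits[8];
    return find_sdbn(sample_snapshot, SAMPLE_COUNT, hits, 8);
}

int main(void)
{
    sdbn_hit hits[8];
    size_t n = find_sdbn(sample_snapshot, SAMPLE_COUNT, hits, 8);
    for (size_t k = 0; k < n && k < 8; k++) {
        const ldr_entry *a = &sample_snapshot[hits[k].first], *b = &sample_snapshot[hits[k].second];
        /* Report in the same shape as the RkU lines quoted in the thread, plus the full path. */
        printf("0x%08lX Ldr suspicious modification-->%s [SDBN], %u bytes  (%s)\n",
               (unsigned long)a->dll_base, a->base_dll_name, a->size_of_image, a->full_dll_name);
        printf("0x%08lX Ldr suspicious modification-->%s [SDBN], %u bytes  (%s)\n",
               (unsigned long)b->dll_base, b->base_dll_name, b->size_of_image, b->full_dll_name);
    }
    return 0;
}
```

Before treating an SDBN hit as tampering, compare the FullDllName of both entries: a process that mixes common-controls v5 (system32) with v6 (WinSxS, via an application manifest) legitimately has two comctl32.dll copies loaded, which is the benign explanation for the COMCTL32.dll lines in the report.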
 #5000  by Flopik
 Thu Feb 10, 2011 5:50 pm
I'm running Windows 7 Ultimate x86 and I have BitDefender. Thanks, I forgot about the help file. I will load windbg to see more details.
 #5012  by Flopik
 Fri Feb 11, 2011 1:51 pm
By the way, if you want to remove the false positive for ImageRes.dll hidden that appears in Win7, you can add a check for
(IAT) IMAGE_DATA_DIRECTORY.VirtualAddress and HeadNt.OptionalHeader32.AddressOfEntryPoint; they will be zero. A quick look at the PE header is interesting for detecting loaded resource DLLs.
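The header check proposed above, written out as an added example that is not RkU's code: a small PE header reader (no <windows.h>, so it builds anywhere) that reports a mapped module as resource-only when AddressOfEntryPoint is zero and neither the import directory nor the IAT directory is present. `classify_mapped_image`, `build_sample_pe32` and the synthetic header it produces are my names and constructed input, not a real DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout constants from the PE/COFF specification. */
#define PE_SIGNATURE       0x00004550u   /* "PE\0\0" */
#define OPT_MAGIC_PE32     0x10bu
#define OPT_MAGIC_PE32PLUS 0x20bu
#define DIR_IMPORT         1u            /* IMAGE_DIRECTORY_ENTRY_IMPORT */
#define DIR_IAT            12u           /* IMAGE_DIRECTORY_ENTRY_IAT */

enum pe_kind { PE_INVALID = -1, PE_HAS_CODE = 0, PE_RESOURCE_ONLY = 1 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* VirtualAddress of data directory `index`, or 0 when the optional header has no such entry. */
static uint32_t data_dir_rva(const uint8_t *opt, uint32_t opt_size, uint16_t magic, uint32_t index)
{
    uint32_t nrva_off = (magic == OPT_MAGIC_PE32) ? 92 : 108;   /* NumberOfRvaAndSizes */
    uint32_t dir_off  = (magic == OPT_MAGIC_PE32) ? 96 : 112;   /* DataDirectory[0]   */
    if (opt_size < nrva_off + 4 || index >= rd32(opt + nrva_off)) return 0;
    uint32_t entry = dir_off + index * 8;
    if (opt_size < entry + 8) return 0;
    return rd32(opt + entry);                                    /* IMAGE_DATA_DIRECTORY.VirtualAddress */
}

/* The heuristic from the post, applied to the headers of a mapped module (len bytes readable). */
enum pe_kind classify_mapped_image(const uint8_t *img, size_t len)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return PE_INVALID;            /* "MZ" */
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return PE_INVALID;        /* signature + IMAGE_FILE_HEADER */
    const uint8_t *nt = img + e_lfanew;
    if (rd32(nt) != PE_SIGNATURE) return PE_INVALID;
    uint32_t opt_size = rd16(nt + 4 + 16);                                /* SizeOfOptionalHeader */
    if (len - e_lfanew - 24 < opt_size || opt_size < 2) return PE_INVALID;
    const uint8_t *opt = nt + 24;
    uint16_t magic = rd16(opt);
    uint32_t min_opt = (magic == OPT_MAGIC_PE32) ? 96 : (magic == OPT_MAGIC_PE32PLUS) ? 112 : 0;
    if (min_opt == 0 || opt_size < min_opt) return PE_INVALID;
    uint32_t entry   = rd32(opt + 16);         /* AddressOfEntryPoint, same offset in PE32 and PE32+ */
    uint32_t imports = data_dir_rva(opt, opt_size, magic, DIR_IMPORT);
    uint32_t iat     = data_dir_rva(opt, opt_size, magic, DIR_IAT);
    return (entry == 0 && imports == 0 && iat == 0) ? PE_RESOURCE_ONLY : PE_HAS_CODE;
}

/* Writes a minimal constructed PE32 DLL header (DOS stub, COFF header, optional header, 16 directories)
 * into buf; returns the bytes written or 0 if cap is too small. Sample input only, not a real file. */
size_t build_sample_pe32(uint8_t *buf, size_t cap, uint32_t entry_rva, uint32_t import_rva)
{
    const uint32_t e_lfanew = 0x80, ndirs = 16;
    const size_t total = e_lfanew + 24 + 96 + ndirs * 8;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    uint8_t *nt = buf + e_lfanew;
    wr32(nt, PE_SIGNATURE);
    wr16(nt + 4, 0x14c);                                   /* Machine: IMAGE_FILE_MACHINE_I386 */
    wr16(nt + 4 + 16, (uint16_t)(96 + ndirs * 8));         /* SizeOfOptionalHeader */
    wr16(nt + 4 + 18, 0x2102);                             /* EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL */
    uint8_t *opt = nt + 24;
    wr16(opt, OPT_MAGIC_PE32);
    wr32(opt + 16, entry_rva);                             /* AddressOfEntryPoint */
    wr32(opt + 92, ndirs);                                 /* NumberOfRvaAndSizes */
    wr32(opt + 96 + DIR_IMPORT * 8, import_rva);           /* import directory VirtualAddress */
    if (import_rva) wr32(opt + 96 + DIR_IMPORT * 8 + 4, 0x80);   /* and a non-zero Size */
    return total;
}

/* Runs the constructed cases; returns 1 only if each classifies as expected. */
int sample_checks_pass(void)
{
    uint8_t buf[0x200];
    size_t n = build_sample_pe32(buf, sizeof buf, 0, 0);            /* imageres.dll-style: no entry, no imports */
    if (!n || classify_mapped_image(buf, n) != PE_RESOURCE_ONLY) return 0;
    n = build_sample_pe32(buf, sizeof buf, 0x1000, 0x3000);         /* ordinary code DLL */
    if (!n || classify_mapped_image(buf, n) != PE_HAS_CODE) return 0;
    n = build_sample_pe32(buf, sizeof buf, 0, 0x3000);              /* no entry point but imports: still code */
    if (!n || classify_mapped_image(buf, n) != PE_HAS_CODE) return 0;
    return classify_mapped_image((const uint8_t *)"MZ", 2) == PE_INVALID;
}

int main(void)
{
    printf("sample checks %s\n", sample_checks_pass() ? "passed" : "FAILED");
    return 0;
}
```

A module mapped with LOAD_LIBRARY_AS_IMAGE_RESOURCE is never linked into the PEB Ldr lists, which is exactly why a list-versus-memory comparison reports it as hidden; this check lets the scanner recognise the resource-only image and drop that one class of false positive. It is a filter, not a clean bill of health: a manually mapped payload that resolves its own imports and is entered by a thread start address rather than AddressOfEntryPoint also shows zero in both fields, so a hidden module that passes this test but has executable pages still deserves a look.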