A forum for reverse engineering, OS internals and malware analysis 

 #758  by a_d_13
 Sun Apr 18, 2010 8:11 am
Hello,

Finally, after nearly a year, another release of RootRepeal is close to ready. I've rewritten most of the code involved in RootRepeal, and rewritten the GUI from scratch. As a result, the file size is now about 130KB, and it's substantially more stable and extensible.

In addition, I have included some upgrades that will allow RootRepeal to detect the TDL3 rootkit. It should detect all variants conceptually, including the latest version(s).

This is BETA software, so it may crash your computer, or break something. Please be sure to back up all your files first! If you experience a crash, please upload the minidumps and/or crash report(s) here, or you can email them to me at rootrepeal[at]gmail[d0t]com.

Sample report detecting TDL3:
ROOTREPEAL (c) AD, 2007-2010
==================================================
Report Save Time:		2010/04/18 00:09
Program Version:		Version 2.0.0.0
Windows Version:		Windows XP SP2
==================================================

DRIVERS
-------------------
File Invisible	Dbgv.sys		0xfbe9f000	C:\WINDOWS\system32\Drivers\Dbgv.sys, 15616 bytes
File Invisible	dump_atapi.sys		0xfbe83000	C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
File Invisible	dump_WMILIB.SYS		0xfc9f4000	C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
File Invisible	rootrepeal.sys		0xfb4d7000	C:\WINDOWS\system32\drivers\rootrepeal.sys, 90112 bytes

PROCESSES
-------------------
4	-	System
324	-	C:\WINDOWS\system32\smss.exe
388	-	C:\WINDOWS\system32\alg.exe
420	-	C:\WINDOWS\system32\csrss.exe
452	-	C:\WINDOWS\system32\winlogon.exe
548	-	C:\WINDOWS\system32\services.exe
560	-	C:\WINDOWS\system32\lsass.exe
716	-	C:\WINDOWS\system32\svchost.exe
784	-	C:\WINDOWS\system32\svchost.exe
860	-	C:\WINDOWS\system32\svchost.exe
980	-	C:\WINDOWS\system32\svchost.exe
1004	-	C:\WINDOWS\system32\svchost.exe
1084	-	C:\WINDOWS\system32\wbem\wmiprvse.exe
1144	-	C:\WINDOWS\system32\cmd.exe
1172	-	C:\Documents and Settings\A\Desktop\RRGui.exe
1176	-	C:\WINDOWS\system32\svchost.exe
1196	-	C:\WINDOWS\explorer.exe
1260	-	C:\Documents and Settings\A\Desktop\Dbgview.exe
1344	-	C:\WINDOWS\system32\spoolsv.exe
1476	-	C:\WINDOWS\system32\wuauclt.exe
1484	-	C:\WINDOWS\system32\wbem\wmiadap.exe
1656	-	C:\WINDOWS\system32\wbem\wmiprvse.exe
1864	-	C:\WINDOWS\system32\wuauclt.exe

FILES
-------------------

STEALTH CODE
-------------------
System		0x8125a02f	-	Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System		0x81257ff4	-	Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System		0x8125807e	-	Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System		0x81256434	-	Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System		0x81262dff	-	Hidden Code [ETHREAD: 0xffb67608, TID: 1568]
System		0xfc4145f7	-	Modified Entry Point [Driver: atapi, Other Val: 0xfc415380]
System		0x8129e680	-	Modified Image Section [Driver: atapi, Section Name: .reloc]
System		0x8129e680	-	Modified Image Section [Driver: atapi, Section Name: .rsrc]
System		0x8129e680	-	Modified Image Section [Driver: atapi, Section Name: INIT]

HIDDEN SERVICES
-------------------

SSDT
-------------------
SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK

SHADOW SSDT
-------------------

CALLBACKS
-------------------
LoadImage			0x8125a6a8	<unknown>	
Thanks,
--AD
Attachment: RootRepeal 2.0.0 Beta (125.46 KiB)
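A small parser for the report format shown above, added here as an example (it is not RootRepeal's code or anything posted in this thread). It splits a saved report into its sections and groups the STEALTH CODE findings by driver, so that a "Modified Entry Point" hit such as the atapi one can be pulled out and compared between reports; the sample report is constructed from the ones posted here.

```python
# Parse a RootRepeal 2.0 text report and summarise its STEALTH CODE section.
# Added example, not code from RootRepeal or this thread; the report layout is
# taken from the reports posted above and the sample below is constructed.
import re

SAMPLE_REPORT = """ROOTREPEAL (c) AD, 2007-2010
==================================================
Report Save Time:\t\t2010/04/18 00:09
Program Version:\t\tVersion 2.0.0.0
Windows Version:\t\tWindows XP SP2
==================================================

STEALTH CODE
-------------------
svchost.exe\t0x10000000\t24576\tHidden Module [Path: \\Device\\Ide\\IdePort1\\oipunnba\\oipunnba\\tdlcmd.dll]
System\t\t0x8125a02f\t-\tHidden Code [ETHREAD: 0x812915a8, TID: 8]
System\t\t0xfc4145f7\t-\tModified Entry Point [Driver: atapi, Other Val: 0xfc415380]
System\t\t0x8129e680\t-\tModified Image Section [Driver: atapi, Section Name: .reloc]
System\t\t0x8129e680\t-\tModified Image Section [Driver: atapi, Section Name: INIT]

SSDT
-------------------
SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK
"""

HEADER_RE = re.compile(r"^[A-Z][A-Z ]+$")  # section titles such as "STEALTH CODE"
ENTRY_RE = re.compile(  # process  address  size-or-dash  kind [key: value, ...]
    r"^(?P<proc>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+\S+\s+"
    r"(?P<kind>[^\[]+?)(?:\s*\[(?P<detail>[^\]]*)\])?\s*$"
)

def split_sections(report):
    """Return {section title: [entry lines]}; a title is an all-caps line over a dashed rule."""
    sections, current, lines = {}, None, report.splitlines()
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if HEADER_RE.match(line.strip()) and nxt.startswith("---"):
            current = line.strip()
            sections.setdefault(current, [])
        elif current and line.strip() and not line.startswith("---"):
            sections[current].append(line)
    return sections

def parse_entry(line):
    """Turn one STEALTH CODE line into a dict, or None if it is not in that format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"process": m["proc"], "address": int(m["addr"], 16), "kind": m["kind"].strip()}
    for field in (m["detail"] or "").split(", "):  # bracketed "key: value" pairs
        if ":" in field:
            key, value = field.split(":", 1)
            entry[key.strip()] = value.strip()
    return entry

def summarise_stealth(report):
    """Group STEALTH CODE findings by the driver, module path or process they concern."""
    groups = {}
    for entry in map(parse_entry, split_sections(report).get("STEALTH CODE", [])):
        if entry:
            key = entry.get("Driver") or entry.get("Path") or entry["process"]
            groups.setdefault(key, []).append(entry)
    return groups

def patched_entry_points(report):
    """Map driver name -> (reported address, 'Other Val') for Modified Entry Point hits."""
    return {e["Driver"]: (e["address"], int(e["Other Val"], 16))
            for e in map(parse_entry, split_sections(report).get("STEALTH CODE", []))
            if e and e["kind"] == "Modified Entry Point" and "Other Val" in e}
```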
 #759  by EP_X0FF
 Sun Apr 18, 2010 8:20 am
Hi AD,

Nice to see a new release. I'm trying it now on my machines.

A few suggestions and bug(?) reports.

I see the drivers page constantly re-sorting after a new element is added.
Size mismatch detection would be more reliable if it excluded non-executable data, e.g. text files.
On the report page, if I click Cancel the program locks up - I can't change tab, etc.

Regards.
 #760  by a_d_13
 Sun Apr 18, 2010 8:29 am
Hello,

Thank you for testing :D
The refresh after adding each element is by design - when verifying digital signatures (option available in "Settings" dialog), the scan takes a long time, and so, showing every element as it is inserted makes the program not look like it has frozen.
I will add an option to exclude non-executable data from the size mismatch detection in the next build. The bug on the reports scan will also be fixed.

Thanks,
--AD
 #761  by EP_X0FF
 Sun Apr 18, 2010 8:41 am
Thank you for the reply :D

More bug reports for you :) I'm testing RootRepeal 2 under Windows 7 Ultimate now (VMware 7.0.1, 2 CPUs).

Drivers scan works well, but it found some unknown unnamed driver which does not exist.

btw clicking on Properties of this unknown file gives me the properties of the drivers folder.

Processes scan works well, stealth code and registry also.
On SSDT page RootRepeal crashed.
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows 7 SP0
Exception Code: 0xc0000005
Exception Address: 0x00237e70
Attempt to read from address: 0x00000000
Generated dmp file attached.

Shadow SSDT works well. On callbacks page RootRepeal crashed.
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows 7 SP0
Exception Code: 0xc0000005
Exception Address: 0x001fc06a
Attempt to read from address: 0x0000000c
Attached as Dump2.rar

I can provide more information, because I can test RootRepeal on all available NT versions (since 5.0).

edit:

I can confirm that RootRepeal 2 is able to detect TDL3 infection (in this case it was original TDL3 which is more complex to detect).
ROOTREPEAL (c) AD, 2007-2010
==================================================
Report Save Time: 2010/04/18 16:47
Program Version: Version 2.0.0.0
Windows Version: Windows XP SP3
==================================================

STEALTH CODE
-------------------
svchost.exe 0x10000000 24576 Hidden Module [Path: \Device\Ide\IdePort1\oipunnba\oipunnba\tdlcmd.dll]
System 0xf84a89f7 - Modified Entry Point [Driver: atapi, Other Val: 0xf84a9780]
System 0x81fdd878 - Modified Image Section [Driver: atapi, Section Name: .reloc]
System 0x81fdd878 - Modified Image Section [Driver: atapi, Section Name: .rsrc]
System 0x81fdd878 - Modified Image Section [Driver: atapi, Section Name: INIT]

Windows Vista SP0 (Virtual PC 2007 1 CPU)
Crash on drivers page
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows Vista SP0
Exception Code: 0xc0000005
Exception Address: 0x002983c2
Attempt to write to address: 0x00000004
Dump attached as Dump3.rar

It seems to be unworkable on this OS, because all my attempts to scan led to a crash on each page I tried :(

Windows Vista SP2 (Virtual PC 2007 1 CPU)

Long initialization and then BSOD. No other tools running, clean system.
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 833e55c8, The pool entry we were looking for within the page.
Arg3: 833e59d0, The next pool entry.
Arg4: 08810011, (reserved)

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for rootrepeal.sys
*** ERROR: Module load completed but symbols could not be loaded for rootrepeal.sys

BUGCHECK_STR: 0x19_20

POOL_ADDRESS: 833e55c8

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

PROCESS_NAME: RootRepeal.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 8191fc2c to 818f6859

STACK_TEXT:
8ea6bb2c 8191fc2c 00000019 00000020 833e55c8 nt!KeBugCheckEx+0x1e
8ea6bba4 94979888 833e55d0 00000000 00000004 nt!ExFreePoolWithTag+0x17f
WARNING: Stack unwind information not available. Following frames may be wrong.
8ea6bbe4 9497477c 8ea6bc18 83356e38 82f825f8 rootrepeal+0x6888
8ea6bc2c 818811af 82f825f8 833b0008 833b0008 rootrepeal+0x177c
8ea6bc44 81a2de9a 83356e38 833b0008 833b0078 nt!IofCallDriver+0x63
8ea6bc64 81a389db 82f825f8 83356e38 01f97300 nt!IopSynchronousServiceTail+0x1d9
8ea6bd00 81a6a85e 82f825f8 833b0008 00000000 nt!IopXxxControlFile+0x6b7
8ea6bd34 818929aa 000000e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
8ea6bd34 00ee9b3f 000000e8 00000000 00000000 nt!KiFastCallEntry+0x12a
0029f724 00000000 00000000 00000000 00000000 0xee9b3f


STACK_COMMAND: kb

FOLLOWUP_IP:
rootrepeal+6888
94979888 ?? ???

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: rootrepeal+6888

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: rootrepeal

IMAGE_NAME: rootrepeal.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4bcab9cb

FAILURE_BUCKET_ID: 0x19_20_rootrepeal+6888

BUCKET_ID: 0x19_20_rootrepeal+6888

Followup: MachineOwner
Minidump attached. Let me know if you need the whole 90 MB dump.

Windows 2000 SP0 (VMware 7.0.1)
I assume it is still supported :)
All works well, except Callbacks: a long wait and after this a BSOD when trying to close RootRepeal.
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
Minidump attached.
Attachments: 2000 BSOD (6.42 KiB), Vista BSOD (17.15 KiB), and three further unnamed attachments (24.5 KiB, 20.42 KiB, 25.13 KiB)
 #762  by Alex
 Sun Apr 18, 2010 9:24 am
It's nice to see this beta :)

I tested it under Windows XP SP2 - VMware 6.5.

It shows unknown records like these:
Hidden		<empty>			0x00000000	<empty>, 4083 bytes
Hidden		<empty>			0x00000000	<empty>, 4071 bytes
Hidden		<empty>			0x00000000	<empty>, 4069 bytes
and crashes while showing SSDT and Callbacks. It also shows "Error in scan" on the status strip while scanning services and shadow SSDT.

Alex
Attachments: one unnamed file (30.74 KiB)
 #769  by kmd
 Mon Apr 19, 2010 5:13 am
:shock: What is this? Intel Core 2 Duo, XP SP3 with all updates, MSE as antivirus, hardware firewall.
ROOTREPEAL (c) AD, 2007-2010
==================================================
Report Save Time: 2010/04/19 13:12
Program Version: Version 2.0.0.0
Windows Version: Windows XP SP3
==================================================

DRIVERS
-------------------
Hidden <empty> 0x00000000 <empty>, 4087 bytes
Hidden <empty> 0x00000000 <empty>, 4086 bytes
Hidden <empty> 0x00000000 <empty>, 4085 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4082 bytes
Hidden <empty> 0x00000000 <empty>, 4081 bytes
Hidden <empty> 0x00000000 <empty>, 4080 bytes
Hidden <empty> 0x00000000 <empty>, 4079 bytes
Hidden <empty> 0x00000000 <empty>, 4078 bytes
Hidden <empty> 0x00000000 <empty>, 4077 bytes
Hidden <empty> 0x00000000 <empty>, 4076 bytes
Hidden <empty> 0x00000000 <empty>, 4075 bytes
Hidden <empty> 0x00000000 <empty>, 4074 bytes
Hidden <empty> 0x00000000 <empty>, 4073 bytes
Hidden <empty> 0x00000000 <empty>, 4072 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4087 bytes
Hidden <empty> 0x00000000 <empty>, 4086 bytes
Hidden <empty> 0x00000000 <empty>, 4085 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4082 bytes
Hidden <empty> 0x00000000 <empty>, 4081 bytes
Hidden <empty> 0x00000000 <empty>, 4079 bytes
Hidden <empty> 0x00000000 <empty>, 4075 bytes
Hidden <empty> 0x00000000 <empty>, 4074 bytes
Hidden <empty> 0x00000000 <empty>, 4072 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4095 bytes
Hidden <empty> 0x00000000 <empty>, 4094 bytes
Hidden <empty> 0x00000000 <empty>, 4093 bytes
Hidden <empty> 0x00000000 <empty>, 4092 bytes
Hidden <empty> 0x00000000 <empty>, 4091 bytes
Hidden <empty> 0x00000000 <empty>, 4090 bytes
Hidden <empty> 0x00000000 <empty>, 4089 bytes
Hidden <empty> 0x00000000 <empty>, 4088 bytes
Hidden <empty> 0x00000000 <empty>, 4087 bytes
Hidden <empty> 0x00000000 <empty>, 4086 bytes
Hidden <empty> 0x00000000 <empty>, 4085 bytes
Hidden <empty> 0x00000000 <empty>, 4084 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4082 bytes
Hidden <empty> 0x00000000 <empty>, 4081 bytes
Hidden <empty> 0x00000000 <empty>, 4080 bytes
Hidden <empty> 0x00000000 <empty>, 4079 bytes
Hidden <empty> 0x00000000 <empty>, 4078 bytes
Hidden <empty> 0x00000000 <empty>, 4077 bytes
Hidden <empty> 0x00000000 <empty>, 4076 bytes
Hidden <empty> 0x00000000 <empty>, 4075 bytes
Hidden <empty> 0x00000000 <empty>, 4074 bytes
Hidden <empty> 0x00000000 <empty>, 4073 bytes
Hidden <empty> 0x00000000 <empty>, 4072 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4070 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4087 bytes
Hidden <empty> 0x00000000 <empty>, 4084 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4092 bytes
Hidden <empty> 0x00000000 <empty>, 4091 bytes
Hidden <empty> 0x00000000 <empty>, 4084 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4092 bytes
Hidden <empty> 0x00000000 <empty>, 4091 bytes
Hidden <empty> 0x00000000 <empty>, 4085 bytes
Hidden <empty> 0x00000000 <empty>, 4084 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4078 bytes
Hidden <empty> 0x00000000 <empty>, 4073 bytes
Hidden <empty> 0x00000000 <empty>, 4072 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4092 bytes
Hidden <empty> 0x00000000 <empty>, 4091 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4092 bytes
Hidden <empty> 0x00000000 <empty>, 4091 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4095 bytes
Hidden <empty> 0x00000000 <empty>, 4094 bytes
Hidden <empty> 0x00000000 <empty>, 4090 bytes
Hidden <empty> 0x00000000 <empty>, 4089 bytes
Hidden <empty> 0x00000000 <empty>, 4087 bytes
Hidden <empty> 0x00000000 <empty>, 4086 bytes
Hidden <empty> 0x00000000 <empty>, 4085 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4082 bytes
Hidden <empty> 0x00000000 <empty>, 4081 bytes
Hidden <empty> 0x00000000 <empty>, 4080 bytes
Hidden <empty> 0x00000000 <empty>, 4079 bytes
Hidden <empty> 0x00000000 <empty>, 4078 bytes
Hidden <empty> 0x00000000 <empty>, 4077 bytes
Hidden <empty> 0x00000000 <empty>, 4076 bytes
Hidden <empty> 0x00000000 <empty>, 4075 bytes
Hidden <empty> 0x00000000 <empty>, 4074 bytes
Hidden <empty> 0x00000000 <empty>, 4073 bytes
Hidden <empty> 0x00000000 <empty>, 4072 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4092 bytes
Hidden <empty> 0x00000000 <empty>, 4091 bytes
Hidden <empty> 0x00000000 <empty>, 4084 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4092 bytes
Hidden <empty> 0x00000000 <empty>, 4091 bytes
Hidden <empty> 0x00000000 <empty>, 4085 bytes
Hidden <empty> 0x00000000 <empty>, 4084 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4078 bytes
Hidden <empty> 0x00000000 <empty>, 4073 bytes
Hidden <empty> 0x00000000 <empty>, 4072 bytes
Hidden <empty> 0x00000000 <empty>, 4071 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden <empty> 0x00000000 <empty>, 4092 bytes
Hidden <empty> 0x00000000 <empty>, 4091 bytes
Hidden <empty> 0x00000000 <empty>, 4087 bytes
Hidden <empty> 0x00000000 <empty>, 4085 bytes
Hidden <empty> 0x00000000 <empty>, 4084 bytes
Hidden <empty> 0x00000000 <empty>, 4083 bytes
Hidden <empty> 0x00000000 <empty>, 4078 bytes
Hidden <empty> 0x00000000 <empty>, 4073 bytes
Hidden <empty> 0x00000000 <empty>, 4072 bytes
Hidden <empty> 0x00000000 <empty>, 4069 bytes
Hidden atapi.sys 0x00000000 atapi.sys, 0 bytes
File Invisible dump_atapi.sys 0xb3f7b000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
File Invisible dump_WMILIB.SYS 0xb862c000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
Hidden PCI_PNP3504 0x00000000 \Driver\PCI_PNP3504, 0 bytes
File Invisible rootrepeal.sys 0xb352e000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes
Hidden sptd 0x00000000 \Driver\sptd, 0 bytes
File Invisible spvn.sys 0xb7ea7000 spvn.sys, 1048576 bytes
I believe it has a bug on the stealth page:
it lists atapi.sys as a modified entry point while it is not (I'm pretty sure; GMER and the latest RkU do not show anything).
 #770  by Brookit
 Mon Apr 19, 2010 1:50 pm
I encounter the same problems as kmd and Alex (dumps attached below).

Second, if you click on "Report" -> "Scan" -> "Cancel", all other tabs are frozen.

And last, the "Wipe, Copy and Delete" and "Delete Registry Key" tools are not working:
  • "Wipe File" -> "Yes" -> "Successfully wiped file!", but it is still there.
  • "Copy File" -> success, but the file contains only NULL bytes.
  • "Force Delete" -> always error, whatever you choose.
  • "Delete Registry Key" -> always error, whatever you choose.
My setup:
Windows XP 32-bit (SP3)
No AV/security programs or firewall
Only known system intervention program is DAEMON Tools Lite

Regards
Attachments: one unnamed file (39 KiB)
 #845  by InsaneKaos
 Fri Apr 23, 2010 2:13 am
I've tested RootRepeal, too. Got some crashes with SSDT (always), Callbacks (always) and sometimes during HiddenCode. Tested with Windows 7 Ultimate on VBox. All crash and dmp files are attached.

btw: The unknown driver that is almost hidden is the drivers folder. Right-click on it and open Properties.
Attachments: RootRepeal crash report and dump file, Windows 7 Ultimate on VBox 3.1.4 r57640 (74.83 KiB)
 #906  by Cr4sh
 Wed Apr 28, 2010 12:28 am
a_d_13 wrote:
In addition, I have included some upgrades that will allow RootRepeal to detect the TDL3 rootkit. It should detect all variants conceptually, including the latest version(s).
Version 3.273 is not detectable by RootRepeal.

Program log:
ROOTREPEAL (c) AD, 2007-2010
==================================================
Report Save Time:		2010/04/28 01:23
Program Version:		Version 2.0.0.0
Windows Version:		Windows XP SP3
==================================================

DRIVERS
-------------------
Hidden					0x00000000	, 0 bytes
File Invisible	rootrepeal.sys		0xf7db2000	C:\WINDOWS\system32\drivers\rootrepeal.sys, 49152 bytes

PROCESSES
-------------------
4	-	System
432	-	C:\Program Files\VMware\VMware Tools\VMwareService.exe
700	-	C:\WINDOWS\system32\smss.exe
772	-	C:\WINDOWS\system32\csrss.exe
796	-	C:\WINDOWS\system32\winlogon.exe
852	-	C:\WINDOWS\system32\services.exe
864	-	C:\WINDOWS\system32\lsass.exe
924	-	C:\DOCUME~1\Test\LOCALS~1\Temp\Rar$EX39.281\RootRepeal.exe
1040	-	C:\WINDOWS\system32\svchost.exe
1136	-	C:\WINDOWS\system32\svchost.exe
1164	-	C:\Program Files\WinRAR\WinRAR.exe
1296	-	C:\WINDOWS\system32\svchost.exe
1432	-	C:\WINDOWS\system32\svchost.exe
1524	-	C:\WINDOWS\explorer.exe
1540	-	C:\WINDOWS\system32\svchost.exe
1724	-	C:\WINDOWS\system32\spoolsv.exe
1820	-	C:\Program Files\VMware\VMware Tools\VMwareTray.exe
1828	-	C:\Program Files\VMware\VMware Tools\VMwareUser.exe
1836	-	C:\WINDOWS\system32\ctfmon.exe

FILES
-------------------
Mismatch	C:\Documents and Settings\Test\NTUSER.DAT.LOG, Size mismatch (API: 16384, Raw: 1024)

STEALTH CODE
-------------------
System		0x816f78b4	-	Hidden Code
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_CLEANUP]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_CLOSE]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_CREATE]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_CREATE_MAILSLOT]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_CREATE_NAMED_PIPE]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_DEVICE_CHANGE]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_DEVICE_CONTROL]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_DIRECTORY_CONTROL]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_FILE_SYSTEM_CONTROL]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_FLUSH_BUFFERS]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_LOCK_CONTROL]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_POWER]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_QUERY_EA]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_QUERY_INFORMATION]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_QUERY_QUOTA]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_QUERY_SECURITY]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_QUERY_VOLUME_INFORMATION]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_READ]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_SCSI]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_SET_EA]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_SET_INFORMATION]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_SET_SECURITY]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_SET_VOLUME_INFORMATION]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_SHUTDOWN]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_SYSTEM_CONTROL]
System		0x816f7ac8	-	Hidden Code [Driver: , IRP: IRP_MJ_WRITE]
System		0xf9af4657	-	Modified Entry Point [Driver: TermDD, Other Val: 0xf9af5214]

HIDDEN SERVICES
-------------------

SHADOW SSDT
-------------------

TDL3 config.ini:
[main]
quote=You people voted for Hubert Humphrey, and you killed Jesus
version=3.273
botid=7a91eb86-a6be-4db5-8694-0337dad2c75d
affid=20592
subid=0
installdate=22.4.2010 23:42:43
builddate=20.4.2010 16:17:53
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://li1i16b0.com/;https://19js810300z.com/;https://lj1i16b0.com/;
https://zz87jhfda88.com/;https://n16fa53.com/;https://01n02n4cx00.cc/
wspservers=http://7gafd33ja90a.com/;http://n1mo661s6cx0.com/;
http://30xc1cjh91.com/;http://j00k877x.cc/;http://m01n83kjf7.com/
popupservers=http
version=3.741
Also, I have some user mode crashes while scanning SSDT and Callbacks:
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP3
Exception Code: 0xc0000005
Exception Address: 0x00417e70
Attempt to read from address: 0x00000000
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP3
Exception Code: 0xc0000005
Exception Address: 0x0040c06a
Attempt to read from address: 0x0000000c
 #907  by nullptr
 Wed Apr 28, 2010 2:46 am
STEALTH CODE
-------------------
System 0x816f78b4 - Hidden Code
System 0x816f7ac8 - Hidden Code [Driver: , IRP: IRP_MJ_CLEANUP
...
System 0x816f7ac8 - Hidden Code [Driver: , IRP: IRP_MJ_WRITE]
System 0xf9af4657 - Modified Entry Point [Driver: TermDD, Other Val: 0xf9af5214]
Looks to me like it detects tdl3 - TermDD.sys