A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #457  by EP_X0FF
 Fri Mar 26, 2010 2:23 pm
\Device\Ptilink is a driver object of PTILINK.SYS, which is related to the Parallel Technologies DirectParallel IO Library.

What about the second one? I'm not sure what this is. If you are interested, can you attach it here for further analysis (or upload it somewhere to a free file host)?

NOD32 v4? I've tried RkU before together with NOD without any problems. Did you try running a full chkdsk scan of your system disk?
 #459  by wealllbe20
 Fri Mar 26, 2010 3:09 pm
Hampa wrote:
EP_X0FF wrote: Hello,
Code:
Name: Ptilink
Image Path: \Driver\Ptilink
Address: 0xF7966000	Size: 20608	File Visible: No	Signed: -
Status: Hidden from the Windows API!

Name: ࠂం扏楄
Image Path: ࠂం扏楄
Address: 0xF697F000	Size: 158720	File Visible: No	Signed: -
Status: Hidden from the Windows API!
http://www.virustotal.com/en/analisis/7 ... 1269611971
http://www.virustotal.com/en/analisis/5 ... 1269611988

This looks somewhat familiar from this forum:
http://www.d-a-l.com/help/spyware-adwar ... dll-4.html

search for: 扏煓

I really don't know, though.
 #460  by Hampa
 Fri Mar 26, 2010 3:17 pm
EP_X0FF wrote: \Device\Ptilink is a driver object of PTILINK.SYS, which is related to the Parallel Technologies DirectParallel IO Library.

What about the second one? I'm not sure what this is. If you are interested, can you attach it here for further analysis (or upload it somewhere to a free file host)?

NOD32 v4? I've tried RkU before together with NOD without any problems. Did you try running a full chkdsk scan of your system disk?
I'm going to post all the things I find that might be related to my problem with RkU, so sorry if I get too far off topic, but I figure it's best to post everything I found.

First, those two hidden drivers didn't show up after reboot; I haven't seen them again.
I uploaded them both to:
http://rapidshare.com/files/368404568/drivers.rar.html
PW: kernelmode
MD5: E4A26610E59854FBBE407F01D71B350B

Secondly, I was wrong: in RootRepeal the hooks I thought were from NOD32 were from Outpost.
I don't have it active, but apparently it had a driver running which did those hooks, so I uninstalled it and disabled NOD (to be sure).

Now after reboot (without Outpost or NOD running) I have some new results from RootRepeal (still the same with RkU, it hangs at the same place as before).
RootRepeal shows some weird hooks (they weren't shown before, maybe because the Outpost hooks were shown instead, I don't know):

http://img411.imageshack.us/img411/534/hooks.png
And this is the log file:
http://rapidshare.com/files/368408426/rep.txt.htm

log from stealth objects:
http://rapidshare.com/files/368415011/s ... s.txt.html

(Also, I think it's a bug in RootRepeal: when sorting the hooks like in the left window in the image and then saving a log file, the log file is different
http://rapidshare.com/files/368409417/rep2.txt.html )

edit: I ran chkdsk and it reported 0 damaged sectors.
 #461  by EP_X0FF
 Fri Mar 26, 2010 3:40 pm
Hello,

The second unknown driver was the Intel(R) PRO/100 Adapter NDIS 5.1 driver. I'm not sure why RootRepeal reported it so strangely.
http://img411.imageshack.us/img411/534/hooks.png
These are NOD32 hooks. I'm observing the same on my test machine with NOD32 v4 installed. They weren't visible because of the Outpost hooks.

Everything else is also NOD32 related.

Are you sure you don't have anything else installed?

Kind Regards.
 #462  by Hampa
 Fri Mar 26, 2010 3:54 pm
EP_X0FF wrote: The second unknown driver was the Intel(R) PRO/100 Adapter NDIS 5.1 driver. I'm not sure why RootRepeal reported it so strangely.
Alright, that's good then.
EP_X0FF wrote: Are you sure you don't have anything else installed?
I had Kerio installed before but removed it long ago, and Outpost as said, but it's also removed now.

Except for those it's only NOD32, nothing else.

Log from a full scan with RootRepeal:
http://rapidshare.com/files/368421934/f ... n.txt.html

Some time ago RkU worked on my system, but in some of the later versions it stopped working; since then no new AV/FW/HIPS have been installed, and I never used any disk encryption program or similar.
(Also, if I'm not mistaken, RootRepeal didn't give that error about an invalid PE image before; I think it's only more recently that it's been doing this, but I'm not sure.)

When trying to start RkU in safe mode it doesn't hang; it says there is an error loading/opening the driver.

edit: after restart, RootRepeal shows a new driver as hidden
Code:
Name: disk.sys
Image Path: disk.sys
Address: 0xF772C000	Size: 36352	File Visible: -	Signed: -
Status: Hidden from the Windows API!
http://www.virustotal.com/en/analisis/e ... 1269619543
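The hidden-driver records quoted in this post and in #459 share one fixed-field layout. As an added example that is not part of the thread and not RootRepeal's or RkU's code, here is a small Python parser for that layout with a triage pass that flags the signs discussed above: entries hidden from the Windows API, names that are not readable text (as with the corrupted Intel NDIS entry), and entries whose backing file is not visible. The sample log is constructed from the entries quoted in the thread plus one made-up clean record.

```python
import re
# Constructed sample in RootRepeal's driver-list layout, modelled on the entries
# quoted in this thread; the third record is a made-up clean entry for contrast.
SAMPLE_LOG = """Name: Ptilink
Image Path: \\Driver\\Ptilink
Address: 0xF7966000\tSize: 20608\tFile Visible: No\tSigned: -
Status: Hidden from the Windows API!

Name: \u0802\u0c02\u624f\u6944
Image Path: \u0802\u0c02\u624f\u6944
Address: 0xF697F000\tSize: 158720\tFile Visible: No\tSigned: -
Status: Hidden from the Windows API!

Name: disk.sys
Image Path: disk.sys
Address: 0xF772C000\tSize: 36352\tFile Visible: Yes\tSigned: -
Status: -
"""

FIELD_RE = re.compile(r"^(Name|Image Path|Address|Size|File Visible|Signed|Status): ?(.*)$")

def parse_rootrepeal_drivers(text):
    """Return one dict per blank-line-separated record; Address/Size as ints."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # the Address line packs several tab-separated fields on one line
            for part in line.split("\t"):
                m = FIELD_RE.match(part.strip())
                if m:
                    fields[m.group(1)] = m.group(2).strip()
        fields["Address"] = int(fields["Address"], 16)
        fields["Size"] = int(fields["Size"])
        entries.append(fields)
    return entries

def triage(entry):
    """Reasons an entry deserves a closer look, in a fixed order."""
    reasons = []
    if "Hidden" in entry.get("Status", ""):
        reasons.append("hidden from Windows API")
    if not entry["Name"].isascii() or not entry["Name"].isprintable():
        # An unreadable name usually means the scanner read a corrupted or stale
        # structure; as in this thread, rule out faulty RAM/disk before assuming a rootkit.
        reasons.append("garbled name")
    if entry.get("File Visible") == "No":
        reasons.append("backing file not visible")
    return reasons
```

Run `triage` over every record from `parse_rootrepeal_drivers` to get a short, repeatable list of why each entry stands out before comparing it against a known-good driver list.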
 #463  by EP_X0FF
 Fri Mar 26, 2010 4:11 pm
Well, RkU can work in safe mode, but it needs to be configured to do that. In your case safe mode is not necessary. This hidden disk.sys gives me only one explanation: something is wrong with your hardware. I'm not sure if it is the disk or the RAM, or maybe both.
 #464  by Hampa
 Fri Mar 26, 2010 4:24 pm
EP_X0FF wrote: Well, RkU can work in safe mode, but it needs to be configured to do that. In your case safe mode is not necessary. This hidden disk.sys gives me only one explanation: something is wrong with your hardware. I'm not sure if it is the disk or the RAM, or maybe both.
Just for the record, after a new reboot, disk.sys isn't shown as hidden, and those <unknown> SSDT hooks aren't there either, even with NOD running.

So, hardware error :(
Well, as long as the system works for my needs and it isn't doing anything malicious, then I'm happy.
Just tell me if there is anything more you want me to try.

and thanks for taking your time :)
 #465  by EP_X0FF
 Fri Mar 26, 2010 4:27 pm
RootRepeal, as well as many other antirootkits including RootkitUnhooker, uses memory scanning intensively while it works. This can be the reason for the RkU freeze at startup (it is doing a full memory scan) and for the unknown entries in the RootRepeal logs. NOD32 seems to have gone crazy as well.

One last thing: maybe you are using overclocking or something? RAM timings?
 #466  by Hampa
 Fri Mar 26, 2010 4:37 pm
EP_X0FF wrote: RootRepeal, as well as many other antirootkits including RootkitUnhooker, uses memory scanning intensively while it works. This can be the reason for the RkU freeze at startup (it is doing a full memory scan) and for the unknown entries in the RootRepeal logs. NOD32 seems to have gone crazy as well.

One last thing: maybe you are using overclocking or something? RAM timings?
I never did anything with my hardware.
But my computer has been used very intensively for 4 years now, so a hardware error sounds kind of likely.
 #468  by EP_X0FF
 Sat Mar 27, 2010 9:06 am
liangtong wrote: On Windows 7 XP Mode, scanning stealth code failed.
Exception code : 0xC0000005
Instruction address : 0x0043D470
Attempt to read at address : 0x013A1007
Hello,

Cannot reproduce: x86 Windows 7 Ultimate Eng, Windows XP Mode installed, hardware VT enabled.
RkU 3.8 Stealth Code scanning is working well with SelfProtection and without.
Does your CPU support HW VT?

Regards.