System Virginity Verifier 1.0 Finds Kernel Jump Hole


charlestek
October 22nd, 2005, 10:50 PM
Hi. I just tried the System Virginity Verifier cited from the Sunbelt Software Blog <URL: http://www.invisiblethings.org/tools.html >
http://www.rootkit.com/newsread.php?newsid=357
(Description below in asterisked section)
and it warns me that I have a massive difference between kernel32.dll on disk and in memory on my WinXP Pro SP2 system. I also have ZoneAlarm Pro on my system and PivX's PreEmpt. The log shows the ZoneAlarm vsdatant.sys driver, and says I have a bad problem in kernel32.dll. Can anyone offer an opinion as to whether this could be a false positive, or do I need to panic???
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
module ntoskrnl.exe [0x80800000 - 0x80a14100]:
0x8080403d [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file :c3
memory :90
verdict = 1

0x80804aa2 18 byte(s): exclusion filter: KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x80804aba 1 byte(s): exclusion filter: single byte modification
file :c3
memory :00
verdict = 1

0x808078ea 1 byte(s): exclusion filter: single byte modification
file :05
memory :06
verdict = 1

0x8080b724 [KiServiceTable[31]] 4 byte(s): KiServiceTable HOOK:
address 0xb96d01c0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :ad 24 8b 80
memory :c0 01 6d b9
verdict = 2

0x8080b73c [KiServiceTable[37]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cd2d0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :48 9d 89 80
memory :d0 d2 6c b9
verdict = 2

0x8080b74c [KiServiceTable[41]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e5864 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :61 77 89 80
memory :64 58 6e b9
verdict = 2

0x8080b764 [KiServiceTable[47]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e4680 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :14 63 8d 80
memory :80 46 6e b9
verdict = 2

0x8080b768 [KiServiceTable[48]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e48a0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :1a 94 8a 80
memory :a0 48 6e b9
verdict = 2

0x8080b770 [KiServiceTable[50]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e7280 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :1b d4 88 80
memory :80 72 6e b9
verdict = 2

0x8080b7a0 [KiServiceTable[62]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cd7b0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :07 cc 8f 80
memory :b0 d7 6c b9
verdict = 2

0x8080b7a4 [KiServiceTable[63]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e5fb0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :78 9f 8b 80
memory :b0 5f 6e b9
verdict = 2

0x8080b7ac [KiServiceTable[65]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e5d90 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :fa 79 8b 80
memory :90 5d 6e b9
verdict = 2

0x8080b7b8 [KiServiceTable[68]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e3fc0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :b6 ca 89 80
memory :c0 3f 6e b9
verdict = 2

0x8080b82c [KiServiceTable[97]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cb380 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :ec 98 8c 80
memory :80 b3 6c b9
verdict = 2

0x8080b830 [KiServiceTable[98]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e6160 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :f0 3c 8d 80
memory :60 61 6e b9
verdict = 2

0x8080b858 [KiServiceTable[108]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e74e0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :fc c2 89 80
memory :e0 74 6e b9
verdict = 2

0x8080b878 [KiServiceTable[116]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cd5e0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :e3 9c 89 80
memory :e0 d5 6c b9
verdict = 2

0x8080b890 [KiServiceTable[122]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e3dc0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :96 cc 89 80
memory :c0 3d 6e b9
verdict = 2

0x8080b8a8 [KiServiceTable[128]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e3b90 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :74 19 8b 80
memory :90 3b 6e b9
verdict = 2

0x8080b9ac [KiServiceTable[193]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e6420 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :32 62 97 80
memory :20 64 6e b9
verdict = 2

0x8080b9c8 [KiServiceTable[200]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cfe90 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :ba fe 89 80
memory :90 fe 6c b9
verdict = 2

0x8080b9d8 [KiServiceTable[204]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e66a0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :56 4d 97 80
memory :a0 66 6e b9
verdict = 2

0x8080b9f0 [KiServiceTable[210]] 4 byte(s): KiServiceTable HOOK:
address 0xb96d0370 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :ca e9 8a 80
memory :70 03 6d b9
verdict = 2

0x8080ba28 [KiServiceTable[224]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cd920 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :2c 0e 8a 80
memory :20 d9 6c b9
verdict = 2

0x8080ba68 [KiServiceTable[240]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cb1f0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :d6 7e 8c 80
memory :f0 b1 6c b9
verdict = 2

0x8080ba84 [KiServiceTable[247]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e5b80 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :1d dc 89 80
memory :80 5b 6e b9
verdict = 2

0x8080baac [KiServiceTable[257]] 4 byte(s): KiServiceTable HOOK:
address 0xb96e4ad0 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :2b bc 8a 80
memory :d0 4a 6e b9
verdict = 2

0x8080bac0 [KiServiceTable[262]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cb530 is inside vsdatant.sys module
[0xb96b5000-0xb970e000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :54 14 94 80
memory :30 b5 6c b9
verdict = 2

0x8080bac4 [KiServiceTable[263]] 4 byte(s): KiServiceTable HOOK:
address 0xf7a1f63c is inside uphcleanhlp.sys module
[0xf7a1f000-0xf7a21000]
target module path: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
module file is NOT PRESENT!!!
file :2b 50 97 80
memory :3c f6 a1 f7
verdict = 3

module ntoskrnl.exe: end of details
kernel32.dll (7c800000 - 7c8f4000)... suspected! (verdict = 5).
module kernel32.dll [0x7c800000 - 0x7c8f4000]:
0x7c801af1 [LoadLibraryExW()+0] 6 byte(s): JMPing code (jmp to: 0x5f05001e)
address 0x5f05001e DOES NOT belong to ANY MODULE!
file :6a 34 68 88 e2 80
memory :ff 25 1e 00 05 5f
verdict = 5

0x7c80aa7b [FreeLibrary()+15] 4 byte(s): SUSPECTED code modification:
file :dc ff ff ff
memory :bd 55 7f e2
verdict = 5

module kernel32.dll: end of details

SYSTEM INFECTION LEVEL: 5
0 - BLUE
1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The woman who wrote it describes it:
***************************************************************************************************************
The idea behind SVV is to check important Windows System components, which are usually altered by various
stealth malware, in order to ensure system integrity and to discover potential system compromise.

SVV 1.0 implements only code virginity verification which is the first step in SVV implementation and its task
is to ensure the integrity of the code sections of in-memory mapped kernel and usermode modules (that is kernel
drivers and usermode DLLs).

Yes, there are dozens of ways to write a rootkit not detectable by SVV 1.0, because SVV 1.0 is not intended to
be an ultimate solution - it's just a first step in building integrity based compromise detector. Next steps
will involve IDT, SDT, IRP dispatch tables checking, etc...

How is SVV different from VICE? SVV doesn't look for known patterns of infection as VICE does (JMP hooks);
it just ensures in-memory code integrity. VICE seems to generate lots of false positives, while SVV was designed to
minimize the number of false positives. On the other hand, SVV 1.0 checks only code sections, while VICE is
able to check also IAT/EAT, SDT and IRP dispatch tables.

More details about SVV can be found in my recent HITB presentation:
http://invisiblethings.org/papers/hitb05_virginity_verifier.ppt

SVV 1.0 can be downloaded here:
http://invisiblethings.org/tools/svv-1.0-public.zip

charlestek
October 22nd, 2005, 11:09 PM
Well, on the advice of a security expert from criticalsites.com,
I shut down the PreEmpt service, snoozed my antivirus, shut down ZoneAlarm,
and killed my antispyware. Now I only get an error from the user hive profile cleaner that I know has a problem (uninstalling it removes this error)
Here is the new log:

verifying module: [ ntoskrnl.exe] 0%... -
verifying module: [ hal.dll] 1%... \
verifying module: [ KDCOM.DLL] 1%... |
verifying module: [ BOOTVID.dll] 2%... /
verifying module: [ ACPI.sys] 3%... -
verifying module: [ WMILIB.SYS] 3%... \
verifying module: [ pci.sys] 4%... |
verifying module: [ isapnp.sys] 5%... /
verifying module: [ viaide.sys] 5%... -
verifying module: [ PCIIDEX.SYS] 6%... \
verifying module: [ MountMgr.sys] 6%... |
verifying module: [ ftdisk.sys] 7%... /
verifying module: [ dmload.sys] 8%... -
verifying module: [ dmio.sys] 8%... \
verifying module: [ vIdeBus.sys] 9%... |
verifying module: [ PartMgr.sys] 10%... /
verifying module: [ VolSnap.sys] 10%... -
verifying module: [ atapi.sys] 11%... \
verifying module: [ si3112r.sys] 12%... |
verifying module: [ SCSIPORT.SYS] 12%... /
verifying module: [ hpt3xx.sys] 13%... -
verifying module: [ vIdePort.sys] 13%... \
verifying module: [ SiWinAcc.sys] 14%... |
verifying module: [ disk.sys] 15%... /
verifying module: [ CLASSPNP.SYS] 15%... -
verifying module: [ fltmgr.sys] 16%... \
verifying module: [ sr.sys] 17%... |
verifying module: [ PxHelp20.sys] 17%... /
verifying module: [ hptpro.sys] 18%... -
verifying module: [ PQV2i.sys] 18%... \
verifying module: [ KSecDD.sys] 19%... |
verifying module: [ Defrag32b.sys] 20%... /
verifying module: [ Ntfs.sys] 20%... -
verifying module: [ NDIS.sys] 21%... \
verifying module: [ viaagp1.sys] 22%... |
verifying module: [ Mup.sys] 22%... /
verifying module: [ amdk7.sys] 23%... -
verifying module: [ nv4_mini.sys] 24%... \
verifying module: [ VIDEOPRT.SYS] 24%... |
verifying module: [ hercspud.sys] 25%... /
verifying module: [ hercos.sys] 25%... -
verifying module: [ ks.sys] 26%... \
verifying module: [ winachcf.sys] 27%... |
verifying module: [ Modem.SYS] 27%... /
verifying module: [ usbuhci.sys] 28%... -
verifying module: [ USBPORT.SYS] 29%... \
verifying module: [ usbehci.sys] 29%... |
verifying module: [ imapi.sys] 30%... /
verifying module: [ cdrom.sys] 31%... -
verifying module: [ redbook.sys] 31%... \
verifying module: [ GearAspiWDM.SYS] 32%... |
verifying module: [ fetnd5bv.sys] 32%... /
verifying module: [ fdc.sys] 33%... -
verifying module: [ serial.sys] 34%... \
verifying module: [ serenum.sys] 34%... |
verifying module: [ parport.sys] 35%... /
verifying module: [ i8042prt.sys] 36%... -
verifying module: [ L8042pr2.Sys] 36%... \
verifying module: [ LMouFlt2.Sys] 37%... |
verifying module: [ mouclass.sys] 37%... /
verifying module: [ kbdclass.sys] 38%... -
verifying module: [ audstub.sys] 39%... \
verifying module: [ rasl2tp.sys] 39%... |
verifying module: [ ndistapi.sys] 40%... /
verifying module: [ ndiswan.sys] 41%... -
verifying module: [ raspppoe.sys] 41%... \
verifying module: [ raspptp.sys] 42%... |
verifying module: [ TDI.SYS] 43%... /
verifying module: [ ptilink.sys] 43%... -
verifying module: [ raspti.sys] 44%... \
verifying module: [ rdpdr.sys] 44%... |
verifying module: [ termdd.sys] 45%... /
verifying module: [ SetupSys.sys] 46%... -
verifying module: [ swenum.sys] 46%... \
verifying module: [ update.sys] 47%... |
verifying module: [ mssmbios.sys] 48%... /
verifying module: [ NDProxy.SYS] 48%... -
verifying module: [ dmboot.sys] 49%... \
verifying module: [ hercwdm.sys] 50%... |
verifying module: [ portcls.sys] 50%... /
verifying module: [ drmk.sys] 51%... -
verifying module: [ gameenum.sys] 51%... \
verifying module: [ MODEMCSA.sys] 52%... |
verifying module: [ usbhub.sys] 53%... /
verifying module: [ USBD.SYS] 53%... -
verifying module: [ flpydisk.sys] 54%... \
verifying module: [ VETFDDNT.SYS] 55%... |
verifying module: [ Fs_Rec.SYS] 55%... /
verifying module: [ VETEFILE.SYS] 56%... -
verifying module: [ VET-REC.SYS] 56%... \
verifying module: [ VET-FILT.SYS] 57%... |
verifying module: [ VETMONNT.SYS] 58%... /
verifying module: [ VETEBOOT.SYS] 58%... -
verifying module: [ Null.SYS] 59%... \
verifying module: [ Beep.SYS] 60%... |
verifying module: [ HIDPARSE.SYS] 60%... /
verifying module: [ vga.sys] 61%... -
verifying module: [ mnmdd.SYS] 62%... \
verifying module: [ RDPCDD.sys] 62%... |
verifying module: [ Msfs.SYS] 63%... /
verifying module: [ Npfs.SYS] 63%... -
verifying module: [ rasacd.sys] 64%... \
verifying module: [ ipsec.sys] 65%... |
verifying module: [ msgpc.sys] 65%... /
verifying module: [ tcpip.sys] 66%... -
verifying module: [ netbt.sys] 67%... \
verifying module: [ afd.sys] 67%... |
verifying module: [ netbios.sys] 68%... /
verifying module: [ rdbss.sys] 68%... -
verifying module: [ PQNTDrv.SYS] 69%... \
verifying module: [ PQIMount.SYS] 70%... |
verifying module: [ mrxsmb.sys] 70%... /
verifying module: [ Fips.SYS] 71%... -
verifying module: [ atkkbnt.sys] 72%... \
verifying module: [ ipnat.sys] 72%... |
verifying module: [ wanarp.sys] 73%... /
verifying module: [ usbprint.sys] 74%... -
verifying module: [ Cdfs.SYS] 74%... \
verifying module: [ win32k.sys] 75%... |
verifying module: [ Dxapi.sys] 75%... /
verifying module: [ watchdog.sys] 76%... -
verifying module: [ dxg.sys] 77%... \
verifying module: [ dxgthk.sys] 77%... |
verifying module: [ nvcap.sys] 78%... /
verifying module: [ STREAM.SYS] 79%... -
verifying module: [ nvtvsnd.sys] 79%... \
verifying module: [ NVxbar.sys] 80%... |
verifying module: [ nvtunep.sys] 81%... /
verifying module: [ atkdisp.dll] 81%... -
verifying module: [ nv4_disp.dll] 82%... \
verifying module: [ vsdatant.sys] 82%... |
verifying module: [ OkiPar.SYS] 83%... /
verifying module: [ ParVdm.SYS] 84%... -
verifying module: [ Defrag32.SYS] 84%... \
verifying module: [ EIO.sys] 85%... |
verifying module: [ EPoXUSDM.SYS] 86%... /
verifying module: [ mdmxsdk.sys] 86%... -
verifying module: [ srv.sys] 87%... \
verifying module: [ uphcleanhlp.sys] 87%... |
verifying module: [ wdmaud.sys] 88%... /
verifying module: [ sysaudio.sys] 89%... -
verifying module: [ ATMFD.DLL] 89%... \
verifying module: [ kmixer.sys] 90%... |
verifying module: [ svv.sys] 91%... /
verifying module: [ ntdll.dll] 91%... -
verifying module: [ svv.exe] 92%... \
verifying module: [ ntdll.dll] 93%... |
verifying module: [ kernel32.dll] 93%... /
verifying module: [ PSAPI.DLL] 94%... -
verifying module: [ WS2_32.dll] 94%... \
verifying module: [ msvcrt.dll] 95%... |
verifying module: [ WS2HELP.dll] 96%... /
verifying module: [ ADVAPI32.dll] 96%... -
verifying module: [ RPCRT4.dll] 97%... \
verifying module: [ USER32.dll] 98%... |
verifying module: [ GDI32.dll] 98%... /
verifying module: [ LPK.DLL] 99%... -
verifying module: [ USP10.dll] 100%... \

ntoskrnl.exe (80800000 - 80a14100)... innocent hooking (verdict = 3).
module ntoskrnl.exe [0x80800000 - 0x80a14100]:
0x8080403d [RtlPrefetchMemoryNonTemporal()+0] 1 byte(s): exclusion filter: single byte modification
file :c3
memory :90
verdict = 1

0x80804aa2 18 byte(s): exclusion filter: KeFlushCurrentTb()
file :d8 0f 22 d8 c3 0f 20 e0 25 7f ff ff ff 0f 22 e0 0d 80
memory :e0 25 7f ff ff ff 0f 22 e0 0d 80 00 00 00 0f 22 e0 c3
verdict = 1

0x80804aba 1 byte(s): exclusion filter: single byte modification
file :c3
memory :00
verdict = 1

0x808078ea 1 byte(s): exclusion filter: single byte modification
file :05
memory :06
verdict = 1

0x8080b73c [KiServiceTable[37]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bd52d0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :48 9d 89 80
memory :d0 52 bd b9
verdict = 2

0x8080b74c [KiServiceTable[41]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bed864 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :61 77 89 80
memory :64 d8 be b9
verdict = 2

0x8080b764 [KiServiceTable[47]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bec680 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :14 63 8d 80
memory :80 c6 be b9
verdict = 2

0x8080b768 [KiServiceTable[48]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bec8a0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :1a 94 8a 80
memory :a0 c8 be b9
verdict = 2

0x8080b770 [KiServiceTable[50]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bef280 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :1b d4 88 80
memory :80 f2 be b9
verdict = 2

0x8080b7a0 [KiServiceTable[62]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bd57b0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :07 cc 8f 80
memory :b0 57 bd b9
verdict = 2

0x8080b7a4 [KiServiceTable[63]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bedfb0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :78 9f 8b 80
memory :b0 df be b9
verdict = 2

0x8080b7ac [KiServiceTable[65]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bedd90 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :fa 79 8b 80
memory :90 dd be b9
verdict = 2

0x8080b7b8 [KiServiceTable[68]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bebfc0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :b6 ca 89 80
memory :c0 bf be b9
verdict = 2

0x8080b830 [KiServiceTable[98]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bee160 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :f0 3c 8d 80
memory :60 e1 be b9
verdict = 2

0x8080b878 [KiServiceTable[116]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bd55e0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :e3 9c 89 80
memory :e0 55 bd b9
verdict = 2

0x8080b890 [KiServiceTable[122]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bebdc0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :96 cc 89 80
memory :c0 bd be b9
verdict = 2

0x8080b8a8 [KiServiceTable[128]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bebb90 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :74 19 8b 80
memory :90 bb be b9
verdict = 2

0x8080b9ac [KiServiceTable[193]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bee420 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :32 62 97 80
memory :20 e4 be b9
verdict = 2

0x8080b9d8 [KiServiceTable[204]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bee6a0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :56 4d 97 80
memory :a0 e6 be b9
verdict = 2

0x8080b9f0 [KiServiceTable[210]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bd8370 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :ca e9 8a 80
memory :70 83 bd b9
verdict = 2

0x8080ba28 [KiServiceTable[224]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bd5920 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :2c 0e 8a 80
memory :20 59 bd b9
verdict = 2

0x8080ba84 [KiServiceTable[247]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bedb80 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :1d dc 89 80
memory :80 db be b9
verdict = 2

0x8080baac [KiServiceTable[257]] 4 byte(s): KiServiceTable HOOK:
address 0xb9becad0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
target module path: \??\C:\WINDOWS\system32\vsdatant.sys
file :2b bc 8a 80
memory :d0 ca be b9
verdict = 2

0x8080bac4 [KiServiceTable[263]] 4 byte(s): KiServiceTable HOOK:
address 0xf057163c is inside uphcleanhlp.sys module [0xf0571000-0xf0573000]
target module path: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
module file is NOT PRESENT!!!
file :2b 50 97 80
memory :3c 16 57 f0
verdict = 3

module ntoskrnl.exe: end of details

SYSTEM INFECTION LEVEL: 3
0 - BLUE
1 - GREEN
2 - YELLOW
--> 3 - ORANGE
4 - RED
5 - DEEPRED
Some hooking detected but it is probably caused by some tracing tools,
like SysInternals' RegMon or DbgView.
Stop all those tools and rerun the tests.
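Added here as a worked example, not SVV's code and not the poster's: a small Python triage of the two reports in this thread. It parses SVV's per-finding blocks, decodes the little-endian pointers in the KiServiceTable slots and checks SVV's own "is inside module" claim against them, decodes the six bytes SVV found at LoadLibraryExW, and diffs the run with the security products active against the run with them stopped, which is the procedure the second post describes. The report excerpts are constructed from the two logs above (abridged, with SVV's wrapped lines re-joined); every function and variable name is the example's own.

```python
import re
from dataclasses import dataclass

# Constructed excerpts of the thread's two reports (products active / products stopped), wrapped lines re-joined.
RUN_WITH_PRODUCTS = """
0x8080b73c [KiServiceTable[37]] 4 byte(s): KiServiceTable HOOK:
address 0xb96cd2d0 is inside vsdatant.sys module [0xb96b5000-0xb970e000]
file :48 9d 89 80
memory :d0 d2 6c b9
verdict = 2
0x8080bac4 [KiServiceTable[263]] 4 byte(s): KiServiceTable HOOK:
address 0xf7a1f63c is inside uphcleanhlp.sys module [0xf7a1f000-0xf7a21000]
module file is NOT PRESENT!!!
file :2b 50 97 80
memory :3c f6 a1 f7
verdict = 3
0x7c801af1 [LoadLibraryExW()+0] 6 byte(s): JMPing code (jmp to: 0x5f05001e)
address 0x5f05001e DOES NOT belong to ANY MODULE!
file :6a 34 68 88 e2 80
memory :ff 25 1e 00 05 5f
verdict = 5
"""
RUN_PRODUCTS_STOPPED = """
0x8080b73c [KiServiceTable[37]] 4 byte(s): KiServiceTable HOOK:
address 0xb9bd52d0 is inside vsdatant.sys module [0xb9bbd000-0xb9c16000]
file :48 9d 89 80
memory :d0 52 bd b9
verdict = 2
0x8080bac4 [KiServiceTable[263]] 4 byte(s): KiServiceTable HOOK:
address 0xf057163c is inside uphcleanhlp.sys module [0xf0571000-0xf0573000]
module file is NOT PRESENT!!!
file :2b 50 97 80
memory :3c 16 57 f0
verdict = 3
"""

@dataclass
class Finding:
    address: int                 # patched location inside the scanned module
    label: str                   # e.g. "KiServiceTable[37]" or "LoadLibraryExW()+0"
    file_bytes: bytes = b""      # bytes SVV read from the file on disk
    mem_bytes: bytes = b""       # bytes SVV read from the mapped image
    verdict: int = 0
    target: int = 0              # address SVV resolved the hook to
    module: str = ""             # module containing the target; "" = none found
    module_range: tuple = (0, 0)
    module_file_missing: bool = False
HEAD = re.compile(r"^0x([0-9a-f]+)(?: \[(.+?)\])? \d+ byte\(s\):")
INSIDE = re.compile(r"^address 0x([0-9a-f]+) is inside (\S+) module \[0x([0-9a-f]+)-0x([0-9a-f]+)\]")
NOMOD = re.compile(r"^address 0x([0-9a-f]+) DOES NOT belong to ANY MODULE")

def parse_report(text):
    """Group SVV's per-finding lines into Finding records."""
    findings, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEAD.match(line):
            cur = Finding(int(m[1], 16), m[2] or "")
            findings.append(cur)
        elif cur is None:
            continue
        elif m := INSIDE.match(line):
            cur.target, cur.module = int(m[1], 16), m[2]
            cur.module_range = (int(m[3], 16), int(m[4], 16))
        elif m := NOMOD.match(line):
            cur.target = int(m[1], 16)   # module stays ""
        elif line.startswith("module file is NOT PRESENT"):
            cur.module_file_missing = True
        elif line.startswith("file :"):
            cur.file_bytes = bytes.fromhex(line[6:])
        elif line.startswith("memory :"):
            cur.mem_bytes = bytes.fromhex(line[8:])
        elif line.startswith("verdict ="):
            cur.verdict = int(line.split("=")[1])
    return findings

def ssdt_slot(f):
    """(original handler, hooked handler, SVV's 'is inside' claim checks out)."""
    old, new = (int.from_bytes(x, "little") for x in (f.file_bytes, f.mem_bytes))
    return old, new, new == f.target and f.module_range[0] <= new < f.module_range[1]

def decode_hook(f):
    """FF 25 disp32 is `jmp dword ptr [disp32]`: the operand is the slot holding the destination, not the destination."""
    m = f.mem_bytes
    return "jmp dword ptr [0x%08x]" % int.from_bytes(m[2:6], "little") if m[:2] == b"\xff\x25" else None

def diff_runs(before, after):
    """Findings of `before` whose slot is clean in `after`. Keyed on the patched
    address, not the target: vsdatant.sys has a different base in the two runs."""
    still = {(f.address, f.label) for f in after}
    return [f for f in before if (f.address, f.label) not in still]

LEVELS = ["BLUE", "GREEN", "YELLOW", "ORANGE", "RED", "DEEPRED"]
def infection_level(findings):   # in both reports the level is the highest verdict
    return LEVELS[max((f.verdict for f in findings), default=0)]

if __name__ == "__main__":
    a, b = parse_report(RUN_WITH_PRODUCTS), parse_report(RUN_PRODUCTS_STOPPED)
    print(infection_level(a), "->", infection_level(b), [f.label for f in diff_runs(a, b)])
    for f in a:
        print(f.label, decode_hook(f) or "0x%08x -> 0x%08x consistent=%s" % ssdt_slot(f))
```

Two things the script makes visible that the raw report does not. The bytes `ff 25 1e 00 05 5f` at LoadLibraryExW decode to `jmp dword ptr [0x5f05001e]`, so the 0x5f05001e that SVV reports as belonging to no module is the pointer slot the hook reads through, not the code it lands in; to learn where control actually goes you would have to read the four bytes at that address inside the hooked process. And the diff is keyed on the hooked slot rather than the hook target because vsdatant.sys was loaded at 0xb96b5000 in the first run and 0xb9bbd000 in the second, so its targets never compare equal between runs even where the same slot is hooked.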