
View Full Version : Things that Rootkit Unhooker veils


SystemJunkie
April 27th, 2007, 09:25 AM
RkUnhooker has become an appreciated anti-rootkit tool, but you will see that RkU does not tell you the whole story; this is a shortcoming that should be improved. I guess we all appreciate seeing the whole truth and not 50%, 70% or only 80%. Check this screen to see what RkU still does not want to or still is not able to detect:

http://i14.tinypic.com/2u40npe.png

greencoconut
April 27th, 2007, 10:02 AM
What tool is that you're using? RkU has been under pretty constant development for a while, and is always improving. But it's best to always double check with different tools to be sure one tool doesn't miss anything.

SystemJunkie
April 27th, 2007, 02:03 PM
Indeed, they got a lot of glory for this tool, but it's important to see that this creation is extremely far away from being the all-in-one solution against rootkits and/or especially code hook detection; it is also a warning for other users or developers to stay very, very watchful.

EP_X0FF
April 27th, 2007, 07:43 PM
Rootkit Unhooker checks only system DLLs (ntdll.dll, kernel32.dll, user32.dll, gdi32.dll and some others). It doesn't check every available DLL (objects.dll, rtl60.bpl as on the screenshot) in the system, since this is simple idiocy.

KeDelayExecutionThread is our hook.

aigle
April 28th, 2007, 03:12 AM
BTW SystemJunkie, what is the other tool in the snapshot?

SystemJunkie
April 28th, 2007, 04:01 AM
@aigle: Gmer and Spybro.

{QUOTE-> It doesn't check any available dlls (objects.dll, rtl60.bpl as on screenshot) in the system since this is simple idiocy. <-QUOTE}

But if this is idiocy, why are these hooks in existence?
And second, would it not be useful to unhook them?
Should it not be useful to be able to unhook everything, e.g. to build an extended option in RkU for this case?

Besides, the device scanner in Gmer is very progressive, it reveals the StarForce rootkit; with RkU you don't see StarForce directly, you can find it via driver detection, but it would be easier to build a device scan option. I mean it's also okay to focus on the essentials, but some add-on options would be cool too.

EP_X0FF
April 28th, 2007, 05:54 AM
{QUOTE-> But if this is idiocy, why are these hooks in existence? <-QUOTE}

They do not affect the system in any way, so showing modifications in third-party non-system and non-critical files is idiocy. What is the purpose of such a scan? I imagine that hundreds of rootkits hook rtl60.bpl (Delphi runtime library) to stealth their files/reg keys - nonsense and an impossible thing.

{QUOTE-> And second, would it not be useful to unhook them?
Should it not be useful to be able to unhook everything, e.g. to build an extended option in RkU for this case? <-QUOTE}

The answer to this question is above. No sense in unhooking these hooks. They can't affect the system and consequently the application.

{QUOTE-> Besides, the device scanner in Gmer is very progressive, it reveals the StarForce rootkit; with RkU you don't see StarForce directly, you can find it via driver detection, but it would be easier to build a device scan option. I mean it's also okay to focus on the essentials, but some add-on options would be cool too. <-QUOTE}

Hidden Drivers Detector -> "References". I don't like how GMER shows IRP states. At first it lists everything in the system and gives hundreds of suspicious (as it thinks) entries, excuse me, for what?

SystemJunkie
April 28th, 2007, 04:15 PM
{QUOTE-> At first it lists everything in the system and gives hundreds of suspicious (as it thinks) entries, excuse me, for what? <-QUOTE}
To simplify the process of finding suspicious things (saves time, no manual search via driver detector necessary), especially the StarForce rootkit, which in fact is not harmful but represents rootkit technique.
[this was only related to Gmer's device scanning engine]

And what about IceSword's capabilities? The red line looks wicked. Seems only IceSword was able to take notice of this.

http://i14.tinypic.com/2iu3ls4.png

China one leap ahead?

EP_X0FF
April 29th, 2007, 12:13 AM
It is not a detection part of IceSword, it is a different startup/closeup monitoring.

SystemJunkie
April 29th, 2007, 05:18 AM
If I am not totally confused I guess that Red means bad/infected, right?

The only rootkit that comes to my mind showing this behaviour is Vanquish, but its method is very old and normally easy to detect.

SystemJunkie
April 29th, 2007, 11:32 AM
Spybro was the reason, it's nearly sure. Damn, this crazy app makes one paranoid, I quit using it. Sorry for the inconvenience. Horrible lawenforcer.dll digs deep into the system.

EP_X0FF
April 30th, 2007, 12:52 AM
Unfortunately, since IceSword does not have any kind of documentation we can only guess what these colors mean. Definitely it is not a detection part of IceSword, it is startup monitoring, but what these colors mean is a big mystery to everyone except PJF.

SystemJunkie
April 30th, 2007, 09:02 AM
As far as I noticed, the red colored activities of IceSword happen mostly when an app starts that uses lots of API hooks.

EP_X0FF
May 1st, 2007, 09:06 AM
csrss?

SystemJunkie
May 1st, 2007, 11:29 AM
Yesterday, just for fun, I tested Norton 2007; while scanning it passed an exe file with Chinese letters on c:\. But this exe does not exist anywhere, it only appeared when Norton passed it during the scanning procedure. Here is a nice screen about lots of false positives (:D)

During one scan yesterday RkU 3.31 found this Inline Relative Jump once, today nothing more.

{QUOTE-> http://i14.tinypic.com/4xy0rgi.png <-QUOTE}

The pic above is a collection of several anomalies during this and last year.

EP_X0FF
May 1st, 2007, 01:02 PM
Bugs and false positives generated by your software as a whole, I guess. Nice screens :)

SystemJunkie
May 1st, 2007, 01:58 PM
Yes, hehe, I guess so too, mostly false positives..

I double checked this Spybro nonsense on another computer, the same red emptiness..
It's wicked: the more tools you use, the more nonsense and confusion is produced.

The non-existent sh*t must come from a firewall hook, I guess.

Besides, Gmer detects this:

SSDT \WINDOWS\system32\ntkrnlpa.exe ZwSuspendProcess

RkU nothing. Probably not important, but I see that for the first time.

EASTER.2010
May 2nd, 2007, 12:47 AM
I absolutely have to inject my own opinion into this topic. EP_X0ff and his team mate (MP_Art) in my opinion have made history thanks to their offer of a great ARK like RKUnhooker. Apps like this are very rare and its usefulness helps more than users could ever expect. I could go on all day long over all the benefits RKU provides users. One thing I see is that if they still had control of it the app would have advanced further and in a manner unmatched by any other commercial or freelance developer. IMO it's a one of a kind and is great with what it does accomplish.

EP_X0FF
May 2nd, 2007, 02:53 AM
Thanks EASTER.

SystemJunkie, can you show screen of that invisible SSDT hook? Screen with GMER? Probably another GMER bug is discovered :)

SystemJunkie
May 2nd, 2007, 05:18 PM
{QUOTE-> had control of it the app would have advanced further and in a manner unmatched by any other commercial or freelance developer. IMO it's a one of a kind and is great with what it does accomplish. <-QUOTE}

Yes, it's a great tool, actually unmatched regarding massive unhooking capabilities. (except Norton's cruel SPBBC..exe and Dynamic Security Agent hooks, they resist the unhook procedure as far as I have tested)

{QUOTE-> SystemJunkie, can you show screen of that invisible SSDT hook? Screen with GMER? Probably another GMER bug is discovered <-QUOTE}

Yes.

http://i11.tinypic.com/66ell46.png

Another FP, with high probability:

File C:\Programme\Gemeinsame Dateien\aol\1161085309\ee\services\widgetsapp\ver0_9_10_1\
---- EOF - GMER 1.0.12 ----

EP_X0FF
May 3rd, 2007, 03:38 AM
LOL, what will be if you press Restore SSDT?

SystemJunkie
May 3rd, 2007, 04:01 AM
{QUOTE-> LOL, what will be if you press Restore SSDT? <-QUOTE}
Nothing special, it simulates the restoring. ;D ;D ;D

http://i15.tinypic.com/6czidsy.png

That's what RkU shows today. I guess this happens mostly when I unhook ieframe.

EP_X0FF
May 3rd, 2007, 06:59 AM
{QUOTE-> I guess this happens mostly when I unhook ieframe. <-QUOTE}

I can't agree with that, because the IE7 frame hook is in user mode, ntkrnlpa+blabla in kernel mode; they can't be dependent.

I can give you advice. If you really want to know what it is -> dump the A534F74E address by using the RkU dump memory region feature. Set the size of the dump to 1000. This is a value in hex; in bytes it will be 4 KB. After that upload this dump somewhere where I can access it and take a look.

SystemJunkie
May 3rd, 2007, 08:17 AM
{QUOTE-> I can give you advice. If you really want to know what it is -> dump the A534F74E address by using the RkU dump memory region feature. Set the size of the dump to 1000. <-QUOTE}
Okay, I will do so if this event occurs again on my very volatile Windows environment; actually it doesn't, but maybe after 2 or more reboots it may reappear.

SystemJunkie
May 4th, 2007, 05:54 AM
I did exactly what you said, I dumped A534F74E, but the memory.dmp file is totally empty.

So I have 4 KB of emptiness. Besides, the entry in RkU never changes, it always stays at A534F74E unknown code page.

SystemJunkie
May 5th, 2007, 09:10 AM
If you once see a screen or text like this: Matrix has you

http://i14.tinypic.com/67nwao1.png

Don't be afraid, it's RkUnhooker.

EP_X0FF
May 5th, 2007, 11:35 PM
{QUOTE-> I did exactly what you said, I dumped A534F74E, but the memory.dmp file is totally empty. <-QUOTE}

It can contain unprintable characters. Please upload it somewhere to check.

SystemJunkie
May 6th, 2007, 01:04 PM
Even if I reviewed the whole file?

I also used a hex editor to check: there are only 0000000000000000 zeros.

In WordPad it looks like an endless line of squares.

Just for info, did you ever see this?

http://i17.tinypic.com/62nxjxx.png

EP_X0FF
May 6th, 2007, 09:49 PM
Yes, it is a series of bugs in 3.31. Use 3.30 instead.

Can you dump the whole ntoskrnl.exe with that hook and upload it for review? But don't forget to state the hook address.

SystemJunkie
May 7th, 2007, 02:20 PM
{QUOTE-> Can you dump the whole ntoskrnl.exe with that hook and upload it for review? But don't forget to state the hook address. <-QUOTE}

Yes, if this occurs again; actually RkU shows 0 hooks.

Actually it re-occurs, but how to dump?

ntrknlpa+0x002CB40 0x80503B40 --> E534F74E [unknown code page]
Inline-Relative Jump

Which region should I dump now?? I dumped E53... again, but again only zeros; I dumped 80503b40 and there is text in it.
Strange stuff like this is to be seen in the hex editor: twOtfOtFOu}.}....t0Ot.Ouo

Another snippet: A driver has leaked %d bytes of physical memory...........U.....V.u.W.

Also very significant is this snippet: V3.95x.U.
(I dumped 10000 = 64 kb)

Besides, something is wrong with RkU 3.31: it fails to show ieframe hooks, while RkU 3.30 and Gmer show those hooks.
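The RkU line quoted in the post above (ntkrnlpa+offset 0x80503B40 --> E534F74E [unknown code page], Inline-Relative Jump) is what an anti-rootkit's inline-hook check produces when the first instruction of a kernel function is an E9 jmp whose computed target lies in no loaded module. The following is an added example written for this thread, not code from RkU, GMER or any poster; the module base addresses and the 5-byte prologues are constructed so that the arithmetic reproduces the thread's numbers.

```python
import struct

# Constructed module map for the example (not the thread's real kernel layout).
# The ntkrnlpa.exe base is chosen so that ntkrnlpa.exe+0x2CB40 == 0x80503B40,
# the hooked address quoted in the thread.
MODULES = {
    "ntkrnlpa.exe": (0x804D7000, 0x001F8000),
    "hal.dll": (0x806CF000, 0x00020000),
}

def module_for(addr):
    """Name of the loaded module that covers addr, or None if no module does."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None

def decode_jump(addr, code):
    """Decode a control transfer at the start of a function located at addr.

    Returns (kind, target) for the x86 encodings an inline hook typically uses,
    or None when the bytes do not start with one of them.
    """
    if len(code) >= 5 and code[0] == 0xE9:             # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "Inline-Relative Jump", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 5 and code[0] == 0xE8:             # call rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "Inline-Relative Call", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":     # jmp dword ptr [abs32]
        slot = struct.unpack_from("<I", code, 2)[0]
        return "Absolute Indirect Jump (pointer slot)", slot
    return None

def classify(addr, code):
    """Report line in the thread's style, or None when addr is not hooked.

    A target inside a known module is ordinary code flow; a target no module
    covers is what RkU labels "[unknown code page]" and is what to dump and review.
    """
    jump = decode_jump(addr, code)
    if jump is None:
        return None
    kind, target = jump
    src = module_for(addr)
    base = MODULES[src][0] if src else 0
    where = module_for(target) or "unknown code page"
    return f"{src}+0x{addr - base:08X} 0x{addr:08X} --> {target:08X} [{where}] {kind}"

# Constructed prologue: E9 with rel32 0x64E4BC09, which from 0x80503B40 lands on
# 0xE534F74E, the target in the thread's RkU line (target = addr + 5 + rel32).
HOOKED_PROLOGUE = bytes([0xE9, 0x09, 0xBC, 0xE4, 0x64])
# Unmodified hot-patchable prologue: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])
```

Running `classify(0x80503B40, HOOKED_PROLOGUE)` yields the thread's line with the module name spelled out, and the same call on `CLEAN_PROLOGUE` yields None; an all-zero dump of the target, as reported in the thread, is the case where the follow-up read of that "unknown code page" cannot confirm anything.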

SystemJunkie
May 28th, 2007, 08:08 PM
Actually EP doesn't write any messages here @ Wilders, nevertheless, though he can't comment, I'll show you new things that RkU veils, look what I found:

Rkhdrv31.sys is extremely vivid even if you don't use RKU:

The following message was sent to the eventlog "System" by the source "rkhdrv31":

-----------------------------------
<No textual message>
-----------------------------------
Additional technical info about the event:

Log id: System
Record nr: 20529
Time generated: 29.05.2007 02:05:17 (0x465B6E3D)
Time written: 29.05.2007 02:05:17 (0x465B6E3D)
Event ID: 0x80040036
Event type: EVENTLOG_WARNING_TYPE
Event category: 0x00000000
User sid:
Iser sid size: 0
Event data:
Event data size: 40
Noof merge strings: 1
Merge strings: 1: "\Device\rkhdrv31"

Source name: rkhdrv31

No text message... strange thing.