Things that Rootkit Unhooker veils

Discussion in 'other anti-malware software' started by SystemJunkie, Apr 27, 2007.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  2. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It can contain unprintable characters. Please upload it somewhere to check.
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Even if I reviewed the whole file?

    I also used hex edit to check: there are only zeros (0000000000000000...).

    In Wordpad it looks like an endless line of squares.

    Just for info, did you ever see this?

    http://i17.tinypic.com/62nxjxx.png
     
    Last edited: May 6, 2007
  4. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Yes, it is a series of bugs in 3.31. Use 3.30 instead.

    Can you dump the whole ntoskrnl.exe with that hook and upload it for review? But don't forget to state the hook address.
     
    Last edited: May 6, 2007
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes, if this occurs again, actually rku shows 0 hooks.

    Actually it re-occurs, but how to dump?

    ntrknlpa+0x002CB40 0x80503B40 --> E534F74E [unknown code page]
    Inline-Relative Jump

    What region is to dump now?? I dumped E53... again, but again only zeros; I dumped 80503b40, and there is text in it.
    Strange stuff like this can be seen in hex edit: twOtfOtFOu}.}....t0Ot.Ouo

    Another snippet: A driver has leaked %d bytes of physical memory...........U.....V.u.W.

    Also very significant is this snippet: V3.95x.U.
    (I dumped 10000 = 64 kb)

    Besides, something is wrong with rku 3.31: it fails to show ieframe hooks; rku 3.30 and gmer show those hooks.
     
    Last edited: May 7, 2007
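The two dumps described in the post above (one that is nothing but zeros, one that holds readable fragments such as the "A driver has leaked %d bytes" format string and a "V3.95x" version marker) can be triaged without a hex editor. The script below is an added example and is not code from the thread or from Rootkit Unhooker; the two sample dumps are constructed inline, and the base addresses passed to `triage()` are taken from the post only so that reported string offsets look like the addresses RKU printed.

```python
"""Triage a raw memory dump: is it zero-filled, and which printable runs does it hold?

Added example, not part of the original thread or of Rootkit Unhooker.
The sample dumps below are constructed; the strings mimic the fragments
quoted in the thread but are not real dump contents.
"""
import string

# Printable ASCII minus control whitespace (keep the space character)
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def is_zero_filled(data: bytes) -> bool:
    """True when every byte is 0x00 (what Wordpad shows as an endless line of squares)."""
    return len(data) > 0 and data.count(0) == len(data)


def zero_fraction(data: bytes) -> float:
    """Share of 0x00 bytes; a real code or data page is rarely close to 1.0."""
    return data.count(0) / len(data) if data else 0.0


def printable_runs(data: bytes, min_len: int = 4):
    """Return (offset, text) for every run of >= min_len printable ASCII bytes,
    the way the `strings` utility does. Offsets are relative to the dump start."""
    runs = []
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, data[start:].decode("ascii")))
    return runs


def triage(data: bytes, base: int = 0) -> dict:
    """Summarise a dump taken at virtual address `base` (only used to label offsets)."""
    return {
        "zero_filled": is_zero_filled(data),
        "zero_fraction": round(zero_fraction(data), 3),
        "strings": [(hex(base + off), s) for off, s in printable_runs(data)],
    }


# Constructed sample: a zero-filled page, like the dump the thread took at E534F74E
EMPTY_DUMP = bytes(0x1000)

# Constructed sample: a page with embedded text between opcode-like bytes
TEXT_DUMP = (
    b"\x8b\xff\x55\x8b\xec"                                   # constructed code-like bytes
    + b"A driver has leaked %d bytes of physical memory\x00"  # format string (47 chars)
    + b"\x00" * 16
    + b"U\x8b\xecV\x8bu\x08W"                                 # isolated letters, no run >= 4
    + b"\x00" * 8
    + b"V3.95x\x00"                                           # version-like marker
    + b"\x00" * 32
)

if __name__ == "__main__":
    print(triage(EMPTY_DUMP, base=0xE534F74E))
    print(triage(TEXT_DUMP, base=0x80503B40))
```

A dump that comes back as `zero_filled: True` was most likely taken from an address that is not mapped or not readable at the time of the read, which is worth knowing before spending time on it in a hex editor; the second dump reports the two readable runs with their offsets rebased to the address given.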
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Actually EP doesn't write any messages here @ wilders; nevertheless, so that he can't state otherwise, I'll show you new things that RkU veils. Look what I found:

    Rkhdrv31.sys is extremely vivid even if you don't use RKU:

    The following message was sent to the eventlog "System" by the source "rkhdrv31":

    -----------------------------------
    <No textual message>
    -----------------------------------
    Additional technical info about the event:

    Log id: System
    Record nr: 20529
    Time generated: 29.05.2007 02:05:17 (0x465B6E3D)
    Time written: 29.05.2007 02:05:17 (0x465B6E3D)
    Event ID: 0x80040036
    Event type: EVENTLOG_WARNING_TYPE
    Event category: 0x00000000
    User sid:
    Iser sid size: 0
    Event data:
    Event data size: 40
    Noof merge strings: 1
    Merge strings: 1: "\Device\rkhdrv31"

    Source name: rkhdrv31

    No text message... strange thing.
     
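The record quoted in the last post can be read further than the viewer did. Event Viewer turns an event ID into text by looking up the ID in the message file that the source registers under the EventLog\System key (the EventMessageFile value); when no message file is registered for the source, or it lacks that ID, the viewer has no template and prints "<No textual message>", while the record's insertion strings (here "\Device\rkhdrv31") still survive. The full 32-bit ID 0x80040036 follows the message-compiler bit layout, so its top two bits say "warning", which agrees with EVENTLOG_WARNING_TYPE, and the 0x465B6E3D timestamp is seconds since the Unix epoch. The script below is an added example, not code from the thread or from Rootkit Unhooker; the record values are those quoted in the post, the message template in the final print is constructed to show what a registered message file would have produced.

```python
"""Decode the fields of a Windows event log record like the one quoted in the thread.

Added example, not part of the original thread or of Rootkit Unhooker.
The record values are copied from the post; the interpretation (message-ID
bit layout, Unix-epoch timestamps, %n insertion strings) is standard Windows behaviour.
"""
from datetime import datetime, timezone
from typing import Optional

SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}
EVENTLOG_TYPES = {1: "EVENTLOG_ERROR_TYPE", 2: "EVENTLOG_WARNING_TYPE",
                  4: "EVENTLOG_INFORMATION_TYPE"}


def decode_message_id(msg_id: int) -> dict:
    """Split a 32-bit message ID (mc.exe / NTSTATUS layout):
    bits 31-30 severity, bit 29 customer flag, bits 27-16 facility, bits 15-0 code.
    Event Viewer shows only the low 16 bits as the 'Event ID'."""
    return {
        "severity": SEVERITY[(msg_id >> 30) & 0x3],
        "customer": bool((msg_id >> 29) & 0x1),
        "facility": (msg_id >> 16) & 0xFFF,
        "code": msg_id & 0xFFFF,
    }


def decode_time(epoch: int) -> datetime:
    """EVENTLOGRECORD.TimeGenerated / TimeWritten are seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def render_message(template: Optional[str], inserts: list) -> str:
    """Mimic the viewer: substitute %1, %2, ... from the record's insertion strings
    into the template found in the source's message file. With no template
    (no message file registered for the source) only '<No textual message>'
    can be shown, although the inserts are still in the record."""
    if template is None:
        return "<No textual message>  [inserts: " + ", ".join(inserts) + "]"
    out = template
    for n, s in enumerate(inserts, start=1):
        out = out.replace(f"%{n}", s)
    return out


# Values copied from the record quoted in the post
RECORD = {
    "event_id": 0x80040036,
    "event_type": 2,                # EVENTLOG_WARNING_TYPE
    "time_generated": 0x465B6E3D,
    "inserts": ["\\Device\\rkhdrv31"],
}


def analyse(record: dict) -> dict:
    """Return the decoded fields plus a consistency check of severity vs. event type."""
    fields = decode_message_id(record["event_id"])
    fields["event_type"] = EVENTLOG_TYPES.get(record["event_type"], "unknown")
    fields["severity_matches_type"] = (
        (fields["severity"], record["event_type"]) in {("Error", 1), ("Warning", 2),
                                                       ("Informational", 4)}
    )
    fields["time_utc"] = decode_time(record["time_generated"]).isoformat()
    fields["rendered"] = render_message(None, record["inserts"])
    return fields


if __name__ == "__main__":
    for key, value in analyse(RECORD).items():
        print(f"{key:>22}: {value}")
    # Constructed template: what the viewer would print if a message file for the
    # source existed and defined message 0x80040036 with one insertion string.
    print(render_message("Device object %1 was created.", RECORD["inserts"]))
```

The decoded time is 2007-05-29 00:05:17 UTC, which matches the 02:05:17 shown in the post for a machine on Central European Summer Time; the low 16 bits give event ID 54, the value Event Viewer would list, and the "warning" severity agrees with the EVENTLOG_WARNING_TYPE field. For a defender, an event source that writes records but registers no message file is the thing to note: the records are still there and still carry their insertion strings, they are just not rendered.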