ESS v4 and rkunhooker

Discussion in 'ESET Smart Security v4 Beta Forum' started by someuser8, Dec 17, 2008.

Thread Status:
Not open for further replies.
  1. someuser8

    someuser8 Registered Member

    Joined:
    Dec 2, 2008
    Posts:
    9
Hi, could anyone confirm that the hooked SSDT services are due to V4, and also the stealth objects?

    RKunhooker LE v3.8.342.554

    Thanks.

    >SSDT State
    NtAssignProcessToJobObject
    Actual Address 0x81F11630
    Hooked by: Unknown module filename

    NtOpenProcess
    Actual Address 0x81F10A60
    Hooked by: Unknown module filename

    NtOpenThread
    Actual Address 0x81F10E80
    Hooked by: Unknown module filename

    NtSuspendProcess
    Actual Address 0x81F11460
    Hooked by: Unknown module filename

    NtSuspendThread
    Actual Address 0x81F11280
    Hooked by: Unknown module filename

    NtTerminateProcess
    Actual Address 0x81F10C90
    Hooked by: Unknown module filename

    NtTerminateThread
    Actual Address 0x81F110B0
    Hooked by: Unknown module filename

    >Shadow
    >Processes
    >Drivers
    >Stealth
    Unknown page with executable code
    Address: 0x81F3F8D6
    Size: 1834
    Unknown page with executable code
    Address: 0x81F38F2E
    Size: 210
    Unknown page with executable code
    Address: 0x81F3A3F3
    Size: 3085
    Unknown page with executable code
    Address: 0x81F0E380
    Size: 3200
    Unknown thread object [ ETHREAD 0x82088030 ] TID: 524
    Address: 0x81F37CF0
    Size: 592
    Unknown thread object [ ETHREAD 0x822CB030 ] TID: 532
    Address: 0x81F0F790
    Size: 592
    Unknown thread object [ ETHREAD 0x82083B18 ] TID: 540
    Address: 0x81F0FFB0
    Size: 592

    !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
Hi someuser8, here is a report of XP Pro with ESSv4 installed, taken from a clean VM for your comparison... :)

    >SSDT State
    NtAssignProcessToJobObject
    Actual Address 0x81715630
    Hooked by: Unknown module filename

    NtOpenProcess
    Actual Address 0x81714A60
    Hooked by: Unknown module filename

    NtOpenThread
    Actual Address 0x81714E80
    Hooked by: Unknown module filename

    NtSuspendProcess
    Actual Address 0x81715460
    Hooked by: Unknown module filename

    NtSuspendThread
    Actual Address 0x81715280
    Hooked by: Unknown module filename

    NtTerminateProcess
    Actual Address 0x81714C90
    Hooked by: Unknown module filename

    NtTerminateThread
    Actual Address 0x817150B0
    Hooked by: Unknown module filename

    >Shadow
    >Processes
    >Drivers
    >Stealth
    Unknown page with executable code
    Address: 0x811198D6
    Size: 1834
    Unknown page with executable code
    Address: 0x81112F2E
    Size: 210
    Unknown page with executable code
    Address: 0x811143F3
    Size: 3085
    Unknown page with executable code
    Address: 0x81712380
    Size: 3200
    Unknown thread object [ ETHREAD 0x814CC8B8 ] TID: 292
    Address: 0x816F7CF0
    Size: 592
    Unknown thread object [ ETHREAD 0x811BE750 ] TID: 528
    Address: 0x81713FB0
    Size: 592
    Unknown thread object [ ETHREAD 0x812BE778 ] TID: 732
    Address: 0x81111CF0
    Size: 592
    Unknown thread object [ ETHREAD 0x81530488 ] TID: 1252
    Address: 0x8160EFB0
    Size: 592
    Unknown thread object [ ETHREAD 0x81878020 ] TID: 1980
    Address: 0x81713790
    Size: 592
    !!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

ESET hooks, HTH.

    (Be nice if Eset would name theirs)
     
    Last edited: Dec 18, 2008
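Meriadoc's approach above is the standard triage move: put the suspect RkUnhooker report next to one taken from a known-clean install and see what differs. As an added example that is not part of the thread and is not ESET's or RkUnhooker's code, the Python script below parses the report layout shown in the two posts and diffs a suspect report against a clean-VM baseline by hooked function name, reported hooking module, executable-page size and unknown-thread count. Kernel addresses are deliberately ignored, because (as the two posts show) they differ from machine to machine and boot to boot, so they are not comparable. The embedded report strings are excerpts cut from the two posts; the section and entry layout the regexes assume is taken from the output as it appears in the thread, and `compare_to_baseline` and `parse_report` are names chosen here.

```python
import re
from collections import Counter

# Report excerpts copied from the two posts above (function names, addresses,
# sizes and TIDs are the page's own values, cut down to a few entries each).
SUSPECT = """\
>SSDT State
NtOpenProcess
Actual Address 0x81F10A60
Hooked by: Unknown module filename

NtTerminateProcess
Actual Address 0x81F10C90
Hooked by: Unknown module filename

>Stealth
Unknown page with executable code
Address: 0x81F3F8D6
Size: 1834
Unknown page with executable code
Address: 0x81F38F2E
Size: 210
Unknown thread object [ ETHREAD 0x82088030 ] TID: 524
Address: 0x81F37CF0
Size: 592
"""

CLEAN_VM = """\
>SSDT State
NtOpenProcess
Actual Address 0x81714A60
Hooked by: Unknown module filename

NtTerminateProcess
Actual Address 0x81714C90
Hooked by: Unknown module filename

>Stealth
Unknown page with executable code
Address: 0x811198D6
Size: 1834
Unknown page with executable code
Address: 0x81112F2E
Size: 210
Unknown thread object [ ETHREAD 0x814CC8B8 ] TID: 292
Address: 0x816F7CF0
Size: 592
Unknown thread object [ ETHREAD 0x811BE750 ] TID: 528
Address: 0x81713FB0
Size: 592
"""

# One SSDT entry: function name, its address, and the module RkUnhooker blames.
SSDT_ENTRY = re.compile(
    r"^(?P<func>Nt\w+)\nActual Address 0x[0-9A-Fa-f]+\n"
    r"Hooked by: (?P<module>.+)$", re.MULTILINE)
PAGE_ENTRY = re.compile(
    r"^Unknown page with executable code\nAddress: 0x[0-9A-Fa-f]+\n"
    r"Size: (?P<size>\d+)$", re.MULTILINE)
THREAD_ENTRY = re.compile(
    r"^Unknown thread object \[ ETHREAD 0x[0-9A-Fa-f]+ \] TID: (?P<tid>\d+)$",
    re.MULTILINE)


def parse_report(text):
    """Split a report into its '>' sections and extract the comparable fields."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(">"):
            current = line[1:].strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    ssdt = "\n".join(sections.get("SSDT State", []))
    stealth = "\n".join(sections.get("Stealth", []))
    return {
        "hooks": {m["func"]: m["module"] for m in SSDT_ENTRY.finditer(ssdt)},
        "page_sizes": [int(m["size"]) for m in PAGE_ENTRY.finditer(stealth)],
        "thread_tids": [int(m["tid"]) for m in THREAD_ENTRY.finditer(stealth)],
    }


def compare_to_baseline(baseline_text, suspect_text):
    """Return what the suspect report shows that the clean baseline does not."""
    base, susp = parse_report(baseline_text), parse_report(suspect_text)
    both = set(base["hooks"]) & set(susp["hooks"])
    return {
        "hooks_not_in_baseline": sorted(set(susp["hooks"]) - set(base["hooks"])),
        "hooks_missing_from_suspect": sorted(set(base["hooks"]) - set(susp["hooks"])),
        "hooks_with_changed_module": sorted(
            f for f in both if susp["hooks"][f] != base["hooks"][f]),
        # Page sizes are compared as a multiset; the addresses they live at are not.
        "page_sizes_not_in_baseline": sorted(
            (Counter(susp["page_sizes"]) - Counter(base["page_sizes"])).elements()),
        "thread_counts": (len(base["thread_tids"]), len(susp["thread_tids"])),
    }


if __name__ == "__main__":
    for key, value in compare_to_baseline(CLEAN_VM, SUSPECT).items():
        print(f"{key}: {value}")
```

On the thread's data every hook-related list comes back empty, which is the conclusion the posters reached by eye; only the unknown-thread count differs (two in the clean excerpt, one in the suspect excerpt), and that count varies with what else is running. An SSDT function that is hooked on the suspect machine but not on the baseline, or one whose "Hooked by" module has changed, is the line item worth chasing.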
  3. someuser8

    someuser8 Registered Member

    Joined:
    Dec 2, 2008
    Posts:
    9
    Many thanks, that puts my mind at rest - I agree, it would be good if they made it obvious it was eset and not just any old rootkit!

Especially the "Unknown page with executable code", "Unknown thread object" and "Unknown module filename" entries.
     
  4. qzex

    qzex Registered Member

    Joined:
    Nov 30, 2008
    Posts:
    42
    That might be the "self-defense" they were talking about :p
     