GMER log results

Discussion in 'other anti-malware software' started by SystemJunkie, Dec 27, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Just a little specimen for non-GMER users:

    :D:D :D
    Code:
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!NlsMbOemCodePageTag + FFF84FE8                                7C911000 9 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlEnterCriticalSection + 7                                   7C91100C 7 Bytes  [ 00, 00, 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlEnterCriticalSection + F                                   7C911014 18 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlEnterCriticalSection + 24                                  7C911029 4 Bytes  [ 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlEnterCriticalSection + 29                                  7C91102E 3 Bytes  [ 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlEnterCriticalSection + 30                                  7C911035 15 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   ...                                                                                                            
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlLeaveCriticalSection + 17                                  7C911104 5 Bytes  [ 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlLeaveCriticalSection + 1D                                  7C91110A 4 Bytes  [ 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlLeaveCriticalSection + 22                                  7C91110F 4 Bytes  [ 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlLeaveCriticalSection + 2A                                  7C911117 3 Bytes  [ 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlLeaveCriticalSection + 31                                  7C91111E 6 Bytes  [ 00, 00, 00, 00, 00, 00 ]
    .text   ...                                                                                                            
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlTryEnterCriticalSection + E                                7C911139 10 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlTryEnterCriticalSection + 1B                               7C911146 7 Bytes  [ 00, 00, 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlTryEnterCriticalSection + 25                               7C911150 2 Bytes  [ 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlTryEnterCriticalSection + 2A                               7C911155 2 Bytes  [ 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlTryEnterCriticalSection + 2D                               7C911158 3 Bytes  [ 00, 00, 00 ]
    .text   ...                                                                                                            
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!LdrInitializeThunk + F                                        7C91118D 34 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!LdrInitializeThunk + 32                                       7C9111B0 15 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlActivateActivationContextUnsafeFast + D                    7C9111C2 4 Bytes  [ 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlActivateActivationContextUnsafeFast + 13                   7C9111C8 9 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlActivateActivationContextUnsafeFast + 1E                   7C9111D3 6 Bytes  [ 00, 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlActivateActivationContextUnsafeFast + 26                   7C9111DB 6 Bytes  [ 00, 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlActivateActivationContextUnsafeFast + 2D                   7C9111E2 4 Bytes  [ 00, 00, 00, 00 ]
    .text   ...                                                                                                            
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + F                  7C911209 6 Bytes  [ 00, 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + 16                 7C911210 10 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + 22                 7C91121C 8 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + 2C                 7C911226 4 Bytes  [ 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + 31                 7C91122B 31 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!DbgUserBreakPoint + 12                                        7C91124B 8 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!NtCurrentTeb + 6                                              7C911256 17 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlInitString + F                                             7C91126B 20 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeQueryNextServer + 37                                         77D5759B 10 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeQueryNextServer + 43                                         77D575A7 3 Bytes  [ 00, 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeQueryNextServer + 48                                         77D575AC 64 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeQueryNextServer + 8A                                         77D575EE 6 Bytes  [ 00, 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeQueryNextServer + 92                                         77D575F6 20 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   ...                                                                                                            
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeConnect + 75                                                 77D57DF0 4 Bytes  [ 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeConnect + 7B                                                 77D57DF6 39 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeConnect + A3                                                 77D57E1E 37 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeReconnect + 22                                               77D57E45 9 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeReconnect + 2D                                               77D57E50 3 Bytes  [ 00, 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeReconnect + 32                                               77D57E55 2 Bytes  [ 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeReconnect + 37                                               77D57E5A 22 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeReconnect + 4F                                               77D57E72 4 Bytes  [ 00, 00, 00, 00 ]
    .text   ...                                                                                                            
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnect + 42                                              77D57FBE 7 Bytes  [ 00, 00, 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnect + 4B                                              77D57FC7 3 Bytes  [ 00, 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnect + 50                                              77D57FCC 11 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnect + 5C                                              77D57FD8 21 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnect + 72                                              77D57FEE 50 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnectList + 2F                                          77D58022 7 Bytes  [ 00, 00, 00, 00, 00, 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnectList + 38                                          77D5802B 3 Bytes  [ 00, 00, 00 ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnectList + 3D                                          77D58030 17 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnectList + 4F                                          77D58042 20 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeDisconnectList + 64                                          77D58057 27 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text   ...
    Maybe a threat degree would be useful; you should look at Trend Micro, they seem to be able to distinguish between commercial and bad hooks.
     
  2. TECHWG

    TECHWG Guest

    Re: RkUnhooker RC3 released

    Kind of like "DEFCON 5", "DEFCON 1" etc., lol, I think that's what you mean.
     
  3. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Hi, SystemJunkie.

    Looking at that huge false-positives log from GMER, I can write some comments.

    As you see, the last part [00 00 00 ....] shows what instruction is at this address. So here are zeroes; it can't be a hook, it is a false alarm due to the primitive hook-detection algorithms used in GMER. Let me describe it in detail.

    How detection of code hooks is implemented: for this purpose it is necessary to create a special loader, a module that loads the image from disk and lays it out in memory just like the Windows PE loader does.
    So detection is trivial and is implemented like this.
    1. The loader loads the original file into memory. For example user32.dll
    2. The user32.dll already loaded by the system is read from memory
    3. The detector compares these two files.
    4. Any differences go into a special block, the "filter", for further analysis
    It is not so hard to find the differences between these two files; it is hard to decide what is a hook and what is not. So as you see, the "filter" part of GMER is absent or very weak. This program indicates almost any modification of code, even if this modification was made by the operating system. That is unacceptable. Some parts of code are specially opened for modification, but GMER indicates them as "hooks". For example ntoskrnl.exe (the main Windows core component) itself uses self-patching. It modifies itself many times per second. Why does this happen? This was done for reasons of optimisation: why run a long block of code if you can patch yourself in real time, and this takes much, much less time than walking in circles and through "if" operators.

    To filter "legitimate" hooks (but this is a strange word, because any kind of inline code hooking -> reversing) we need a huge base of security-product information which will be updated every day, maybe every six hours. But such information is closed for obvious reasons. If everybody knew which functions are hooked for example by Agnitum Outpost, then the malware writers would be happy, because they got this information quickly and without pain in some place =)

    In the end, it is a very bad idea to filter any kind of hooks, even if they are "legitimate". They are hooks, so they should be displayed.
     
    Last edited: Dec 27, 2006
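The four-step comparison EP_X0FF describes (load the image from disk the way the PE loader would, read the live copy from memory, diff the two, hand each difference to a filter) as an added worked example in Python. This is not GMER's code and not code posted by anyone in the thread; the on-disk bytes, the load address `BASE`, the detour address `HOOK_TARGET` and the three patches are all constructed for the demonstration. The filter implements the judgement EP_X0FF makes above: a run of 00 bytes is nothing executable and so cannot be a working hook, a NOP redirects nothing, and only a decodable `JMP rel32` yields a target worth following.

```python
"""Added example: disk-vs-memory code comparison with a minimal filter.

Models the four steps EP_X0FF lists with plain byte strings:
  1. a "loader" supplies the on-disk image of a function,
  2. the live copy is read from memory,
  3. the two are compared byte by byte,
  4. each differing run goes to a filter that names what it looks like.
All addresses and bytes below are constructed, not taken from a real process.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

JMP_REL32 = 0xE9
NOP = 0x90
BASE = 0x7C911000          # constructed load address of the sample function
HOOK_TARGET = 0x10001000   # constructed address of a detour in another module


@dataclass
class Diff:
    address: int      # virtual address of the first differing byte
    original: bytes   # bytes as mapped from disk
    patched: bytes    # bytes as found in memory


def find_diffs(disk: bytes, mem: bytes, base: int) -> list[Diff]:
    """Steps 1-3: compare the loader image against memory, return differing runs."""
    if len(disk) != len(mem):
        raise ValueError("images must cover the same range")
    diffs: list[Diff] = []
    start = None
    for i, (d, m) in enumerate(zip(disk, mem)):
        if d != m and start is None:
            start = i
        elif d == m and start is not None:
            diffs.append(Diff(base + start, disk[start:i], mem[start:i]))
            start = None
    if start is not None:
        diffs.append(Diff(base + start, disk[start:], mem[start:]))
    return diffs


def classify(diff: Diff) -> tuple[str, int | None]:
    """Step 4, the 'filter': returns (kind, target); target only for a decodable jump."""
    p = diff.patched
    if not any(p):
        # Every byte reads as 00: nothing executable lives here, so this is a
        # read that returned nothing (or an unmapped page), not a hook.
        return ("zero-fill", None)
    if p[0] == JMP_REL32 and len(p) >= 5:
        rel = struct.unpack_from("<i", p, 1)[0]
        target = (diff.address + 5 + rel) & 0xFFFFFFFF
        return ("jmp-rel32", target)
    if all(b == NOP for b in p):
        # NOPs redirect control nowhere; at most they pad an in-place patch.
        return ("nop", None)
    return ("other", None)


def build_sample_images() -> tuple[bytes, bytes]:
    # Constructed on-disk function: hot-patchable prologue (mov edi,edi; push ebp;
    # mov ebp,esp) followed by filler that contains no 00 and no 90 bytes.
    disk = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC]) + bytes(range(0x10, 0x10 + 59))
    mem = bytearray(disk)
    # An inline hook: JMP rel32 from the prologue to HOOK_TARGET.
    rel = HOOK_TARGET - (BASE + 5)
    mem[0:5] = bytes([JMP_REL32]) + struct.pack("<i", rel)
    # A region that reads back as zeros, like the userinit.exe entries in the log.
    mem[0x20:0x28] = bytes(8)
    # A single byte replaced by a NOP.
    mem[0x30] = NOP
    return disk, bytes(mem)


def scan_example() -> list[tuple[str | int | None, ...]]:
    """Run the comparison on the constructed images and classify every difference."""
    disk, mem = build_sample_images()
    return [(d.address, *classify(d)) for d in find_diffs(disk, mem, BASE)]


if __name__ == "__main__":
    for addr, kind, target in scan_example():
        extra = f" -> {target:08X}" if target is not None else ""
        print(f"{addr:08X} {kind}{extra}")
```

Running it prints one line per differing run: the JMP at `BASE` resolves to `HOOK_TARGET`, the eight zero bytes at `BASE+0x20` are reported as zero-fill rather than as a hook, and the lone NOP is named as such. The point of the split between `find_diffs` and `classify` is the one EP_X0FF makes: finding differences is the easy part, and everything a practitioner cares about lives in the second function.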
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Re: RkUnhooker RC3 released

    Hi EP_X0FF,

    That's good to understand.

    I fully agree, that's a huge problem of Gmer; this leads to total confusion instead of absolute conclusion.

    That's a maintainable point of view.
     
  5. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
  6. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    @Gmer

    Code:
    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2006-12-28 09:03:15
    Windows 5.1.2600 Service Pack 2
    
    
    ---- System - GMER 1.0.12 ----
    
    INT 0x00  ?                                                  F74E6C40
    INT 0x01  ?                                                  F74E6C57
    INT 0x02  ?                                                  F74E6C6E
    INT 0x03  ?                                                  F74E6C85
    INT 0x04  ?                                                  F74E6C9C
    INT 0x05  ?                                                  F74E6CB3
    INT 0x06  ?                                                  F74E6CCA
    INT 0x07  ?                                                  F74E6CE1
    INT 0x09  ?                                                  F74E6D0F
    INT 0x0A  ?                                                  F74E6D26
    INT 0x0B  ?                                                  F74E6D3D
    INT 0x0C  ?                                                  F74E6D54
    INT 0x0D  ?                                                  F74E6D6B
    INT 0x0E  ?                                                  F74E6D82
    INT 0x0F  ?                                                  F74E6D99
    INT 0x10  ?                                                  F74E6DB0
    INT 0x11  ?                                                  F74E6DC7
    INT 0x12  ?                                                  F74E6DDE
    INT 0x13  ?                                                  F74E6DF5
    INT 0x14  ?                                                  F74E6E0C
    INT 0x15  ?                                                  F74E6E23
    INT 0x16  ?                                                  F74E6E3A
    INT 0x17  ?                                                  F74E6E51
    INT 0x18  ?                                                  F74E6E68
    INT 0x19  ?                                                  F74E6E7F
    INT 0x1A  ?                                                  F74E6E96
    INT 0x1B  ?                                                  F74E6EAD
    INT 0x1C  ?                                                  F74E6EC4
    INT 0x1D  ?                                                  F74E6EDB
    INT 0x1E  ?                                                  F74E6EF2
    INT 0x1F  ?                                                  F74E6F09
    INT 0x20  ?                                                  F74E6F20
    INT 0x21  ?                                                  F74E6F37
    INT 0x22  ?                                                  F74E6F4E
    INT 0x23  ?                                                  F74E6F65
    INT 0x24  ?                                                  F74E6F7C
    INT 0x25  ?                                                  F74E6F93
    INT 0x26  ?                                                  F74E6FAA
    INT 0x27  ?                                                  F74E6FC1
    INT 0x28  ?                                                  F74E6FD8
    INT 0x29  ?                                                  F74E6FEF
    INT 0x2A  ?                                                  F74E7006
    INT 0x2B  ?                                                  F74E701D
    INT 0x2C  ?                                                  F74E7034
    INT 0x2D  ?                                                  F74E704B
    INT 0x2E  ?                                                  F74E7062
    INT 0x2F  ?                                                  F74E7079
    INT 0x30  ?                                                  F74E7090
    INT 0x31  ?                                                  F74E70A7
    INT 0x32  ?                                                  F74E70BE
    INT 0x33  ?                                                  F74E70D5
    INT 0x34  ?                                                  F74E70EC
    INT 0x35  ?                                                  F74E7103
    INT 0x36  ?                                                  F74E711A
    INT 0x37  ?                                                  F74E7131
    INT 0x38  ?                                                  F74E7148
    INT 0x39  ?                                                  F74E715F
    INT 0x3A  ?                                                  F74E7176
    INT 0x3B  ?                                                  F74E718D
    INT 0x3C  ?                                                  F74E71A4
    INT 0x3D  ?                                                  F74E71BB
    INT 0x3E  ?                                                  F74E71D2
    INT 0x3F  ?                                                  F74E71E9
    INT 0x40  ?                                                  F74E7200
    INT 0x41  ?                                                  F74E7217
    INT 0x42  ?                                                  F74E722E
    INT 0x43  ?                                                  F74E7245
    INT 0x44  ?                                                  F74E725C
    INT 0x45  ?                                                  F74E7273
    INT 0x46  ?                                                  F74E728A
    INT 0x47  ?                                                  F74E72A1
    INT 0x48  ?                                                  F74E72B8
    INT 0x49  ?                                                  F74E72CF
    INT 0x4A  ?                                                  F74E72E6
    INT 0x4B  ?                                                  F74E72FD
    INT 0x4C  ?                                                  F74E7314
    INT 0x4D  ?                                                  F74E732B
    INT 0x4E  ?                                                  F74E7342
    INT 0x4F  ?                                                  F74E7359
    INT 0x50  ?                                                  F74E7370
    INT 0x51  ?                                                  F74E7387
    INT 0x52  ?                                                  F74E739E
    INT 0x53  ?                                                  F74E73B5
    INT 0x54  ?                                                  F74E73CC
    INT 0x55  ?                                                  F74E73E3
    INT 0x56  ?                                                  F74E73FA
    INT 0x57  ?                                                  F74E7411
    INT 0x58  ?                                                  F74E7428
    INT 0x59  ?                                                  F74E743F
    INT 0x5A  ?                                                  F74E7456
    INT 0x5B  ?                                                  F74E746D
    INT 0x5C  ?                                                  F74E7484
    INT 0x5D  ?                                                  F74E749B
    INT 0x5E  ?                                                  F74E74B2
    INT 0x5F  ?                                                  F74E74C9
    INT 0x60  ?                                                  F74E74E0
    INT 0x61  ?                                                  F74E74F7
    INT 0x62  ?                                                  F74E750E
    INT 0x63  ?                                                  F74E7525
    INT 0x64  ?                                                  F74E753C
    INT 0x65  ?                                                  F74E7553
    INT 0x66  ?                                                  F74E756A
    INT 0x67  ?                                                  F74E7581
    INT 0x68  ?                                                  F74E7598
    INT 0x69  ?                                                  F74E75AF
    INT 0x6A  ?                                                  F74E75C6
    INT 0x6B  ?                                                  F74E75DD
    INT 0x6C  ?                                                  F74E75F4
    INT 0x6D  ?                                                  F74E760B
    INT 0x6E  ?                                                  F74E7622
    INT 0x6F  ?                                                  F74E7639
    INT 0x70  ?                                                  F74E7650
    INT 0x71  ?                                                  F74E7667
    INT 0x72  ?                                                  F74E767E
    INT 0x73  ?                                                  F74E7695
    INT 0x74  ?                                                  F74E76AC
    INT 0x75  ?                                                  F74E76C3
    INT 0x76  ?                                                  F74E76DA
    INT 0x77  ?                                                  F74E76F1
    INT 0x78  ?                                                  F74E7708
    INT 0x79  ?                                                  F74E771F
    INT 0x7A  ?                                                  F74E7736
    INT 0x7B  ?                                                  F74E774D
    INT 0x7C  ?                                                  F74E7764
    INT 0x7D  ?                                                  F74E777B
    INT 0x7E  ?                                                  F74E7792
    INT 0x7F  ?                                                  F74E77A9
    INT 0x80  ?                                                  F74E77C0
    INT 0x81  ?                                                  F74E77D7
    INT 0x82  ?                                                  F74E77EE
    INT 0x83  ?                                                  F74E7805
    INT 0x84  ?                                                  F74E781C
    INT 0x85  ?                                                  F74E7833
    INT 0x86  ?                                                  F74E784A
    INT 0x87  ?                                                  F74E7861
    INT 0x88  ?                                                  F74E7878
    INT 0x89  ?                                                  F74E788F
    INT 0x8A  ?                                                  F74E78A6
    INT 0x8B  ?                                                  F74E78BD
    INT 0x8C  ?                                                  F74E78D4
    INT 0x8D  ?                                                  F74E78EB
    INT 0x8E  ?                                                  F74E7902
    INT 0x8F  ?                                                  F74E7919
    INT 0x90  ?                                                  F74E7930
    INT 0x91  ?                                                  F74E7947
    INT 0x92  ?                                                  F74E795E
    INT 0x93  ?                                                  F74E7975
    INT 0x94  ?                                                  F74E798C
    INT 0x95  ?                                                  F74E79A3
    INT 0x96  ?                                                  F74E79BA
    INT 0x97  ?                                                  F74E79D1
    INT 0x98  ?                                                  F74E79E8
    INT 0x99  ?                                                  F74E79FF
    INT 0x9A  ?                                                  F74E7A16
    INT 0x9B  ?                                                  F74E7A2D
    INT 0x9C  ?                                                  F74E7A44
    INT 0x9D  ?                                                  F74E7A5B
    INT 0x9E  ?                                                  F74E7A72
    INT 0x9F  ?                                                  F74E7A89
    INT 0xA0  ?                                                  F74E7AA0
    INT 0xA1  ?                                                  F74E7AB7
    INT 0xA2  ?                                                  F74E7ACE
    INT 0xA3  ?                                                  F74E7AE5
    INT 0xA4  ?                                                  F74E7AFC
    INT 0xA5  ?                                                  F74E7B13
    INT 0xA6  ?                                                  F74E7B2A
    INT 0xA7  ?                                                  F74E7B41
    INT 0xA8  ?                                                  F74E7B58
    INT 0xA9  ?                                                  F74E7B6F
    INT 0xAA  ?                                                  F74E7B86
    INT 0xAB  ?                                                  F74E7B9D
    INT 0xAC  ?                                                  F74E7BB4
    INT 0xAD  ?                                                  F74E7BCB
    INT 0xAE  ?                                                  F74E7BE2
    INT 0xAF  ?                                                  F74E7BF9
    INT 0xB0  ?                                                  F74E7C10
    INT 0xB1  ?                                                  F74E7C27
    INT 0xB2  ?                                                  F74E7C3E
    INT 0xB3  ?                                                  F74E7C55
    INT 0xB4  ?                                                  F74E7C6C
    INT 0xB5  ?                                                  F74E7C83
    INT 0xB6  ?                                                  F74E7C9A
    INT 0xB7  ?                                                  F74E7CB1
    INT 0xB8  ?                                                  F74E7CC8
    INT 0xB9  ?                                                  F74E7CDF
    INT 0xBA  ?                                                  F74E7CF6
    INT 0xBB  ?                                                  F74E7D0D
    INT 0xBC  ?                                                  F74E7D24
    INT 0xBD  ?                                                  F74E7D3B
    INT 0xBE  ?                                                  F74E7D52
    INT 0xBF  ?                                                  F74E7D69
    INT 0xC0  ?                                                  F74E7D80
    INT 0xC1  ?                                                  F74E7D97
    INT 0xC2  ?                                                  F74E7DAE
    INT 0xC3  ?                                                  F74E7DC5
    INT 0xC4  ?                                                  F74E7DDC
    INT 0xC5  ?                                                  F74E7DF3
    INT 0xC6  ?                                                  F74E7E0A
    INT 0xC7  ?                                                  F74E7E21
    INT 0xC8  ?                                                  F74E7E38
    INT 0xC9  ?                                                  F74E7E4F
    INT 0xCA  ?                                                  F74E7E66
    INT 0xCB  ?                                                  F74E7E7D
    INT 0xCC  ?                                                  F74E7E94
    INT 0xCD  ?                                                  F74E7EAB
    INT 0xCE  ?                                                  F74E7EC2
    INT 0xCF  ?                                                  F74E7ED9
    INT 0xD0  ?                                                  F74E7EF0
    INT 0xD1  ?                                                  F74E7F07
    INT 0xD2  ?                                                  F74E7F1E
    INT 0xD3  ?                                                  F74E7F35
    INT 0xD4  ?                                                  F74E7F4C
    INT 0xD5  ?                                                  F74E7F63
    INT 0xD6  ?                                                  F74E7F7A
    INT 0xD7  ?                                                  F74E7F91
    INT 0xD8  ?                                                  F74E7FA8
    INT 0xD9  ?                                                  F74E7FBF
    INT 0xDA  ?                                                  F74E7FD6
    INT 0xDB  ?                                                  F74E7FED
    INT 0xDC  ?                                                  F74E8004
    INT 0xDD  ?                                                  F74E801B
    INT 0xDE  ?                                                  F74E8032
    INT 0xDF  ?                                                  F74E8049
    INT 0xE0  ?                                                  F74E8060
    INT 0xE1  ?                                                  F74E8077
    INT 0xE2  ?                                                  F74E808E
    INT 0xE3  ?                                                  F74E80A5
    INT 0xE4  ?                                                  F74E80BC
    INT 0xE5  ?                                                  F74E80D3
    INT 0xE6  ?                                                  F74E80EA
    INT 0xE7  ?                                                  F74E8101
    INT 0xE8  ?                                                  F74E8118
    INT 0xE9  ?                                                  F74E812F
    INT 0xEA  ?                                                  F74E8146
    INT 0xEB  ?                                                  F74E815D
    INT 0xEC  ?                                                  F74E8174
    INT 0xED  ?                                                  F74E818B
    INT 0xEE  ?                                                  F74E81A2
    INT 0xEF  ?                                                  F74E81B9
    INT 0xF0  ?                                                  F74E81D0
    INT 0xF1  ?                                                  F74E81E7
    INT 0xF2  ?                                                  F74E81FE
    INT 0xF3  ?                                                  F74E8215
    INT 0xF4  ?                                                  F74E822C
    INT 0xF5  ?                                                  F74E8243
    INT 0xF6  ?                                                  F74E825A
    INT 0xF7  ?                                                  F74E8271
    INT 0xF8  ?                                                  F74E8288
    INT 0xF9  ?                                                  F74E829F
    INT 0xFA  ?                                                  F74E82B6
    INT 0xFB  ?                                                  F74E82CD
    INT 0xFC  ?                                                  F74E82E4
    INT 0xFD  ?                                                  F74E82FB
    INT 0xFE  ?                                                  F74E8312
    INT 0xFF  ?                                                  F74E8329
    
    SYSENTER  ?                                                  81694774
    
    ---- Kernel code sections - GMER 1.0.12 ----
    
    .text     ntoskrnl.exe!KiIpiServiceRoutine + F8              804D8FD7 1 Byte  [ 90 ]
    .text     ntoskrnl.exe!KiIpiServiceRoutine + FE              804D8FDD 4 Bytes  [ 8B, 4B, 1B, 01 ]
    .text     ntoskrnl.exe!ZwYieldExecution + AFF                804DE773 7 Bytes  JMP 8168DB85 
    .text     ntoskrnl.exe!ZwYieldExecution + B89                804DE7FD 5 Bytes  JMP 816710AA 
    
    ---- EOF - GMER 1.0.12 ----
    
    This one too, Gmer. IDT table dumping is buggy. And what about the wonderful NOP hook? I'm sorry, probably I need to update my brain, but how do you hook functions with a no-operation instruction? =)

    I can't agree with your explanation because I see SystemJunkie's logs every time I do a scan with your tool.

    & btw, nice to see you here again.
     
    Last edited: Dec 27, 2006
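EP_X0FF's objection in the two logs above comes down to a triage question: a `.text` entry whose reported bytes are all 00 contains nothing executable, a lone `[ 90 ]` redirects nothing, and only the entries where GMER itself decoded a `JMP` carry a target that can be followed. As an added example, not GMER's code and not posted by anyone in this thread, here is a small Python parser for GMER's `.text` lines that sorts each entry into those buckets and summarises them per process. The sample lines are copied from the two logs in this thread; the bucket names, the `summarize` view and the `kernel` label for entries with no `process[pid]` prefix are my own. GMER prints `...` when it truncates the byte list, so a zero-fill verdict covers only the bytes shown.

```python
"""Added example: triage of GMER ".text" log lines (not GMER's own code).

Buckets:
  zero-fill  every shown byte is 00: nothing executable, treat as a read that
             returned nothing rather than as a hook
  nop        only 0x90 bytes, which redirect control nowhere
  jmp        GMER decoded a JMP, so the target address is known
  other      real bytes that differ from disk and need a closer look
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^\.text\s+"
    r"(?:(?P<process>[^\s\[]+)\[(?P<pid>\d+)\]\s+)?"          # absent for kernel entries
    r"(?P<module>[^!\s]+)!(?P<symbol>[^\s+]+)\s*\+\s*(?P<offset>[0-9A-Fa-f]+)\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:\[\s*(?P<bytes>[^\]]*)\]|JMP\s+(?P<jmp>[0-9A-Fa-f]{8}))"
)

# Lines copied from the logs posted in this thread (a subset, whitespace compressed).
SAMPLE_LOG = r"""
.text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!NlsMbOemCodePageTag + FFF84FE8    7C911000 9 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text   C:\WINDOWS\system32\userinit.exe[1436] ntdll.dll!RtlEnterCriticalSection + 7       7C91100C 7 Bytes  [ 00, 00, 00, 00, 00, 00, 00 ]
.text   C:\WINDOWS\system32\imapi.exe[1952] USER32.dll!DdeQueryNextServer + 37             77D5759B 10 Bytes  [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text     ntoskrnl.exe!KiIpiServiceRoutine + F8              804D8FD7 1 Byte  [ 90 ]
.text     ntoskrnl.exe!KiIpiServiceRoutine + FE              804D8FDD 4 Bytes  [ 8B, 4B, 1B, 01 ]
.text     ntoskrnl.exe!ZwYieldExecution + AFF                804DE773 7 Bytes  JMP 8168DB85
.text     ntoskrnl.exe!ZwYieldExecution + B89                804DE7FD 5 Bytes  JMP 816710AA
"""


def classify_bytes(shown):
    """Bucket a list of shown byte values (the part GMER prints in [ ... ])."""
    if not shown or all(b == 0 for b in shown):
        return "zero-fill"
    if all(b == 0x90 for b in shown):
        return "nop"
    return "other"


def parse_line(line):
    """Parse one GMER .text line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    entry = {
        "process": g["process"] or "kernel",   # 'kernel' is this example's label
        "pid": int(g["pid"]) if g["pid"] else None,
        "module": g["module"],
        "symbol": g["symbol"],
        "offset": int(g["offset"], 16),
        "address": int(g["address"], 16),
        "size": int(g["size"]),
        "bytes": [],
        "truncated": False,
        "target": None,
    }
    if g["jmp"] is not None:
        entry["target"] = int(g["jmp"], 16)
        entry["kind"] = "jmp"
        return entry
    tokens = [t.strip() for t in g["bytes"].split(",") if t.strip()]
    entry["truncated"] = "..." in tokens           # GMER elided the rest of the run
    entry["bytes"] = [int(t, 16) for t in tokens if t != "..."]
    entry["kind"] = classify_bytes(entry["bytes"])
    return entry


def summarize(entries):
    """Per process: how many entries fall in each bucket.
    A process whose entries are all zero-fill has no decodable patch at all."""
    per = defaultdict(Counter)
    for e in entries:
        per[e["process"]][e["kind"]] += 1
    return {p: dict(c) for p, c in per.items()}


def triage_sample():
    return [e for e in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if e]


if __name__ == "__main__":
    entries = triage_sample()
    for e in entries:
        tgt = f" -> {e['target']:08X}" if e["target"] is not None else ""
        print(f"{e['process']:>40} {e['address']:08X} {e['kind']:<9}{tgt}")
    print(summarize(entries))
```

On the thread's own lines every userinit.exe and imapi.exe entry lands in `zero-fill`, while the four ntoskrnl.exe entries split into one NOP, one real byte change and two JMPs with targets `8168DB85` and `816710AA`; those targets are the only values in either log that point somewhere a practitioner can go and look.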
  8. EASTER.2010

    EASTER.2010 Guest

    GMER, greetings, and grief to find your site off-line. Looking forward to better improvements. Please try to stabilize your program without the annoying flickering problem, and shore up the ability to use its buttons as functions, not holding your breath that they will stick. You do have an interesting program and it would be nice if some of us could actually resume using a more stable version.
     
  9. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Thank you guys. Keep up the good work. If anyone has any problem with my program, please PM me.
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Welcome back Gmer ;)

    That's indeed the case with nearly every reboot, especially if you start Gmer directly then. The userinit phenomenon o_O o_O :D

    Gmer's file scan sometimes leads to BSODs, and if you e.g. rename a DLL in the system or windows dir, Gmer immediately
    alarms about rootkit activity from the process that uses those files.
     
  11. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    We hope that your site soon will return to life :)
     
  12. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @SystemJunkie thanks.

    As I wrote -> https://www.wilderssecurity.com/showpost.php?p=899613&postcount=29

    1) winlogon.exe runs userinit.exe
    2) userinit.exe runs explorer.exe
    3) explorer.exe ( by your click ) runs gmer.exe
    4) userinit.exe terminates.
    5) gmer scans userinit.exe <- it's my BUG

    Hint: start gmer.exe after userinit.exe.

    Nice trick. It's not recommended to do any operations during the scan.
    Just click Scan and wait until it ends.
    If you have a BSOD, please attach your minidump file.
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    OK Gmer, thanks for the re-explanation.
     