Hooks

Discussion in 'malware problems & news' started by agiantt, Dec 28, 2010.

agiantt (Registered Member; joined Dec 28, 2010; posts: 2)
    Hi everyone. I came here to get these hooks analyzed to see if it's a possible rootkit.

    This is from an AVZ4 log after an extended scan.

    Code:
    1. Searching for Rootkits and programs intercepting API functions
    1.1 Searching for user-mode API hooks
     Analysis: kernel32.dll, export table found in section .text
    Function kernel32.dll:CopyFileA (114) intercepted, method APICodeHijack.JmpTo[1002CC36]
    Function kernel32.dll:CopyFileExA (115) intercepted, method APICodeHijack.JmpTo[1002CBF6]
    Function kernel32.dll:CopyFileExW (116) intercepted, method APICodeHijack.JmpTo[1002CBD6]
    Function kernel32.dll:CopyFileW (119) intercepted, method APICodeHijack.JmpTo[1002CC16]
    Function kernel32.dll:CreateFileA (138) intercepted, method APICodeHijack.JmpTo[1002CC76]
    Function kernel32.dll:CreateFileW (145) intercepted, method APICodeHijack.JmpTo[1002CC56]
    Function kernel32.dll:CreateProcessA (166) intercepted, method APICodeHijack.JmpTo[10028316]
    Function kernel32.dll:CreateProcessW (170) intercepted, method APICodeHijack.JmpTo[10027786]
    Function kernel32.dll:DeleteFileA (213) intercepted, method APICodeHijack.JmpTo[1002CAF6]
    Function kernel32.dll:DeleteFileW (216) intercepted, method APICodeHijack.JmpTo[1002CAD6]
    Function kernel32.dll:GetModuleHandleA (535) intercepted, method APICodeHijack.JmpTo[1002CAB6]
    Function kernel32.dll:GetModuleHandleW (538) intercepted, method APICodeHijack.JmpTo[1002CA96]
    Function kernel32.dll:GetProcAddress (583) intercepted, method APICodeHijack.JmpTo[1002CD16]
    Function kernel32.dll:LoadLibraryA (829) intercepted, method APICodeHijack.JmpTo[1002CA76]
    Function kernel32.dll:LoadLibraryExA (830) intercepted, method APICodeHijack.JmpTo[1002CCD6]
    Function kernel32.dll:LoadLibraryExW (831) intercepted, method APICodeHijack.JmpTo[1002CCB6]
    Function kernel32.dll:LoadLibraryW (832) intercepted, method APICodeHijack.JmpTo[1002CA56]
    Function kernel32.dll:LoadModule (833) intercepted, method APICodeHijack.JmpTo[1002CCF6]
    Function kernel32.dll:MoveFileA (863) intercepted, method APICodeHijack.JmpTo[1002CBB6]
    Function kernel32.dll:MoveFileExA (864) intercepted, method APICodeHijack.JmpTo[1002CB76]
    Function kernel32.dll:MoveFileExW (865) intercepted, method APICodeHijack.JmpTo[1002CB56]
    Function kernel32.dll:MoveFileW (868) intercepted, method APICodeHijack.JmpTo[1002CB96]
    Function kernel32.dll:MoveFileWithProgressA (869) intercepted, method APICodeHijack.JmpTo[1002CB36]
    Function kernel32.dll:MoveFileWithProgressW (870) intercepted, method APICodeHijack.JmpTo[1002CB16]
    Function kernel32.dll:OpenFile (887) intercepted, method APICodeHijack.JmpTo[1002CC96]
    Function kernel32.dll:WinExec (1299) intercepted, method APICodeHijack.JmpTo[1002CA36]
     Analysis: ntdll.dll, export table found in section .text
    Function ntdll.dll:LdrGetProcedureAddress (130) intercepted, method APICodeHijack.JmpTo[1002CD36]
    Function ntdll.dll:LdrLoadDll (137) intercepted, method APICodeHijack.JmpTo[1002A626]
    Function ntdll.dll:LdrUnloadDll (161) intercepted, method APICodeHijack.JmpTo[1001CE36]
    Function ntdll.dll:NtAdjustPrivilegesToken (190) intercepted, method APICodeHijack.JmpTo[100206A6]
    Function ntdll.dll:NtAllocateVirtualMemory (197) intercepted, method APICodeHijack.JmpTo[1002CDF6]
    Function ntdll.dll:NtAlpcConnectPort (200) intercepted, method APICodeHijack.JmpTo[100210C6]
    Function ntdll.dll:NtClose (228) intercepted, method APICodeHijack.JmpTo[1001CD16]
    Function ntdll.dll:NtConnectPort (237) intercepted, method APICodeHijack.JmpTo[10023BF6]
    Function ntdll.dll:NtCreateEvent (242) intercepted, method APICodeHijack.JmpTo[10020256]
    Function ntdll.dll:NtCreateFile (244) intercepted, method APICodeHijack.JmpTo[1002CDB6]
    Function ntdll.dll:NtCreateMutant (252) intercepted, method APICodeHijack.JmpTo[100202A6]
    Function ntdll.dll:NtCreateProcess (257) intercepted, method APICodeHijack.JmpTo[1002CE76]
    Function ntdll.dll:NtCreateProcessEx (258) intercepted, method APICodeHijack.JmpTo[1002CE56]
    Function ntdll.dll:NtCreateSection (262) intercepted, method APICodeHijack.JmpTo[10022A76]
    Function ntdll.dll:NtCreateSemaphore (263) intercepted, method APICodeHijack.JmpTo[10020206]
    Function ntdll.dll:NtCreateSymbolicLinkObject (264) intercepted, method APICodeHijack.JmpTo[100202C6]
    Function ntdll.dll:NtCreateThread (265) intercepted, method APICodeHijack.JmpTo[100243C6]
    Function ntdll.dll:NtCreateThreadEx (266) intercepted, method APICodeHijack.JmpTo[10020D26]
    Function ntdll.dll:NtDeleteFile (281) intercepted, method APICodeHijack.JmpTo[1002CE16]
    Function ntdll.dll:NtFreeVirtualMemory (310) intercepted, method APICodeHijack.JmpTo[1002C486]
    Function ntdll.dll:NtLoadDriver (335) intercepted, method APICodeHijack.JmpTo[1002CDD6]
    Function ntdll.dll:NtMakeTemporaryObject (344) intercepted, method APICodeHijack.JmpTo[10023566]
    Function ntdll.dll:NtOpenEvent (357) intercepted, method APICodeHijack.JmpTo[10020236]
    Function ntdll.dll:NtOpenFile (359) intercepted, method APICodeHijack.JmpTo[1002CD96]
    Function ntdll.dll:NtOpenMutant (367) intercepted, method APICodeHijack.JmpTo[10020286]
    Function ntdll.dll:NtOpenSection (374) intercepted, method APICodeHijack.JmpTo[100230A6]
    Function ntdll.dll:NtOpenSemaphore (375) intercepted, method APICodeHijack.JmpTo[100201E6]
    Function ntdll.dll:NtProtectVirtualMemory (395) intercepted, method APICodeHijack.JmpTo[1002C436]
    Function ntdll.dll:NtSetInformationProcess (513) intercepted, method APICodeHijack.JmpTo[1002CD56]
    Function ntdll.dll:NtSetSystemInformation (530) intercepted, method APICodeHijack.JmpTo[100237A6]
    Function ntdll.dll:NtShutdownSystem (540) intercepted, method APICodeHijack.JmpTo[10020956]
    Function ntdll.dll:NtSystemDebugControl (548) intercepted, method APICodeHijack.JmpTo[10023366]
    Function ntdll.dll:NtTerminateProcess (550) intercepted, method APICodeHijack.JmpTo[10023F66]
    Function ntdll.dll:NtTerminateThread (551) intercepted, method APICodeHijack.JmpTo[10024186]
    Function ntdll.dll:NtUnloadDriver (559) intercepted, method APICodeHijack.JmpTo[1002CD76]
    Function ntdll.dll:NtWriteVirtualMemory (598) intercepted, method APICodeHijack.JmpTo[1002CE36]
    Function ntdll.dll:RtlAllocateHeap (645) intercepted, method APICodeHijack.JmpTo[1002C4D6]
    Function ntdll.dll:ZwAdjustPrivilegesToken (1441) intercepted, method APICodeHijack.JmpTo[100206A6]
    Function ntdll.dll:ZwAllocateVirtualMemory (1448) intercepted, method APICodeHijack.JmpTo[1002CDF6]
    Function ntdll.dll:ZwAlpcConnectPort (1451) intercepted, method APICodeHijack.JmpTo[100210C6]
    Function ntdll.dll:ZwClose (1479) intercepted, method APICodeHijack.JmpTo[1001CD16]
    Function ntdll.dll:ZwConnectPort (1488) intercepted, method APICodeHijack.JmpTo[10023BF6]
    Function ntdll.dll:ZwCreateEvent (1493) intercepted, method APICodeHijack.JmpTo[10020256]
    Function ntdll.dll:ZwCreateFile (1495) intercepted, method APICodeHijack.JmpTo[1002CDB6]
    Function ntdll.dll:ZwCreateMutant (1503) intercepted, method APICodeHijack.JmpTo[100202A6]
    Function ntdll.dll:ZwCreateProcess (1508) intercepted, method APICodeHijack.JmpTo[1002CE76]
    Function ntdll.dll:ZwCreateProcessEx (1509) intercepted, method APICodeHijack.JmpTo[1002CE56]
    Function ntdll.dll:ZwCreateSection (1513) intercepted, method APICodeHijack.JmpTo[10022A76]
    Function ntdll.dll:ZwCreateSemaphore (1514) intercepted, method APICodeHijack.JmpTo[10020206]
    Function ntdll.dll:ZwCreateSymbolicLinkObject (1515) intercepted, method APICodeHijack.JmpTo[100202C6]
    Function ntdll.dll:ZwCreateThread (1516) intercepted, method APICodeHijack.JmpTo[100243C6]
    Function ntdll.dll:ZwCreateThreadEx (1517) intercepted, method APICodeHijack.JmpTo[10020D26]
    Function ntdll.dll:ZwDeleteFile (1531) intercepted, method APICodeHijack.JmpTo[1002CE16]
    Function ntdll.dll:ZwFreeVirtualMemory (1560) intercepted, method APICodeHijack.JmpTo[1002C486]
    Function ntdll.dll:ZwLoadDriver (1584) intercepted, method APICodeHijack.JmpTo[1002CDD6]
    Function ntdll.dll:ZwMakeTemporaryObject (1593) intercepted, method APICodeHijack.JmpTo[10023566]
    Function ntdll.dll:ZwOpenEvent (1606) intercepted, method APICodeHijack.JmpTo[10020236]
    Function ntdll.dll:ZwOpenFile (1608) intercepted, method APICodeHijack.JmpTo[1002CD96]
    Function ntdll.dll:ZwOpenMutant (1616) intercepted, method APICodeHijack.JmpTo[10020286]
    Function ntdll.dll:ZwOpenSection (1623) intercepted, method APICodeHijack.JmpTo[100230A6]
    Function ntdll.dll:ZwOpenSemaphore (1624) intercepted, method APICodeHijack.JmpTo[100201E6]
    Function ntdll.dll:ZwProtectVirtualMemory (1644) intercepted, method APICodeHijack.JmpTo[1002C436]
    Function ntdll.dll:ZwSetInformationProcess (1762) intercepted, method APICodeHijack.JmpTo[1002CD56]
    Function ntdll.dll:ZwSetSystemInformation (1779) intercepted, method APICodeHijack.JmpTo[100237A6]
    Function ntdll.dll:ZwShutdownSystem (1789) intercepted, method APICodeHijack.JmpTo[10020956]
    Function ntdll.dll:ZwSystemDebugControl (1797) intercepted, method APICodeHijack.JmpTo[10023366]
    Function ntdll.dll:ZwTerminateProcess (1799) intercepted, method APICodeHijack.JmpTo[10023F66]
    Function ntdll.dll:ZwTerminateThread (1800) intercepted, method APICodeHijack.JmpTo[10024186]
    Function ntdll.dll:ZwUnloadDriver (1808) intercepted, method APICodeHijack.JmpTo[1002CD76]
    Function ntdll.dll:ZwWriteVirtualMemory (1847) intercepted, method APICodeHijack.JmpTo[1002CE36]
     Analysis: user32.dll, export table found in section .text
    Function user32.dll:BlockInput (1517) intercepted, method APICodeHijack.JmpTo[10018176]
    Function user32.dll:DefDlgProcA (1657) intercepted, method ProcAddressHijack.GetProcAddress ->767A5F5A->77028944
    Function user32.dll:DefDlgProcW (1658) intercepted, method ProcAddressHijack.GetProcAddress ->767A5F75->77013F54
    Function user32.dll:DefWindowProcA (1664) intercepted, method ProcAddressHijack.GetProcAddress ->767A5F90->76FF2893
    Function user32.dll:DefWindowProcW (1665) intercepted, method ProcAddressHijack.GetProcAddress ->767A5FAB->76FE247D
    Function user32.dll:EnableWindow (1725) intercepted, method APICodeHijack.JmpTo[10017A96]
    Function user32.dll:EndTask (1730) intercepted, method APICodeHijack.JmpTo[1002E3B6]
    Function user32.dll:ExitWindowsEx (1754) intercepted, method APICodeHijack.JmpTo[10017886]
    Function user32.dll:GetAsyncKeyState (1772) intercepted, method APICodeHijack.JmpTo[10018D16]
    Function user32.dll:GetClipboardData (1787) intercepted, method APICodeHijack.JmpTo[10017F66]
    Function user32.dll:GetKeyState (1826) intercepted, method APICodeHijack.JmpTo[10018FC6]
    Function user32.dll:GetKeyboardState (1831) intercepted, method APICodeHijack.JmpTo[10019276]
    Function user32.dll:MoveWindow (2052) intercepted, method APICodeHijack.JmpTo[10018816]
    Function user32.dll:PostMessageA (2078) intercepted, method APICodeHijack.JmpTo[1001BAB6]
    Function user32.dll:PostMessageW (2079) intercepted, method APICodeHijack.JmpTo[1001B816]
    Function user32.dll:PostThreadMessageA (2081) intercepted, method APICodeHijack.JmpTo[1001B576]
    Function user32.dll:PostThreadMessageW (2082) intercepted, method APICodeHijack.JmpTo[1001B2D6]
    Function user32.dll:RegisterHotKey (2111) intercepted, method APICodeHijack.JmpTo[10017D36]
    Function user32.dll:RegisterRawInputDevices (2115) intercepted, method APICodeHijack.JmpTo[10018AF6]
    Function user32.dll:SendDlgItemMessageA (2139) intercepted, method APICodeHijack.JmpTo[10019AA6]
    Function user32.dll:SendDlgItemMessageW (2140) intercepted, method APICodeHijack.JmpTo[100197F6]
    Function user32.dll:SendInput (2143) intercepted, method APICodeHijack.JmpTo[10019526]
    Function user32.dll:SendMessageA (2144) intercepted, method APICodeHijack.JmpTo[1001B036]
    Function user32.dll:SendMessageCallbackA (2145) intercepted, method APICodeHijack.JmpTo[1001A556]
    Function user32.dll:SendMessageCallbackW (2146) intercepted, method APICodeHijack.JmpTo[1001A296]
    Function user32.dll:SendMessageTimeoutA (2147) intercepted, method APICodeHijack.JmpTo[1001AAD6]
    Function user32.dll:SendMessageTimeoutW (2148) intercepted, method APICodeHijack.JmpTo[1001A816]
    Function user32.dll:SendMessageW (2149) intercepted, method APICodeHijack.JmpTo[1001AD96]
    Function user32.dll:SendNotifyMessageA (2150) intercepted, method APICodeHijack.JmpTo[10019FF6]
    Function user32.dll:SendNotifyMessageW (2151) intercepted, method APICodeHijack.JmpTo[10019D56]
    Function user32.dll:SetClipboardViewer (2160) intercepted, method APICodeHijack.JmpTo[10018376]
    Function user32.dll:SetParent (2191) intercepted, method APICodeHijack.JmpTo[10018576]
    Function user32.dll:SetWinEventHook (2216) intercepted, method APICodeHijack.JmpTo[1001BD56]
    Function user32.dll:SetWindowsHookExA (2231) intercepted, method APICodeHijack.JmpTo[1001C716]
    Function user32.dll:SetWindowsHookExW (2232) intercepted, method APICodeHijack.JmpTo[1001C4A6]
    Function user32.dll:SystemParametersInfoA (2260) intercepted, method APICodeHijack.JmpTo[1001C286]
    Function user32.dll:SystemParametersInfoW (2261) intercepted, method APICodeHijack.JmpTo[1001C066]
    Function user32.dll:keybd_event (2329) intercepted, method APICodeHijack.JmpTo[1002B966]
    Function user32.dll:mouse_event (2330) intercepted, method APICodeHijack.JmpTo[1002B756]
     Analysis: advapi32.dll, export table found in section .text
    Function advapi32.dll:AddMandatoryAce (1029) intercepted, method ProcAddressHijack.GetProcAddress ->764F24B5->765DC334
    Function advapi32.dll:CreateProcessAsUserA (1125) intercepted, method APICodeHijack.JmpTo[10026BE6]
    Function advapi32.dll:I_QueryTagInformation (1361) intercepted, method ProcAddressHijack.GetProcAddress ->764F2655->767772D8
    Function advapi32.dll:I_ScIsSecurityProcess (1362) intercepted, method ProcAddressHijack.GetProcAddress ->764F268C->7677733F
    Function advapi32.dll:I_ScPnPGetServiceName (1363) intercepted, method ProcAddressHijack.GetProcAddress ->764F26C3->76777C40
    Function advapi32.dll:I_ScQueryServiceConfig (1364) intercepted, method ProcAddressHijack.GetProcAddress ->764F26FA->76775F8A
    Function advapi32.dll:I_ScSendPnPMessage (1365) intercepted, method ProcAddressHijack.GetProcAddress ->764F2732->76775E7D
    Function advapi32.dll:I_ScSendTSMessage (1366) intercepted, method ProcAddressHijack.GetProcAddress ->764F2766->767771C5
    Function advapi32.dll:I_ScValidatePnPService (1369) intercepted, method ProcAddressHijack.GetProcAddress ->764F2799->76776B9D
    Function advapi32.dll:IsValidRelativeSecurityDescriptor (1389) intercepted, method ProcAddressHijack.GetProcAddress ->764F27D1->765DC5DF
    Function advapi32.dll:PerfCreateInstance (1515) intercepted, method ProcAddressHijack.GetProcAddress ->764F2858->6E702187
    Function advapi32.dll:PerfDecrementULongCounterValue (1516) intercepted, method ProcAddressHijack.GetProcAddress ->764F2871->6E702A1D
    Function advapi32.dll:PerfDecrementULongLongCounterValue (1517) intercepted, method ProcAddressHijack.GetProcAddress ->764F2896->6E702B3C
    Function advapi32.dll:PerfDeleteInstance (1519) intercepted, method ProcAddressHijack.GetProcAddress ->764F28BF->6E702259
    Function advapi32.dll:PerfIncrementULongCounterValue (1522) intercepted, method ProcAddressHijack.GetProcAddress ->764F28D8->6E7027B9
    Function advapi32.dll:PerfIncrementULongLongCounterValue (1523) intercepted, method ProcAddressHijack.GetProcAddress ->764F28FD->6E7028D6
    Function advapi32.dll:PerfQueryInstance (1528) intercepted, method ProcAddressHijack.GetProcAddress ->764F2926->6E702373
    Function advapi32.dll:PerfSetCounterRefValue (1529) intercepted, method ProcAddressHijack.GetProcAddress ->764F293E->6E702447
    Function advapi32.dll:PerfSetCounterSetInfo (1530) intercepted, method ProcAddressHijack.GetProcAddress ->764F295B->6E7020B0
    Function advapi32.dll:PerfSetULongCounterValue (1531) intercepted, method ProcAddressHijack.GetProcAddress ->764F2977->6E702565
    Function advapi32.dll:PerfSetULongLongCounterValue (1532) intercepted, method ProcAddressHijack.GetProcAddress ->764F2996->6E702680
    Function advapi32.dll:PerfStartProvider (1533) intercepted, method ProcAddressHijack.GetProcAddress ->764F29B9->6E701FED
    Function advapi32.dll:PerfStartProviderEx (1534) intercepted, method ProcAddressHijack.GetProcAddress ->764F29D1->6E701F34
    Function advapi32.dll:PerfStopProvider (1535) intercepted, method ProcAddressHijack.GetProcAddress ->764F29EB->6E702026
    Function advapi32.dll:SystemFunction035 (1753) intercepted, method ProcAddressHijack.GetProcAddress ->764F2A3C->730C3EA8
     Analysis: ws2_32.dll, export table found in section .text
    Function ws2_32.dll:WSASocketA (99) intercepted, method APICodeHijack.JmpTo[1002C936]
     Analysis: wininet.dll, export table found in section .text
    Function wininet.dll:InternetConnectA (231) intercepted, method APICodeHijack.JmpTo[1002C976]
    Function wininet.dll:InternetConnectW (232) intercepted, method APICodeHijack.JmpTo[1002C956]
     Analysis: rasapi32.dll, export table found in section .text
     Analysis: urlmon.dll, export table found in section .text
    Function urlmon.dll:URLDownloadToCacheFileA (216) intercepted, method APICodeHijack.JmpTo[1002C8B6]
    Function urlmon.dll:URLDownloadToCacheFileW (217) intercepted, method APICodeHijack.JmpTo[1002C896]
    Function urlmon.dll:URLDownloadToFileA (218) intercepted, method APICodeHijack.JmpTo[1002C8F6]
    Function urlmon.dll:URLDownloadToFileW (219) intercepted, method APICodeHijack.JmpTo[1002C8D6]
     Analysis: netapi32.dll, export table found in section .text
    Function netapi32.dll:DavAddConnection (1) intercepted, method ProcAddressHijack.GetProcAddress ->72443B10->6E6F29DD
    Function netapi32.dll:DavDeleteConnection (2) intercepted, method ProcAddressHijack.GetProcAddress ->72443B29->6E6F181B
    Function netapi32.dll:DavFlushFile (3) intercepted, method ProcAddressHijack.GetProcAddress ->72443B45->6E6F1713
    Function netapi32.dll:DavGetExtendedError (4) intercepted, method ProcAddressHijack.GetProcAddress ->72443B5A->6E6F2347
    Function netapi32.dll:DavGetHTTPFromUNCPath (5) intercepted, method ProcAddressHijack.GetProcAddress ->72443B76->6E6F275B
    Function netapi32.dll:DavGetUNCFromHTTPPath (6) intercepted, method ProcAddressHijack.GetProcAddress ->72443B94->6E6F257D
    Function netapi32.dll:DsAddressToSiteNamesA (7) intercepted, method ProcAddressHijack.GetProcAddress ->72443BB2->6E6D4A4D
    Function netapi32.dll:DsAddressToSiteNamesExA (8) intercepted, method ProcAddressHijack.GetProcAddress ->72443BD1->6E6D4D79
    Function netapi32.dll:DsAddressToSiteNamesExW (9) intercepted, method ProcAddressHijack.GetProcAddress ->72443BF2->6E6D5049
    Function netapi32.dll:DsAddressToSiteNamesW (10) intercepted, method ProcAddressHijack.GetProcAddress ->72443C13->6E6D4C29
    Function netapi32.dll:DsDeregisterDnsHostRecordsA (11) intercepted, method ProcAddressHijack.GetProcAddress ->72443C32->6E6D6DD9
    Function netapi32.dll:DsDeregisterDnsHostRecordsW (12) intercepted, method ProcAddressHijack.GetProcAddress ->72443C57->6E6D6D59
    Function netapi32.dll:DsEnumerateDomainTrustsA (13) intercepted, method ProcAddressHijack.GetProcAddress ->72443C7C->6E6D6771
    Function netapi32.dll:DsEnumerateDomainTrustsW (14) intercepted, method ProcAddressHijack.GetProcAddress ->72443C9E->6E6C60BC
    Function netapi32.dll:DsGetDcCloseW (15) intercepted, method ProcAddressHijack.GetProcAddress ->72443CC0->6E6D495D
    Function netapi32.dll:DsGetDcNameA (16) intercepted, method ProcAddressHijack.GetProcAddress ->72443CD7->6E6D5BB2
    Function netapi32.dll:DsGetDcNameW (17) intercepted, method ProcAddressHijack.GetProcAddress ->72443CED->6E6C4CA8
    Function netapi32.dll:DsGetDcNameWithAccountA (18) intercepted, method ProcAddressHijack.GetProcAddress ->72443D03->6E6D55E9
    Function netapi32.dll:DsGetDcNameWithAccountW (19) intercepted, method ProcAddressHijack.GetProcAddress ->72443D24->6E6C4CD1
    Function netapi32.dll:DsGetDcNextA (20) intercepted, method ProcAddressHijack.GetProcAddress ->72443D45->6E6D4896
    Function netapi32.dll:DsGetDcNextW (21) intercepted, method ProcAddressHijack.GetProcAddress ->72443D5B->6E6D47ED
    Function netapi32.dll:DsGetDcOpenA (22) intercepted, method ProcAddressHijack.GetProcAddress ->72443D71->6E6D473D
    Function netapi32.dll:DsGetDcOpenW (23) intercepted, method ProcAddressHijack.GetProcAddress ->72443D87->6E6D46AB
    Function netapi32.dll:DsGetDcSiteCoverageA (24) intercepted, method ProcAddressHijack.GetProcAddress ->72443D9D->6E6D5239
    Function netapi32.dll:DsGetDcSiteCoverageW (25) intercepted, method ProcAddressHijack.GetProcAddress ->72443DBB->6E6D5409
    Function netapi32.dll:DsGetForestTrustInformationW (26) intercepted, method ProcAddressHijack.GetProcAddress ->72443DD9->6E6D6E6F
    Function netapi32.dll:DsGetSiteNameA (27) intercepted, method ProcAddressHijack.GetProcAddress ->72443DFF->6E6D5B39
    Function netapi32.dll:DsGetSiteNameW (28) intercepted, method ProcAddressHijack.GetProcAddress ->72443E17->6E6C5F24
    Function netapi32.dll:DsMergeForestTrustInformationW (29) intercepted, method ProcAddressHijack.GetProcAddress ->72443E2F->6E6D6F71
    Function netapi32.dll:DsRoleAbortDownlevelServerUpgrade (30) intercepted, method ProcAddressHijack.GetProcAddress ->72443E57->6E6B4339
    Function netapi32.dll:DsRoleCancel (31) intercepted, method ProcAddressHijack.GetProcAddress ->72443E80->6E6B34A9
    Function netapi32.dll:DsRoleDcAsDc (32) intercepted, method ProcAddressHijack.GetProcAddress ->72443E94->6E6B3EAD
    Function netapi32.dll:DsRoleDcAsReplica (33) intercepted, method ProcAddressHijack.GetProcAddress ->72443EA8->6E6B3F99
    Function netapi32.dll:DsRoleDemoteDc (34) intercepted, method ProcAddressHijack.GetProcAddress ->72443EC1->6E6B4189
    Function netapi32.dll:DsRoleDnsNameToFlatName (35) intercepted, method ProcAddressHijack.GetProcAddress ->72443ED7->6E6B32B5
    Function netapi32.dll:DsRoleFreeMemory (36) intercepted, method ProcAddressHijack.GetProcAddress ->72443EF6->6E6B19A9
    Function netapi32.dll:DsRoleGetDatabaseFacts (37) intercepted, method ProcAddressHijack.GetProcAddress ->72443F0E->6E6B3651
    Function netapi32.dll:DsRoleGetDcOperationProgress (38) intercepted, method ProcAddressHijack.GetProcAddress ->72443F2C->6E6B3351
    Function netapi32.dll:DsRoleGetDcOperationResults (39) intercepted, method ProcAddressHijack.GetProcAddress ->72443F50->6E6B3401
    Function netapi32.dll:DsRoleGetPrimaryDomainInformation (40) intercepted, method ProcAddressHijack.GetProcAddress ->72443F73->6E6B1F3D
    Function netapi32.dll:DsRoleIfmHandleFree (41) intercepted, method ProcAddressHijack.GetProcAddress ->72443F9C->6E6B3539
    Function netapi32.dll:DsRoleServerSaveStateForUpgrade (42) intercepted, method ProcAddressHijack.GetProcAddress ->72443FB7->6E6B35C9
    Function netapi32.dll:DsRoleUpgradeDownlevelServer (43) intercepted, method ProcAddressHijack.GetProcAddress ->72443FDE->6E6B4261
    Function netapi32.dll:DsValidateSubnetNameA (44) intercepted, method ProcAddressHijack.GetProcAddress ->72444002->6E6D5AF9
    Function netapi32.dll:DsValidateSubnetNameW (45) intercepted, method ProcAddressHijack.GetProcAddress ->72444021->6E6D49E1
    Function netapi32.dll:I_BrowserDebugCall (46) intercepted, method ProcAddressHijack.GetProcAddress ->72444040->6E6A24A9
    Function netapi32.dll:I_BrowserDebugTrace (47) intercepted, method ProcAddressHijack.GetProcAddress ->7244405B->6E6A2581
    Function netapi32.dll:I_BrowserQueryEmulatedDomains (48) intercepted, method ProcAddressHijack.GetProcAddress ->72444077->6E6A29F9
    Function netapi32.dll:I_BrowserQueryOtherDomains (49) intercepted, method ProcAddressHijack.GetProcAddress ->7244409D->6E6A22C1
    Function netapi32.dll:I_BrowserQueryStatistics (50) intercepted, method ProcAddressHijack.GetProcAddress ->724440C0->6E6A2651
    Function netapi32.dll:I_BrowserResetNetlogonState (51) intercepted, method ProcAddressHijack.GetProcAddress ->724440E1->6E6A23D1
    Function netapi32.dll:I_BrowserResetStatistics (52) intercepted, method ProcAddressHijack.GetProcAddress ->72444105->6E6A2729
    Function netapi32.dll:I_BrowserServerEnum (53) intercepted, method ProcAddressHijack.GetProcAddress ->72444126->6E6A20BF
    Function netapi32.dll:I_BrowserSetNetlogonState (54) intercepted, method ProcAddressHijack.GetProcAddress ->72444142->6E6A2919
    Function netapi32.dll:I_DsUpdateReadOnlyServerDnsRecords (55) intercepted, method ProcAddressHijack.GetProcAddress ->72444164->6E6D5569
    Function netapi32.dll:I_NetAccountDeltas (56) intercepted, method ProcAddressHijack.GetProcAddress ->72444190->6E6D63AB
    Function netapi32.dll:I_NetAccountSync (57) intercepted, method ProcAddressHijack.GetProcAddress ->724441AC->6E6D63AB
    Function netapi32.dll:I_NetChainSetClientAttributes (59) intercepted, method ProcAddressHijack.GetProcAddress ->724441C6->6E6D6FA6
    Function netapi32.dll:I_NetChainSetClientAttributes2 (58) intercepted, method ProcAddressHijack.GetProcAddress ->724441ED->6E6D7029
    Function netapi32.dll:I_NetDatabaseDeltas (60) intercepted, method ProcAddressHijack.GetProcAddress ->72444215->6E6D6391
    Function netapi32.dll:I_NetDatabaseRedo (61) intercepted, method ProcAddressHijack.GetProcAddress ->72444232->6E6D6521
    Function netapi32.dll:I_NetDatabaseSync (63) intercepted, method ProcAddressHijack.GetProcAddress ->7244424D->6E6D6391
    Function netapi32.dll:I_NetDatabaseSync2 (62) intercepted, method ProcAddressHijack.GetProcAddress ->72444268->6E6D639E
    Function netapi32.dll:I_NetDfsGetVersion (64) intercepted, method ProcAddressHijack.GetProcAddress ->72444284->73107CA1
    Function netapi32.dll:I_NetDfsIsThisADomainName (65) intercepted, method ProcAddressHijack.GetProcAddress ->7244429E->6E694E39
    Function netapi32.dll:I_NetGetDCList (66) intercepted, method ProcAddressHijack.GetProcAddress ->724442BF->6E6D5D9C
    Function netapi32.dll:I_NetGetForestTrustInformation (67) intercepted, method ProcAddressHijack.GetProcAddress ->724442D7->6E6D6EF1
    Function netapi32.dll:I_NetLogonControl (69) intercepted, method ProcAddressHijack.GetProcAddress ->724442FF->6E6D63B8
    Function netapi32.dll:I_NetLogonControl2 (68) intercepted, method ProcAddressHijack.GetProcAddress ->7244431A->6E6D6439
    Function netapi32.dll:I_NetLogonGetDomainInfo (70) intercepted, method ProcAddressHijack.GetProcAddress ->72444336->6E6C64A4
    Function netapi32.dll:I_NetLogonSamLogoff (71) intercepted, method ProcAddressHijack.GetProcAddress ->72444357->6E6D6091
    Function netapi32.dll:I_NetLogonSamLogon (72) intercepted, method ProcAddressHijack.GetProcAddress ->72444374->6E6D5F39
    Function netapi32.dll:I_NetLogonSamLogonEx (73) intercepted, method ProcAddressHijack.GetProcAddress ->72444390->6E6D5FE1
    Function netapi32.dll:I_NetLogonSamLogonWithFlags (74) intercepted, method ProcAddressHijack.GetProcAddress ->724443AE->6E6CB22A
    Function netapi32.dll:I_NetLogonSendToSam (75) intercepted, method ProcAddressHijack.GetProcAddress ->724443D3->6E6D6111
    Function netapi32.dll:I_NetLogonUasLogoff (76) intercepted, method ProcAddressHijack.GetProcAddress ->724443F0->6E6D5EC9
    Function netapi32.dll:I_NetLogonUasLogon (77) intercepted, method ProcAddressHijack.GetProcAddress ->7244440D->6E6D5E53
    Function netapi32.dll:I_NetServerAuthenticate (80) intercepted, method ProcAddressHijack.GetProcAddress ->72444429->6E6D6191
    Function netapi32.dll:I_NetServerAuthenticate2 (78) intercepted, method ProcAddressHijack.GetProcAddress ->7244444A->6E6D6211
    Function netapi32.dll:I_NetServerAuthenticate3 (79) intercepted, method ProcAddressHijack.GetProcAddress ->7244446C->6E6C6393
    Function netapi32.dll:I_NetServerGetTrustInfo (81) intercepted, method ProcAddressHijack.GetProcAddress ->7244448E->6E6D6C61
    Function netapi32.dll:I_NetServerPasswordGet (82) intercepted, method ProcAddressHijack.GetProcAddress ->724444AF->6E6D6B61
    Function netapi32.dll:I_NetServerPasswordSet (84) intercepted, method ProcAddressHijack.GetProcAddress ->724444CF->6E6D6291
    Function netapi32.dll:I_NetServerPasswordSet2 (83) intercepted, method ProcAddressHijack.GetProcAddress ->724444EF->6E6D6311
    Function netapi32.dll:I_NetServerReqChallenge (85) intercepted, method ProcAddressHijack.GetProcAddress ->72444510->6E6C6424
    Function netapi32.dll:I_NetServerSetServiceBits (86) intercepted, method ProcAddressHijack.GetProcAddress ->72444531->7310426D
    Function netapi32.dll:I_NetServerSetServiceBitsEx (87) intercepted, method ProcAddressHijack.GetProcAddress ->72444552->73106D11
    Function netapi32.dll:I_NetServerTrustPasswordsGet (88) intercepted, method ProcAddressHijack.GetProcAddress ->72444575->6E6D6BE1
    Function netapi32.dll:I_NetlogonComputeClientDigest (89) intercepted, method ProcAddressHijack.GetProcAddress ->7244459B->6E6C5C20
    Function netapi32.dll:I_NetlogonComputeServerDigest (90) intercepted, method ProcAddressHijack.GetProcAddress ->724445C2->6E6D6AEC
    Function netapi32.dll:NetAddAlternateComputerName (97) intercepted, method ProcAddressHijack.GetProcAddress ->724445E9->72425B21
    Function netapi32.dll:NetAddServiceAccount (98) intercepted, method ProcAddressHijack.GetProcAddress ->7244460C->6E6D70B1
    Function netapi32.dll:NetApiBufferAllocate (101) intercepted, method ProcAddressHijack.GetProcAddress ->7244462A->72431415
    Function netapi32.dll:NetApiBufferFree (102) intercepted, method ProcAddressHijack.GetProcAddress ->72444648->724313D2
    Function netapi32.dll:NetApiBufferReallocate (103) intercepted, method ProcAddressHijack.GetProcAddress ->72444662->72433729
    Function netapi32.dll:NetApiBufferSize (104) intercepted, method ProcAddressHijack.GetProcAddress ->72444682->72433771
    Function netapi32.dll:NetBrowserStatisticsGet (108) intercepted, method ProcAddressHijack.GetProcAddress ->7244469C->6E6A2801
    Function netapi32.dll:NetConnectionEnum (112) intercepted, method ProcAddressHijack.GetProcAddress ->724446BC->73105521
    Function netapi32.dll:NetDfsAdd (113) intercepted, method ProcAddressHijack.GetProcAddress ->724446D5->6E6978FD
    Function netapi32.dll:NetDfsAddFtRoot (114) intercepted, method ProcAddressHijack.GetProcAddress ->724446E6->6E696859
    Function netapi32.dll:NetDfsAddRootTarget (115) intercepted, method ProcAddressHijack.GetProcAddress ->724446FD->6E697401
    Function netapi32.dll:NetDfsAddStdRoot (116) intercepted, method ProcAddressHijack.GetProcAddress ->72444718->6E692B1E
    Function netapi32.dll:NetDfsAddStdRootForced (117) intercepted, method ProcAddressHijack.GetProcAddress ->72444730->6E692BB1
    Function netapi32.dll:NetDfsEnum (118) intercepted, method ProcAddressHijack.GetProcAddress ->7244474E->6E6970F9
    Function netapi32.dll:NetDfsGetClientInfo (119) intercepted, method ProcAddressHijack.GetProcAddress ->72444760->6E693F25
    Function netapi32.dll:NetDfsGetDcAddress (120) intercepted, method ProcAddressHijack.GetProcAddress ->7244477B->6E692C51
    Function netapi32.dll:NetDfsGetFtContainerSecurity (121) intercepted, method ProcAddressHijack.GetProcAddress ->72444795->6E695363
    Function netapi32.dll:NetDfsGetInfo (122) intercepted, method ProcAddressHijack.GetProcAddress ->724447B9->6E692D69
    Function netapi32.dll:NetDfsGetSecurity (123) intercepted, method ProcAddressHijack.GetProcAddress ->724447CE->6E697741
    Function netapi32.dll:NetDfsGetStdContainerSecurity (124) intercepted, method ProcAddressHijack.GetProcAddress ->724447E7->6E693AD5
    Function netapi32.dll:NetDfsGetSupportedNamespaceVersion (125) intercepted, method ProcAddressHijack.GetProcAddress ->7244480C->6E695C19
    Function netapi32.dll:NetDfsManagerGetConfigInfo (126) intercepted, method ProcAddressHijack.GetProcAddress ->72444836->6E692E9C
    Function netapi32.dll:NetDfsManagerInitialize (127) intercepted, method ProcAddressHijack.GetProcAddress ->72444858->6E692F91
    Function netapi32.dll:NetDfsManagerSendSiteInfo (128) intercepted, method ProcAddressHijack.GetProcAddress ->72444877->6E6972C5
    Function netapi32.dll:NetDfsMove (129) intercepted, method ProcAddressHijack.GetProcAddress ->72444898->6E695651
    Function netapi32.dll:NetDfsRemove (130) intercepted, method ProcAddressHijack.GetProcAddress ->724448AA->6E697A19
    Function netapi32.dll:NetDfsRemoveFtRoot (131) intercepted, method ProcAddressHijack.GetProcAddress ->724448BE->6E696A99
    Function netapi32.dll:NetDfsRemoveFtRootForced (132) intercepted, method ProcAddressHijack.GetProcAddress ->724448D8->6E696BE5
    Function netapi32.dll:NetDfsRemoveRootTarget (133) intercepted, method ProcAddressHijack.GetProcAddress ->724448F8->6E695879
    Function netapi32.dll:NetDfsRemoveStdRoot (134) intercepted, method ProcAddressHijack.GetProcAddress ->72444916->6E692CE1
    Function netapi32.dll:NetDfsRename (135) intercepted, method ProcAddressHijack.GetProcAddress ->72444931->6E692E91
    Function netapi32.dll:NetDfsSetClientInfo (136) intercepted, method ProcAddressHijack.GetProcAddress ->72444945->6E694301
    Function netapi32.dll:NetDfsSetFtContainerSecurity (137) intercepted, method ProcAddressHijack.GetProcAddress ->72444960->6E6953AF
    Function netapi32.dll:NetDfsSetInfo (138) intercepted, method ProcAddressHijack.GetProcAddress ->72444984->6E696D8B
    Function netapi32.dll:NetDfsSetSecurity (139) intercepted, method ProcAddressHijack.GetProcAddress ->72444999->6E697822
    Function netapi32.dll:NetDfsSetStdContainerSecurity (140) intercepted, method ProcAddressHijack.GetProcAddress ->724449B2->6E693B24
    Function netapi32.dll:NetEnumerateComputerNames (141) intercepted, method ProcAddressHijack.GetProcAddress ->724449D7->72425E39
    Function netapi32.dll:NetEnumerateServiceAccounts (142) intercepted, method ProcAddressHijack.GetProcAddress ->724449F8->6E6D7199
    Function netapi32.dll:NetEnumerateTrustedDomains (143) intercepted, method ProcAddressHijack.GetProcAddress ->72444A1D->6E6D652E
    Function netapi32.dll:NetFileClose (147) intercepted, method ProcAddressHijack.GetProcAddress ->72444A41->73105659
    Function netapi32.dll:NetFileEnum (148) intercepted, method ProcAddressHijack.GetProcAddress ->72444A55->73105729
    Function netapi32.dll:NetFileGetInfo (149) intercepted, method ProcAddressHijack.GetProcAddress ->72444A68->73105859
    Function netapi32.dll:NetGetAnyDCName (150) intercepted, method ProcAddressHijack.GetProcAddress ->72444A7E->6E6D496D
    Function netapi32.dll:NetGetDCName (151) intercepted, method ProcAddressHijack.GetProcAddress ->72444A97->6E6D5913
    Function netapi32.dll:NetGetDisplayInformationIndex (152) intercepted, method ProcAddressHijack.GetProcAddress ->72444AAD->72414117
    Function netapi32.dll:NetGetJoinInformation (153) intercepted, method ProcAddressHijack.GetProcAddress ->72444AD2->72422DC7
    Function netapi32.dll:NetGetJoinableOUs (154) intercepted, method ProcAddressHijack.GetProcAddress ->72444AEF->724259D1
    Function netapi32.dll:NetGroupAdd (155) intercepted, method ProcAddressHijack.GetProcAddress ->72444B08->724171C3
    Function netapi32.dll:NetGroupAddUser (156) intercepted, method ProcAddressHijack.GetProcAddress ->72444B1B->724173AD
    Function netapi32.dll:NetGroupDel (157) intercepted, method ProcAddressHijack.GetProcAddress ->72444B32->724173CB
    Function netapi32.dll:NetGroupDelUser (158) intercepted, method ProcAddressHijack.GetProcAddress ->72444B45->724173EB
    Function netapi32.dll:NetGroupEnum (159) intercepted, method ProcAddressHijack.GetProcAddress ->72444B5C->72417409
    Function netapi32.dll:NetGroupGetInfo (160) intercepted, method ProcAddressHijack.GetProcAddress ->72444B70->724178C8
    Function netapi32.dll:NetGroupGetUsers (161) intercepted, method ProcAddressHijack.GetProcAddress ->72444B87->72417952
    Function netapi32.dll:NetGroupSetInfo (162) intercepted, method ProcAddressHijack.GetProcAddress ->72444B9F->72417C02
    Function netapi32.dll:NetGroupSetUsers (163) intercepted, method ProcAddressHijack.GetProcAddress ->72444BB6->72417DAE
    Function netapi32.dll:NetIsServiceAccount (164) intercepted, method ProcAddressHijack.GetProcAddress ->72444BCE->6E6D72D9
    Function netapi32.dll:NetJoinDomain (165) intercepted, method ProcAddressHijack.GetProcAddress ->72444BEB->724254B9
    Function netapi32.dll:NetLocalGroupAdd (166) intercepted, method ProcAddressHijack.GetProcAddress ->72444C00->7241875A
    Function netapi32.dll:NetLocalGroupAddMember (167) intercepted, method ProcAddressHijack.GetProcAddress ->72444C18->72418886
    Function netapi32.dll:NetLocalGroupAddMembers (168) intercepted, method ProcAddressHijack.GetProcAddress ->72444C36->72418E99
    Function netapi32.dll:NetLocalGroupDel (169) intercepted, method ProcAddressHijack.GetProcAddress ->72444C55->724188A4
    Function netapi32.dll:NetLocalGroupDelMember (170) intercepted, method ProcAddressHijack.GetProcAddress ->72444C6D->72418928
    Function netapi32.dll:NetLocalGroupDelMembers (171) intercepted, method ProcAddressHijack.GetProcAddress ->72444C8B->72418EBD
    Function netapi32.dll:NetLocalGroupEnum (172) intercepted, method ProcAddressHijack.GetProcAddress ->72444CAA->72418946
    Function netapi32.dll:NetLocalGroupGetInfo (173) intercepted, method ProcAddressHijack.GetProcAddress ->72444CC3->72418CE4
    Function netapi32.dll:NetLocalGroupGetMembers (174) intercepted, method ProcAddressHijack.GetProcAddress ->72444CDF->72412265
    Function netapi32.dll:NetLocalGroupSetInfo (175) intercepted, method ProcAddressHijack.GetProcAddress ->72444CFE->72418D57
    Function netapi32.dll:NetLocalGroupSetMembers (176) intercepted, method ProcAddressHijack.GetProcAddress ->72444D1A->72418E75
    Function netapi32.dll:NetLogonGetTimeServiceParentDomain (177) intercepted, method ProcAddressHijack.GetProcAddress ->72444D39->6E6D6CE9
    Function netapi32.dll:NetLogonSetServiceBits (178) intercepted, method ProcAddressHijack.GetProcAddress ->72444D65->6E6C603C
    Function netapi32.dll:NetProvisionComputerAccount (184) intercepted, method ProcAddressHijack.GetProcAddress ->72444D85->6E67F2D3
    Function netapi32.dll:NetQueryDisplayInformation (185) intercepted, method ProcAddressHijack.GetProcAddress ->72444DA9->72413D87
    Function netapi32.dll:NetQueryServiceAccount (186) intercepted, method ProcAddressHijack.GetProcAddress ->72444DCB->6E6D7249
    Function netapi32.dll:NetRemoteComputerSupports (188) intercepted, method ProcAddressHijack.GetProcAddress ->72444DEB->72432160
    Function netapi32.dll:NetRemoteTOD (189) intercepted, method ProcAddressHijack.GetProcAddress ->72444E0E->73106C11
    Function netapi32.dll:NetRemoveAlternateComputerName (190) intercepted, method ProcAddressHijack.GetProcAddress ->72444E22->72425C29
    Function netapi32.dll:NetRemoveServiceAccount (191) intercepted, method ProcAddressHijack.GetProcAddress ->72444E48->6E6D7129
    Function netapi32.dll:NetRenameMachineInDomain (192) intercepted, method ProcAddressHijack.GetProcAddress ->72444E69->72425751
    Function netapi32.dll:NetRequestOfflineDomainJoin (208) intercepted, method ProcAddressHijack.GetProcAddress ->72444E89->6E67B52F
    Function netapi32.dll:NetScheduleJobAdd (209) intercepted, method ProcAddressHijack.GetProcAddress ->72444EAD->6E6519D1
    Function netapi32.dll:NetScheduleJobDel (210) intercepted, method ProcAddressHijack.GetProcAddress ->72444EC8->6E651AC9
    Function netapi32.dll:NetScheduleJobEnum (211) intercepted, method ProcAddressHijack.GetProcAddress ->72444EE3->6E651BC1
    Function netapi32.dll:NetScheduleJobGetInfo (212) intercepted, method ProcAddressHijack.GetProcAddress ->72444EFF->6E651CE1
    Function netapi32.dll:NetServerAliasAdd (213) intercepted, method ProcAddressHijack.GetProcAddress ->72444F1E->73107843
    Function netapi32.dll:NetServerAliasDel (214) intercepted, method ProcAddressHijack.GetProcAddress ->72444F37->73107A79
    Function netapi32.dll:NetServerAliasEnum (215) intercepted, method ProcAddressHijack.GetProcAddress ->72444F50->73107931
    Function netapi32.dll:NetServerComputerNameAdd (216) intercepted, method ProcAddressHijack.GetProcAddress ->72444F6A->73107411
    Function netapi32.dll:NetServerComputerNameDel (217) intercepted, method ProcAddressHijack.GetProcAddress ->72444F8A->731076FB
    Function netapi32.dll:NetServerDiskEnum (218) intercepted, method ProcAddressHijack.GetProcAddress ->72444FAA->73106559
    Function netapi32.dll:NetServerEnum (219) intercepted, method ProcAddressHijack.GetProcAddress ->72444FC3->6E6A2F61
    Function netapi32.dll:NetServerEnumEx (220) intercepted, method ProcAddressHijack.GetProcAddress ->72444FD9->6E6A2C5F
    Function netapi32.dll:NetServerGetInfo (221) intercepted, method ProcAddressHijack.GetProcAddress ->72444FF1->73103CFA
    Function netapi32.dll:NetServerSetInfo (222) intercepted, method ProcAddressHijack.GetProcAddress ->72445009->73106681
    Function netapi32.dll:NetServerTransportAdd (223) intercepted, method ProcAddressHijack.GetProcAddress ->72445021->73106851
    Function netapi32.dll:NetServerTransportAddEx (224) intercepted, method ProcAddressHijack.GetProcAddress ->7244503E->73107329
    Function netapi32.dll:NetServerTransportDel (225) intercepted, method ProcAddressHijack.GetProcAddress ->7244505D->73106A01
    Function netapi32.dll:NetServerTransportEnum (226) intercepted, method ProcAddressHijack.GetProcAddress ->7244507A->73106AD9
    Function netapi32.dll:NetSessionDel (231) intercepted, method ProcAddressHijack.GetProcAddress ->72445098->73105941
    Function netapi32.dll:NetSessionEnum (232) intercepted, method ProcAddressHijack.GetProcAddress ->724450AD->73105A11
    Function netapi32.dll:NetSessionGetInfo (233) intercepted, method ProcAddressHijack.GetProcAddress ->724450C3->73105B41
    Function netapi32.dll:NetSetPrimaryComputerName (234) intercepted, method ProcAddressHijack.GetProcAddress ->724450DC->72425D31
    Function netapi32.dll:NetShareAdd (235) intercepted, method ProcAddressHijack.GetProcAddress ->724450FD->73105C81
    Function netapi32.dll:NetShareCheck (236) intercepted, method ProcAddressHijack.GetProcAddress ->72445110->73105E91
    Function netapi32.dll:NetShareDel (237) intercepted, method ProcAddressHijack.GetProcAddress ->72445125->73105F81
    Function netapi32.dll:NetShareDelEx (238) intercepted, method ProcAddressHijack.GetProcAddress ->72445138->73107B61
    Function netapi32.dll:NetShareDelSticky (239) intercepted, method ProcAddressHijack.GetProcAddress ->7244514D->731060D1
    Function netapi32.dll:NetShareEnum (240) intercepted, method ProcAddressHijack.GetProcAddress ->72445166->73103F91
    Function netapi32.dll:NetShareEnumSticky (241) intercepted, method ProcAddressHijack.GetProcAddress ->7244517A->731061C9
    Function netapi32.dll:NetShareGetInfo (242) intercepted, method ProcAddressHijack.GetProcAddress ->72445194->7310433F
    Function netapi32.dll:NetShareSetInfo (243) intercepted, method ProcAddressHijack.GetProcAddress ->724451AB->73106341
    Function netapi32.dll:NetUnjoinDomain (245) intercepted, method ProcAddressHijack.GetProcAddress ->724451C2->72425641
    Function netapi32.dll:NetUseAdd (247) intercepted, method ProcAddressHijack.GetProcAddress ->724451D9->72423693
    Function netapi32.dll:NetUseDel (248) intercepted, method ProcAddressHijack.GetProcAddress ->724451EA->72425FA9
    Function netapi32.dll:NetUseEnum (249) intercepted, method ProcAddressHijack.GetProcAddress ->724451FB->72423184
    Function netapi32.dll:NetUseGetInfo (250) intercepted, method ProcAddressHijack.GetProcAddress ->7244520D->72426039
    Function netapi32.dll:NetUserAdd (251) intercepted, method ProcAddressHijack.GetProcAddress ->72445222->7241464F
    Function netapi32.dll:NetUserChangePassword (252) intercepted, method ProcAddressHijack.GetProcAddress ->72445234->72415A06
    Function netapi32.dll:NetUserDel (253) intercepted, method ProcAddressHijack.GetProcAddress ->72445251->72414826
    Function netapi32.dll:NetUserEnum (254) intercepted, method ProcAddressHijack.GetProcAddress ->72445263->724149D6
    Function netapi32.dll:NetUserGetGroups (255) intercepted, method ProcAddressHijack.GetProcAddress ->72445276->72414E01
    Function netapi32.dll:NetUserGetInfo (256) intercepted, method ProcAddressHijack.GetProcAddress ->7244528E->72411C60
    Function netapi32.dll:NetUserGetLocalGroups (257) intercepted, method ProcAddressHijack.GetProcAddress ->724452A4->72412875
    Function netapi32.dll:NetUserModalsGet (258) intercepted, method ProcAddressHijack.GetProcAddress ->724452C1->7241206B
    Function netapi32.dll:NetUserModalsSet (259) intercepted, method ProcAddressHijack.GetProcAddress ->724452D9->724154AA
    Function netapi32.dll:NetUserSetGroups (260) intercepted, method ProcAddressHijack.GetProcAddress ->724452F1->72415095
    Function netapi32.dll:NetUserSetInfo (261) intercepted, method ProcAddressHijack.GetProcAddress ->72445309->72414D1D
    Function netapi32.dll:NetValidateName (262) intercepted, method ProcAddressHijack.GetProcAddress ->7244531F->72425859
    Function netapi32.dll:NetValidatePasswordPolicy (263) intercepted, method ProcAddressHijack.GetProcAddress ->72445336->72419967
    Function netapi32.dll:NetValidatePasswordPolicyFree (264) intercepted, method ProcAddressHijack.GetProcAddress ->72445357->72419B6B
    Function netapi32.dll:NetWkstaTransportAdd (267) intercepted, method ProcAddressHijack.GetProcAddress ->7244537C->72424E45
    Function netapi32.dll:NetWkstaTransportDel (268) intercepted, method ProcAddressHijack.GetProcAddress ->72445398->72424F21
    Function netapi32.dll:NetWkstaTransportEnum (269) intercepted, method ProcAddressHijack.GetProcAddress ->724453B4->72424CF9
    Function netapi32.dll:NetWkstaUserEnum (270) intercepted, method ProcAddressHijack.GetProcAddress ->724453D1->72424AD1
    Function netapi32.dll:NetWkstaUserGetInfo (271) intercepted, method ProcAddressHijack.GetProcAddress ->724453E9->72423280
    Function netapi32.dll:NetWkstaUserSetInfo (272) intercepted, method ProcAddressHijack.GetProcAddress ->72445404->72424C15
    Function netapi32.dll:NetapipBufferAllocate (273) intercepted, method ProcAddressHijack.GetProcAddress ->7244541F->724337AA
    Function netapi32.dll:NetpIsRemote (289) intercepted, method ProcAddressHijack.GetProcAddress ->7244543E->7243382D
    Function netapi32.dll:NetpwNameCanonicalize (296) intercepted, method ProcAddressHijack.GetProcAddress ->72445454->72431C30
    Function netapi32.dll:NetpwNameCompare (297) intercepted, method ProcAddressHijack.GetProcAddress ->72445473->72431F2E
    Function netapi32.dll:NetpwNameValidate (298) intercepted, method ProcAddressHijack.GetProcAddress ->7244548D->72431990
    Function netapi32.dll:NetpwPathCanonicalize (299) intercepted, method ProcAddressHijack.GetProcAddress ->724454A8->7243275D
    Function netapi32.dll:NetpwPathCompare (300) intercepted, method ProcAddressHijack.GetProcAddress ->724454C7->72434086
    Function netapi32.dll:NetpwPathType (301) intercepted, method ProcAddressHijack.GetProcAddress ->724454E1->72432533
    Function netapi32.dll:NlBindingAddServerToCache (302) intercepted, method ProcAddressHijack.GetProcAddress ->724454F8->6E6C61F8
    Function netapi32.dll:NlBindingRemoveServerFromCache (303) intercepted, method ProcAddressHijack.GetProcAddress ->7244551B->6E6C5D67
    Function netapi32.dll:NlBindingSetAuthInfo (304) intercepted, method ProcAddressHijack.GetProcAddress ->72445543->6E6C6198
    
    
    PLEASE, please please please, do not reply with suggestions for tools to scan with, what programs to run, etc. I'm just trying to figure out what these hooks are, why they are there, and what put them there.

    See, this is a brand new fresh installation of windows enterprise that I downloaded directly from microsoft.com (It's a 90 day trial of the enterprise version) and installed from a wiped HD.

    So either these hooks are already created from the Windows Enterprise version of Windows 7 from Microsoft (Highly unlikely. It shouldn't have ANY hooks AT ALL, EVER, on a fresh install.)

    ...or, a bootkit/rootkit is creating these hooks as windows installs, after windows installs, or shortly after I boot into the new fresh install of windows.

    (I installed this windows after wiping my whole HD. The hooks are still there.) AVZ4 supports 64 bit and enterprise versions of windows.


    There is one way to find out for sure, and that's if someone downloads the 90 day trial of Windows Enterprise from microsoft.com, installs it, and then scans with AVZ4 from Kaspersky to see if they have the same hooks show up in the logs. If they do, then that means the hooks are legit and come from windows. If they don't show up in the logs, then that means my machine is compromised.

    I don't think it's Windows that's creating the hooks...there is no reason to hook internet-related functions like that....



    Anyone care to analyze the hooks and tell me what the heck they're doing?
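    One way to start triaging a log like this before deciding between "Windows did it" and "a rootkit did it" is to parse the intercepted lines and look at where each resolved address lands. The script below is an added example written for this thread, not AVZ code and not anything posted by the original poster; the sample lines embedded in it are constructed in the AVZ4 format (addresses copied from the quoted log), and the 1 MiB "same module" window is an assumption, not something AVZ computes. The point it makes visible: the `ProcAddressHijack.GetProcAddress` entries split into two groups, those whose resolved address sits next to netapi32's own export stubs (0x7243xxxx/0x7244xxxx) and those that land far away (0x6E6xxxxx, 0x7310xxxx). Far-away targets are what export forwarders look like, and on Windows 7 netapi32.dll does forward many of its exports to other system DLLs (srvcli.dll, wkscli.dll, netutils.dll and others), which is exactly the situation AVZ's GetProcAddress comparison reports. The `APICodeHijack.JmpTo[1002xxxx]` entries are a different animal: an inline patch jumping into a module loaded at 0x10000000, the default image base for a DLL, so the next step there is listing loaded modules in the scanned process and seeing which one owns that address range.

```python
"""Triage of AVZ 'intercepted' lines: group hooks by module and label where the
resolved address lands relative to the exporting module's own export stubs."""
import re
from collections import defaultdict

# Constructed sample in the format AVZ4 prints; addresses copied from the thread's log.
SAMPLE_LOG = """\
Function kernel32.dll:CreateFileA (138) intercepted, method APICodeHijack.JmpTo[1002CC76]
Function kernel32.dll:CreateProcessA (166) intercepted, method APICodeHijack.JmpTo[10028316]
Function netapi32.dll:NetApiBufferSize (104) intercepted, method ProcAddressHijack.GetProcAddress ->72444682->72433771
Function netapi32.dll:NetBrowserStatisticsGet (108) intercepted, method ProcAddressHijack.GetProcAddress ->7244469C->6E6A2801
Function netapi32.dll:NetConnectionEnum (112) intercepted, method ProcAddressHijack.GetProcAddress ->724446BC->73105521
Function netapi32.dll:NetDfsAdd (113) intercepted, method ProcAddressHijack.GetProcAddress ->724446D5->6E6978FD
Function netapi32.dll:NetUserAdd (251) intercepted, method ProcAddressHijack.GetProcAddress ->72445222->7241464F
"""

# Matches both AVZ shapes: "...JmpTo[ADDR]" and "...GetProcAddress ->EXPORT->RESOLVED".
LINE_RE = re.compile(
    r"Function (?P<module>[^:\s]+):(?P<func>\S+) \((?P<ordinal>\d+)\) intercepted, "
    r"method (?P<method>\w+\.\w+)"
    r"(?:\[(?P<jmp>[0-9A-Fa-f]+)\]| ->(?P<export>[0-9A-Fa-f]+)->(?P<resolved>[0-9A-Fa-f]+))"
)

# Assumed heuristic: a resolved address more than 1 MiB away from the module's own
# export stubs is treated as living in another module. Confirm against a module
# list from the live system before drawing conclusions.
SAME_MODULE_WINDOW = 0x100000


def parse_hooks(text):
    """Return one dict per 'intercepted' line; lines that do not match are skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "module": d["module"],
            "func": d["func"],
            "ordinal": int(d["ordinal"]),
            "method": d["method"],
            # JmpTo carries only the jump target; GetProcAddress entries carry the
            # export-table address and the address GetProcAddress actually returned.
            "export": int(d["export"], 16) if d["export"] else None,
            "target": int(d["jmp"] or d["resolved"], 16),
        })
    return hooks


def triage(hooks, window=SAME_MODULE_WINDOW):
    """Group hooks per module; label GetProcAddress entries 'inside' (resolves near
    the module's own export stubs) or 'outside' (lands elsewhere, forwarder-like),
    and inline patches 'jmp'."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[h["module"]].append(h)
    report = {}
    for module, entries in by_module.items():
        exports = [h["export"] for h in entries if h["export"] is not None]
        lo, hi = (min(exports), max(exports)) if exports else (None, None)
        labelled = []
        for h in entries:
            if h["export"] is None:
                label = "jmp"       # inline patch: find the module owning h["target"]
            elif lo - window <= h["target"] <= hi + window:
                label = "inside"
            else:
                label = "outside"   # typical of an export forwarded to another DLL
            labelled.append((h["func"], h["method"], h["target"], label))
        report[module] = labelled
    return report


def summarize(report):
    """Per-module counts of each label: the part worth reading first."""
    return {m: {lbl: sum(1 for e in v if e[3] == lbl) for lbl in ("jmp", "inside", "outside")}
            for m, v in report.items()}


if __name__ == "__main__":
    rep = triage(parse_hooks(SAMPLE_LOG))
    for module, entries in rep.items():
        print(module)
        for func, method, target, label in entries:
            print(f"  {func:<26} {method:<33} {target:08X}  {label}")
    print(summarize(rep))
```

    Feed it the whole AVZ log instead of the sample and the "outside" group for netapi32.dll will contain the bulk of the entries quoted above; each distinct high-order address range in that group is a candidate for one forwarded-to DLL, which a module listing from the scanned process can confirm or refute. Hooks that survive that check, i.e. resolve into a module that does not belong to Windows or to a security product you installed, are the ones worth the deeper look.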
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    your answer
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  4. agiantt

    agiantt Registered Member

    Joined:
    Dec 28, 2010
    Posts:
    2
    Windows doesn't have hooks unless a program installs them. For example, when I scan a fresh install of Windows Vista with the AVZ4 utility there are no hooks found.

    That's a lot of hooks on multiple files...has to be a reason why.

    I googled "Windows Enterprise hooks" and some other keywords, but nothing.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    If it's a fresh install and you're using AVZ to scan for rootkits (I wonder why), then have you considered a possibility of these hooks coming from AVZ itself seeing that you are seemingly running this on a 64-bit system where there exists PatchGuard? I'm making a wild guess here...
     
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    You should try other tools.
    Kernel Detective is very good for what you want. Even has its own debugger so you can see the assembly code of the hooks and follow the jumps.

    Meriadoc is one of those plugged in types, when Meriadoc makes a statement take the time to understand it or ask for clarification.

    As for Microsoft, wouldn't that be for the purpose of gathering usage statistics from those who download the trial OS?
     