Hooks

Discussion in 'malware problems & news' started by agiantt, Dec 28, 2010.

Thread Status:
Not open for further replies.
  1. agiantt

    agiantt Registered Member

    Joined:
    Dec 28, 2010
    Posts:
    2
    Hi everyone. I came here to get these hooks analyzed to see if it's possible rootkit.

    This is from an avz4 log after an extended scan.

    Code:
    1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:CopyFileA (114) intercepted, method APICodeHijack.JmpTo[1002CC36]
Function kernel32.dll:CopyFileExA (115) intercepted, method APICodeHijack.JmpTo[1002CBF6]
Function kernel32.dll:CopyFileExW (116) intercepted, method APICodeHijack.JmpTo[1002CBD6]
Function kernel32.dll:CopyFileW (119) intercepted, method APICodeHijack.JmpTo[1002CC16]
Function kernel32.dll:CreateFileA (138) intercepted, method APICodeHijack.JmpTo[1002CC76]
Function kernel32.dll:CreateFileW (145) intercepted, method APICodeHijack.JmpTo[1002CC56]
Function kernel32.dll:CreateProcessA (166) intercepted, method APICodeHijack.JmpTo[10028316]
Function kernel32.dll:CreateProcessW (170) intercepted, method APICodeHijack.JmpTo[10027786]
Function kernel32.dll:DeleteFileA (213) intercepted, method APICodeHijack.JmpTo[1002CAF6]
Function kernel32.dll:DeleteFileW (216) intercepted, method APICodeHijack.JmpTo[1002CAD6]
Function kernel32.dll:GetModuleHandleA (535) intercepted, method APICodeHijack.JmpTo[1002CAB6]
Function kernel32.dll:GetModuleHandleW (538) intercepted, method APICodeHijack.JmpTo[1002CA96]
Function kernel32.dll:GetProcAddress (583) intercepted, method APICodeHijack.JmpTo[1002CD16]
Function kernel32.dll:LoadLibraryA (829) intercepted, method APICodeHijack.JmpTo[1002CA76]
Function kernel32.dll:LoadLibraryExA (830) intercepted, method APICodeHijack.JmpTo[1002CCD6]
Function kernel32.dll:LoadLibraryExW (831) intercepted, method APICodeHijack.JmpTo[1002CCB6]
Function kernel32.dll:LoadLibraryW (832) intercepted, method APICodeHijack.JmpTo[1002CA56]
Function kernel32.dll:LoadModule (833) intercepted, method APICodeHijack.JmpTo[1002CCF6]
Function kernel32.dll:MoveFileA (863) intercepted, method APICodeHijack.JmpTo[1002CBB6]
Function kernel32.dll:MoveFileExA (864) intercepted, method APICodeHijack.JmpTo[1002CB76]
Function kernel32.dll:MoveFileExW (865) intercepted, method APICodeHijack.JmpTo[1002CB56]
Function kernel32.dll:MoveFileW (868) intercepted, method APICodeHijack.JmpTo[1002CB96]
Function kernel32.dll:MoveFileWithProgressA (869) intercepted, method APICodeHijack.JmpTo[1002CB36]
Function kernel32.dll:MoveFileWithProgressW (870) intercepted, method APICodeHijack.JmpTo[1002CB16]
Function kernel32.dll:OpenFile (887) intercepted, method APICodeHijack.JmpTo[1002CC96]
Function kernel32.dll:WinExec (1299) intercepted, method APICodeHijack.JmpTo[1002CA36]
 Analysis: ntdll.dll, export table found in section .text
Function ntdll.dll:LdrGetProcedureAddress (130) intercepted, method APICodeHijack.JmpTo[1002CD36]
Function ntdll.dll:LdrLoadDll (137) intercepted, method APICodeHijack.JmpTo[1002A626]
Function ntdll.dll:LdrUnloadDll (161) intercepted, method APICodeHijack.JmpTo[1001CE36]
Function ntdll.dll:NtAdjustPrivilegesToken (190) intercepted, method APICodeHijack.JmpTo[100206A6]
Function ntdll.dll:NtAllocateVirtualMemory (197) intercepted, method APICodeHijack.JmpTo[1002CDF6]
Function ntdll.dll:NtAlpcConnectPort (200) intercepted, method APICodeHijack.JmpTo[100210C6]
Function ntdll.dll:NtClose (228) intercepted, method APICodeHijack.JmpTo[1001CD16]
Function ntdll.dll:NtConnectPort (237) intercepted, method APICodeHijack.JmpTo[10023BF6]
Function ntdll.dll:NtCreateEvent (242) intercepted, method APICodeHijack.JmpTo[10020256]
Function ntdll.dll:NtCreateFile (244) intercepted, method APICodeHijack.JmpTo[1002CDB6]
Function ntdll.dll:NtCreateMutant (252) intercepted, method APICodeHijack.JmpTo[100202A6]
Function ntdll.dll:NtCreateProcess (257) intercepted, method APICodeHijack.JmpTo[1002CE76]
Function ntdll.dll:NtCreateProcessEx (258) intercepted, method APICodeHijack.JmpTo[1002CE56]
Function ntdll.dll:NtCreateSection (262) intercepted, method APICodeHijack.JmpTo[10022A76]
Function ntdll.dll:NtCreateSemaphore (263) intercepted, method APICodeHijack.JmpTo[10020206]
Function ntdll.dll:NtCreateSymbolicLinkObject (264) intercepted, method APICodeHijack.JmpTo[100202C6]
Function ntdll.dll:NtCreateThread (265) intercepted, method APICodeHijack.JmpTo[100243C6]
Function ntdll.dll:NtCreateThreadEx (266) intercepted, method APICodeHijack.JmpTo[10020D26]
Function ntdll.dll:NtDeleteFile (281) intercepted, method APICodeHijack.JmpTo[1002CE16]
Function ntdll.dll:NtFreeVirtualMemory (310) intercepted, method APICodeHijack.JmpTo[1002C486]
Function ntdll.dll:NtLoadDriver (335) intercepted, method APICodeHijack.JmpTo[1002CDD6]
Function ntdll.dll:NtMakeTemporaryObject (344) intercepted, method APICodeHijack.JmpTo[10023566]
Function ntdll.dll:NtOpenEvent (357) intercepted, method APICodeHijack.JmpTo[10020236]
Function ntdll.dll:NtOpenFile (359) intercepted, method APICodeHijack.JmpTo[1002CD96]
Function ntdll.dll:NtOpenMutant (367) intercepted, method APICodeHijack.JmpTo[10020286]
Function ntdll.dll:NtOpenSection (374) intercepted, method APICodeHijack.JmpTo[100230A6]
Function ntdll.dll:NtOpenSemaphore (375) intercepted, method APICodeHijack.JmpTo[100201E6]
Function ntdll.dll:NtProtectVirtualMemory (395) intercepted, method APICodeHijack.JmpTo[1002C436]
Function ntdll.dll:NtSetInformationProcess (513) intercepted, method APICodeHijack.JmpTo[1002CD56]
Function ntdll.dll:NtSetSystemInformation (530) intercepted, method APICodeHijack.JmpTo[100237A6]
Function ntdll.dll:NtShutdownSystem (540) intercepted, method APICodeHijack.JmpTo[10020956]
Function ntdll.dll:NtSystemDebugControl (548) intercepted, method APICodeHijack.JmpTo[10023366]
Function ntdll.dll:NtTerminateProcess (550) intercepted, method APICodeHijack.JmpTo[10023F66]
Function ntdll.dll:NtTerminateThread (551) intercepted, method APICodeHijack.JmpTo[10024186]
Function ntdll.dll:NtUnloadDriver (559) intercepted, method APICodeHijack.JmpTo[1002CD76]
Function ntdll.dll:NtWriteVirtualMemory (598) intercepted, method APICodeHijack.JmpTo[1002CE36]
Function ntdll.dll:RtlAllocateHeap (645) intercepted, method APICodeHijack.JmpTo[1002C4D6]
Function ntdll.dll:ZwAdjustPrivilegesToken (1441) intercepted, method APICodeHijack.JmpTo[100206A6]
Function ntdll.dll:ZwAllocateVirtualMemory (1448) intercepted, method APICodeHijack.JmpTo[1002CDF6]
Function ntdll.dll:ZwAlpcConnectPort (1451) intercepted, method APICodeHijack.JmpTo[100210C6]
Function ntdll.dll:ZwClose (1479) intercepted, method APICodeHijack.JmpTo[1001CD16]
Function ntdll.dll:ZwConnectPort (1488) intercepted, method APICodeHijack.JmpTo[10023BF6]
Function ntdll.dll:ZwCreateEvent (1493) intercepted, method APICodeHijack.JmpTo[10020256]
Function ntdll.dll:ZwCreateFile (1495) intercepted, method APICodeHijack.JmpTo[1002CDB6]
Function ntdll.dll:ZwCreateMutant (1503) intercepted, method APICodeHijack.JmpTo[100202A6]
Function ntdll.dll:ZwCreateProcess (1508) intercepted, method APICodeHijack.JmpTo[1002CE76]
Function ntdll.dll:ZwCreateProcessEx (1509) intercepted, method APICodeHijack.JmpTo[1002CE56]
Function ntdll.dll:ZwCreateSection (1513) intercepted, method APICodeHijack.JmpTo[10022A76]
Function ntdll.dll:ZwCreateSemaphore (1514) intercepted, method APICodeHijack.JmpTo[10020206]
Function ntdll.dll:ZwCreateSymbolicLinkObject (1515) intercepted, method APICodeHijack.JmpTo[100202C6]
Function ntdll.dll:ZwCreateThread (1516) intercepted, method APICodeHijack.JmpTo[100243C6]
Function ntdll.dll:ZwCreateThreadEx (1517) intercepted, method APICodeHijack.JmpTo[10020D26]
Function ntdll.dll:ZwDeleteFile (1531) intercepted, method APICodeHijack.JmpTo[1002CE16]
Function ntdll.dll:ZwFreeVirtualMemory (1560) intercepted, method APICodeHijack.JmpTo[1002C486]
Function ntdll.dll:ZwLoadDriver (1584) intercepted, method APICodeHijack.JmpTo[1002CDD6]
Function ntdll.dll:ZwMakeTemporaryObject (1593) intercepted, method APICodeHijack.JmpTo[10023566]
Function ntdll.dll:ZwOpenEvent (1606) intercepted, method APICodeHijack.JmpTo[10020236]
Function ntdll.dll:ZwOpenFile (1608) intercepted, method APICodeHijack.JmpTo[1002CD96]
Function ntdll.dll:ZwOpenMutant (1616) intercepted, method APICodeHijack.JmpTo[10020286]
Function ntdll.dll:ZwOpenSection (1623) intercepted, method APICodeHijack.JmpTo[100230A6]
Function ntdll.dll:ZwOpenSemaphore (1624) intercepted, method APICodeHijack.JmpTo[100201E6]
Function ntdll.dll:ZwProtectVirtualMemory (1644) intercepted, method APICodeHijack.JmpTo[1002C436]
Function ntdll.dll:ZwSetInformationProcess (1762) intercepted, method APICodeHijack.JmpTo[1002CD56]
Function ntdll.dll:ZwSetSystemInformation (1779) intercepted, method APICodeHijack.JmpTo[100237A6]
Function ntdll.dll:ZwShutdownSystem (1789) intercepted, method APICodeHijack.JmpTo[10020956]
Function ntdll.dll:ZwSystemDebugControl (1797) intercepted, method APICodeHijack.JmpTo[10023366]
Function ntdll.dll:ZwTerminateProcess (1799) intercepted, method APICodeHijack.JmpTo[10023F66]
Function ntdll.dll:ZwTerminateThread (1800) intercepted, method APICodeHijack.JmpTo[10024186]
Function ntdll.dll:ZwUnloadDriver (1808) intercepted, method APICodeHijack.JmpTo[1002CD76]
Function ntdll.dll:ZwWriteVirtualMemory (1847) intercepted, method APICodeHijack.JmpTo[1002CE36]
 Analysis: user32.dll, export table found in section .text
Function user32.dll:BlockInput (1517) intercepted, method APICodeHijack.JmpTo[10018176]
Function user32.dll:DefDlgProcA (1657) intercepted, method ProcAddressHijack.GetProcAddress ->767A5F5A->77028944
Function user32.dll:DefDlgProcW (1658) intercepted, method ProcAddressHijack.GetProcAddress ->767A5F75->77013F54
Function user32.dll:DefWindowProcA (1664) intercepted, method ProcAddressHijack.GetProcAddress ->767A5F90->76FF2893
Function user32.dll:DefWindowProcW (1665) intercepted, method ProcAddressHijack.GetProcAddress ->767A5FAB->76FE247D
Function user32.dll:EnableWindow (1725) intercepted, method APICodeHijack.JmpTo[10017A96]
Function user32.dll:EndTask (1730) intercepted, method APICodeHijack.JmpTo[1002E3B6]
Function user32.dll:ExitWindowsEx (1754) intercepted, method APICodeHijack.JmpTo[10017886]
Function user32.dll:GetAsyncKeyState (1772) intercepted, method APICodeHijack.JmpTo[10018D16]
Function user32.dll:GetClipboardData (1787) intercepted, method APICodeHijack.JmpTo[10017F66]
Function user32.dll:GetKeyState (1826) intercepted, method APICodeHijack.JmpTo[10018FC6]
Function user32.dll:GetKeyboardState (1831) intercepted, method APICodeHijack.JmpTo[10019276]
Function user32.dll:MoveWindow (2052) intercepted, method APICodeHijack.JmpTo[10018816]
Function user32.dll:PostMessageA (2078) intercepted, method APICodeHijack.JmpTo[1001BAB6]
Function user32.dll:PostMessageW (2079) intercepted, method APICodeHijack.JmpTo[1001B816]
Function user32.dll:PostThreadMessageA (2081) intercepted, method APICodeHijack.JmpTo[1001B576]
Function user32.dll:PostThreadMessageW (2082) intercepted, method APICodeHijack.JmpTo[1001B2D6]
Function user32.dll:RegisterHotKey (2111) intercepted, method APICodeHijack.JmpTo[10017D36]
Function user32.dll:RegisterRawInputDevices (2115) intercepted, method APICodeHijack.JmpTo[10018AF6]
Function user32.dll:SendDlgItemMessageA (2139) intercepted, method APICodeHijack.JmpTo[10019AA6]
Function user32.dll:SendDlgItemMessageW (2140) intercepted, method APICodeHijack.JmpTo[100197F6]
Function user32.dll:SendInput (2143) intercepted, method APICodeHijack.JmpTo[10019526]
Function user32.dll:SendMessageA (2144) intercepted, method APICodeHijack.JmpTo[1001B036]
Function user32.dll:SendMessageCallbackA (2145) intercepted, method APICodeHijack.JmpTo[1001A556]
Function user32.dll:SendMessageCallbackW (2146) intercepted, method APICodeHijack.JmpTo[1001A296]
Function user32.dll:SendMessageTimeoutA (2147) intercepted, method APICodeHijack.JmpTo[1001AAD6]
Function user32.dll:SendMessageTimeoutW (2148) intercepted, method APICodeHijack.JmpTo[1001A816]
Function user32.dll:SendMessageW (2149) intercepted, method APICodeHijack.JmpTo[1001AD96]
Function user32.dll:SendNotifyMessageA (2150) intercepted, method APICodeHijack.JmpTo[10019FF6]
Function user32.dll:SendNotifyMessageW (2151) intercepted, method APICodeHijack.JmpTo[10019D56]
Function user32.dll:SetClipboardViewer (2160) intercepted, method APICodeHijack.JmpTo[10018376]
Function user32.dll:SetParent (2191) intercepted, method APICodeHijack.JmpTo[10018576]
Function user32.dll:SetWinEventHook (2216) intercepted, method APICodeHijack.JmpTo[1001BD56]
Function user32.dll:SetWindowsHookExA (2231) intercepted, method APICodeHijack.JmpTo[1001C716]
Function user32.dll:SetWindowsHookExW (2232) intercepted, method APICodeHijack.JmpTo[1001C4A6]
Function user32.dll:SystemParametersInfoA (2260) intercepted, method APICodeHijack.JmpTo[1001C286]
Function user32.dll:SystemParametersInfoW (2261) intercepted, method APICodeHijack.JmpTo[1001C066]
Function user32.dll:keybd_event (2329) intercepted, method APICodeHijack.JmpTo[1002B966]
Function user32.dll:mouse_event (2330) intercepted, method APICodeHijack.JmpTo[1002B756]
 Analysis: advapi32.dll, export table found in section .text
Function advapi32.dll:AddMandatoryAce (1029) intercepted, method ProcAddressHijack.GetProcAddress ->764F24B5->765DC334
Function advapi32.dll:CreateProcessAsUserA (1125) intercepted, method APICodeHijack.JmpTo[10026BE6]
Function advapi32.dll:I_QueryTagInformation (1361) intercepted, method ProcAddressHijack.GetProcAddress ->764F2655->767772D8
Function advapi32.dll:I_ScIsSecurityProcess (1362) intercepted, method ProcAddressHijack.GetProcAddress ->764F268C->7677733F
Function advapi32.dll:I_ScPnPGetServiceName (1363) intercepted, method ProcAddressHijack.GetProcAddress ->764F26C3->76777C40
Function advapi32.dll:I_ScQueryServiceConfig (1364) intercepted, method ProcAddressHijack.GetProcAddress ->764F26FA->76775F8A
Function advapi32.dll:I_ScSendPnPMessage (1365) intercepted, method ProcAddressHijack.GetProcAddress ->764F2732->76775E7D
Function advapi32.dll:I_ScSendTSMessage (1366) intercepted, method ProcAddressHijack.GetProcAddress ->764F2766->767771C5
Function advapi32.dll:I_ScValidatePnPService (1369) intercepted, method ProcAddressHijack.GetProcAddress ->764F2799->76776B9D
Function advapi32.dll:IsValidRelativeSecurityDescriptor (1389) intercepted, method ProcAddressHijack.GetProcAddress ->764F27D1->765DC5DF
Function advapi32.dll:PerfCreateInstance (1515) intercepted, method ProcAddressHijack.GetProcAddress ->764F2858->6E702187
Function advapi32.dll:PerfDecrementULongCounterValue (1516) intercepted, method ProcAddressHijack.GetProcAddress ->764F2871->6E702A1D
Function advapi32.dll:PerfDecrementULongLongCounterValue (1517) intercepted, method ProcAddressHijack.GetProcAddress ->764F2896->6E702B3C
Function advapi32.dll:PerfDeleteInstance (1519) intercepted, method ProcAddressHijack.GetProcAddress ->764F28BF->6E702259
Function advapi32.dll:PerfIncrementULongCounterValue (1522) intercepted, method ProcAddressHijack.GetProcAddress ->764F28D8->6E7027B9
Function advapi32.dll:PerfIncrementULongLongCounterValue (1523) intercepted, method ProcAddressHijack.GetProcAddress ->764F28FD->6E7028D6
Function advapi32.dll:PerfQueryInstance (1528) intercepted, method ProcAddressHijack.GetProcAddress ->764F2926->6E702373
Function advapi32.dll:PerfSetCounterRefValue (1529) intercepted, method ProcAddressHijack.GetProcAddress ->764F293E->6E702447
Function advapi32.dll:PerfSetCounterSetInfo (1530) intercepted, method ProcAddressHijack.GetProcAddress ->764F295B->6E7020B0
Function advapi32.dll:PerfSetULongCounterValue (1531) intercepted, method ProcAddressHijack.GetProcAddress ->764F2977->6E702565
Function advapi32.dll:PerfSetULongLongCounterValue (1532) intercepted, method ProcAddressHijack.GetProcAddress ->764F2996->6E702680
Function advapi32.dll:PerfStartProvider (1533) intercepted, method ProcAddressHijack.GetProcAddress ->764F29B9->6E701FED
Function advapi32.dll:PerfStartProviderEx (1534) intercepted, method ProcAddressHijack.GetProcAddress ->764F29D1->6E701F34
Function advapi32.dll:PerfStopProvider (1535) intercepted, method ProcAddressHijack.GetProcAddress ->764F29EB->6E702026
Function advapi32.dll:SystemFunction035 (1753) intercepted, method ProcAddressHijack.GetProcAddress ->764F2A3C->730C3EA8
 Analysis: ws2_32.dll, export table found in section .text
Function ws2_32.dll:WSASocketA (99) intercepted, method APICodeHijack.JmpTo[1002C936]
 Analysis: wininet.dll, export table found in section .text
Function wininet.dll:InternetConnectA (231) intercepted, method APICodeHijack.JmpTo[1002C976]
Function wininet.dll:InternetConnectW (232) intercepted, method APICodeHijack.JmpTo[1002C956]
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
Function urlmon.dll:URLDownloadToCacheFileA (216) intercepted, method APICodeHijack.JmpTo[1002C8B6]
Function urlmon.dll:URLDownloadToCacheFileW (217) intercepted, method APICodeHijack.JmpTo[1002C896]
Function urlmon.dll:URLDownloadToFileA (218) intercepted, method APICodeHijack.JmpTo[1002C8F6]
Function urlmon.dll:URLDownloadToFileW (219) intercepted, method APICodeHijack.JmpTo[1002C8D6]
 Analysis: netapi32.dll, export table found in section .text
Function netapi32.dll:DavAddConnection (1) intercepted, method ProcAddressHijack.GetProcAddress ->72443B10->6E6F29DD
Function netapi32.dll:DavDeleteConnection (2) intercepted, method ProcAddressHijack.GetProcAddress ->72443B29->6E6F181B
Function netapi32.dll:DavFlushFile (3) intercepted, method ProcAddressHijack.GetProcAddress ->72443B45->6E6F1713
Function netapi32.dll:DavGetExtendedError (4) intercepted, method ProcAddressHijack.GetProcAddress ->72443B5A->6E6F2347
Function netapi32.dll:DavGetHTTPFromUNCPath (5) intercepted, method ProcAddressHijack.GetProcAddress ->72443B76->6E6F275B
Function netapi32.dll:DavGetUNCFromHTTPPath (6) intercepted, method ProcAddressHijack.GetProcAddress ->72443B94->6E6F257D
Function netapi32.dll:DsAddressToSiteNamesA (7) intercepted, method ProcAddressHijack.GetProcAddress ->72443BB2->6E6D4A4D
Function netapi32.dll:DsAddressToSiteNamesExA (8) intercepted, method ProcAddressHijack.GetProcAddress ->72443BD1->6E6D4D79
Function netapi32.dll:DsAddressToSiteNamesExW (9) intercepted, method ProcAddressHijack.GetProcAddress ->72443BF2->6E6D5049
Function netapi32.dll:DsAddressToSiteNamesW (10) intercepted, method ProcAddressHijack.GetProcAddress ->72443C13->6E6D4C29
Function netapi32.dll:DsDeregisterDnsHostRecordsA (11) intercepted, method ProcAddressHijack.GetProcAddress ->72443C32->6E6D6DD9
Function netapi32.dll:DsDeregisterDnsHostRecordsW (12) intercepted, method ProcAddressHijack.GetProcAddress ->72443C57->6E6D6D59
Function netapi32.dll:DsEnumerateDomainTrustsA (13) intercepted, method ProcAddressHijack.GetProcAddress ->72443C7C->6E6D6771
Function netapi32.dll:DsEnumerateDomainTrustsW (14) intercepted, method ProcAddressHijack.GetProcAddress ->72443C9E->6E6C60BC
Function netapi32.dll:DsGetDcCloseW (15) intercepted, method ProcAddressHijack.GetProcAddress ->72443CC0->6E6D495D
Function netapi32.dll:DsGetDcNameA (16) intercepted, method ProcAddressHijack.GetProcAddress ->72443CD7->6E6D5BB2
Function netapi32.dll:DsGetDcNameW (17) intercepted, method ProcAddressHijack.GetProcAddress ->72443CED->6E6C4CA8
Function netapi32.dll:DsGetDcNameWithAccountA (18) intercepted, method ProcAddressHijack.GetProcAddress ->72443D03->6E6D55E9
Function netapi32.dll:DsGetDcNameWithAccountW (19) intercepted, method ProcAddressHijack.GetProcAddress ->72443D24->6E6C4CD1
Function netapi32.dll:DsGetDcNextA (20) intercepted, method ProcAddressHijack.GetProcAddress ->72443D45->6E6D4896
Function netapi32.dll:DsGetDcNextW (21) intercepted, method ProcAddressHijack.GetProcAddress ->72443D5B->6E6D47ED
Function netapi32.dll:DsGetDcOpenA (22) intercepted, method ProcAddressHijack.GetProcAddress ->72443D71->6E6D473D
Function netapi32.dll:DsGetDcOpenW (23) intercepted, method ProcAddressHijack.GetProcAddress ->72443D87->6E6D46AB
Function netapi32.dll:DsGetDcSiteCoverageA (24) intercepted, method ProcAddressHijack.GetProcAddress ->72443D9D->6E6D5239
Function netapi32.dll:DsGetDcSiteCoverageW (25) intercepted, method ProcAddressHijack.GetProcAddress ->72443DBB->6E6D5409
Function netapi32.dll:DsGetForestTrustInformationW (26) intercepted, method ProcAddressHijack.GetProcAddress ->72443DD9->6E6D6E6F
Function netapi32.dll:DsGetSiteNameA (27) intercepted, method ProcAddressHijack.GetProcAddress ->72443DFF->6E6D5B39
Function netapi32.dll:DsGetSiteNameW (28) intercepted, method ProcAddressHijack.GetProcAddress ->72443E17->6E6C5F24
Function netapi32.dll:DsMergeForestTrustInformationW (29) intercepted, method ProcAddressHijack.GetProcAddress ->72443E2F->6E6D6F71
Function netapi32.dll:DsRoleAbortDownlevelServerUpgrade (30) intercepted, method ProcAddressHijack.GetProcAddress ->72443E57->6E6B4339
Function netapi32.dll:DsRoleCancel (31) intercepted, method ProcAddressHijack.GetProcAddress ->72443E80->6E6B34A9
Function netapi32.dll:DsRoleDcAsDc (32) intercepted, method ProcAddressHijack.GetProcAddress ->72443E94->6E6B3EAD
Function netapi32.dll:DsRoleDcAsReplica (33) intercepted, method ProcAddressHijack.GetProcAddress ->72443EA8->6E6B3F99
Function netapi32.dll:DsRoleDemoteDc (34) intercepted, method ProcAddressHijack.GetProcAddress ->72443EC1->6E6B4189
Function netapi32.dll:DsRoleDnsNameToFlatName (35) intercepted, method ProcAddressHijack.GetProcAddress ->72443ED7->6E6B32B5
Function netapi32.dll:DsRoleFreeMemory (36) intercepted, method ProcAddressHijack.GetProcAddress ->72443EF6->6E6B19A9
Function netapi32.dll:DsRoleGetDatabaseFacts (37) intercepted, method ProcAddressHijack.GetProcAddress ->72443F0E->6E6B3651
Function netapi32.dll:DsRoleGetDcOperationProgress (38) intercepted, method ProcAddressHijack.GetProcAddress ->72443F2C->6E6B3351
Function netapi32.dll:DsRoleGetDcOperationResults (39) intercepted, method ProcAddressHijack.GetProcAddress ->72443F50->6E6B3401
Function netapi32.dll:DsRoleGetPrimaryDomainInformation (40) intercepted, method ProcAddressHijack.GetProcAddress ->72443F73->6E6B1F3D
Function netapi32.dll:DsRoleIfmHandleFree (41) intercepted, method ProcAddressHijack.GetProcAddress ->72443F9C->6E6B3539
Function netapi32.dll:DsRoleServerSaveStateForUpgrade (42) intercepted, method ProcAddressHijack.GetProcAddress ->72443FB7->6E6B35C9
Function netapi32.dll:DsRoleUpgradeDownlevelServer (43) intercepted, method ProcAddressHijack.GetProcAddress ->72443FDE->6E6B4261
Function netapi32.dll:DsValidateSubnetNameA (44) intercepted, method ProcAddressHijack.GetProcAddress ->72444002->6E6D5AF9
Function netapi32.dll:DsValidateSubnetNameW (45) intercepted, method ProcAddressHijack.GetProcAddress ->72444021->6E6D49E1
Function netapi32.dll:I_BrowserDebugCall (46) intercepted, method ProcAddressHijack.GetProcAddress ->72444040->6E6A24A9
Function netapi32.dll:I_BrowserDebugTrace (47) intercepted, method ProcAddressHijack.GetProcAddress ->7244405B->6E6A2581
Function netapi32.dll:I_BrowserQueryEmulatedDomains (48) intercepted, method ProcAddressHijack.GetProcAddress ->72444077->6E6A29F9
Function netapi32.dll:I_BrowserQueryOtherDomains (49) intercepted, method ProcAddressHijack.GetProcAddress ->7244409D->6E6A22C1
Function netapi32.dll:I_BrowserQueryStatistics (50) intercepted, method ProcAddressHijack.GetProcAddress ->724440C0->6E6A2651
Function netapi32.dll:I_BrowserResetNetlogonState (51) intercepted, method ProcAddressHijack.GetProcAddress ->724440E1->6E6A23D1
Function netapi32.dll:I_BrowserResetStatistics (52) intercepted, method ProcAddressHijack.GetProcAddress ->72444105->6E6A2729
Function netapi32.dll:I_BrowserServerEnum (53) intercepted, method ProcAddressHijack.GetProcAddress ->72444126->6E6A20BF
Function netapi32.dll:I_BrowserSetNetlogonState (54) intercepted, method ProcAddressHijack.GetProcAddress ->72444142->6E6A2919
Function netapi32.dll:I_DsUpdateReadOnlyServerDnsRecords (55) intercepted, method ProcAddressHijack.GetProcAddress ->72444164->6E6D5569
Function netapi32.dll:I_NetAccountDeltas (56) intercepted, method ProcAddressHijack.GetProcAddress ->72444190->6E6D63AB
Function netapi32.dll:I_NetAccountSync (57) intercepted, method ProcAddressHijack.GetProcAddress ->724441AC->6E6D63AB
Function netapi32.dll:I_NetChainSetClientAttributes (59) intercepted, method ProcAddressHijack.GetProcAddress ->724441C6->6E6D6FA6
Function netapi32.dll:I_NetChainSetClientAttributes2 (58) intercepted, method ProcAddressHijack.GetProcAddress ->724441ED->6E6D7029
Function netapi32.dll:I_NetDatabaseDeltas (60) intercepted, method ProcAddressHijack.GetProcAddress ->72444215->6E6D6391
Function netapi32.dll:I_NetDatabaseRedo (61) intercepted, method ProcAddressHijack.GetProcAddress ->72444232->6E6D6521
Function netapi32.dll:I_NetDatabaseSync (63) intercepted, method ProcAddressHijack.GetProcAddress ->7244424D->6E6D6391
Function netapi32.dll:I_NetDatabaseSync2 (62) intercepted, method ProcAddressHijack.GetProcAddress ->72444268->6E6D639E
Function netapi32.dll:I_NetDfsGetVersion (64) intercepted, method ProcAddressHijack.GetProcAddress ->72444284->73107CA1
Function netapi32.dll:I_NetDfsIsThisADomainName (65) intercepted, method ProcAddressHijack.GetProcAddress ->7244429E->6E694E39
Function netapi32.dll:I_NetGetDCList (66) intercepted, method ProcAddressHijack.GetProcAddress ->724442BF->6E6D5D9C
Function netapi32.dll:I_NetGetForestTrustInformation (67) intercepted, method ProcAddressHijack.GetProcAddress ->724442D7->6E6D6EF1
Function netapi32.dll:I_NetLogonControl (69) intercepted, method ProcAddressHijack.GetProcAddress ->724442FF->6E6D63B8
Function netapi32.dll:I_NetLogonControl2 (68) intercepted, method ProcAddressHijack.GetProcAddress ->7244431A->6E6D6439
Function netapi32.dll:I_NetLogonGetDomainInfo (70) intercepted, method ProcAddressHijack.GetProcAddress ->72444336->6E6C64A4
Function netapi32.dll:I_NetLogonSamLogoff (71) intercepted, method ProcAddressHijack.GetProcAddress ->72444357->6E6D6091
Function netapi32.dll:I_NetLogonSamLogon (72) intercepted, method ProcAddressHijack.GetProcAddress ->72444374->6E6D5F39
Function netapi32.dll:I_NetLogonSamLogonEx (73) intercepted, method ProcAddressHijack.GetProcAddress ->72444390->6E6D5FE1
Function netapi32.dll:I_NetLogonSamLogonWithFlags (74) intercepted, method ProcAddressHijack.GetProcAddress ->724443AE->6E6CB22A
Function netapi32.dll:I_NetLogonSendToSam (75) intercepted, method ProcAddressHijack.GetProcAddress ->724443D3->6E6D6111
Function netapi32.dll:I_NetLogonUasLogoff (76) intercepted, method ProcAddressHijack.GetProcAddress ->724443F0->6E6D5EC9
Function netapi32.dll:I_NetLogonUasLogon (77) intercepted, method ProcAddressHijack.GetProcAddress ->7244440D->6E6D5E53
Function netapi32.dll:I_NetServerAuthenticate (80) intercepted, method ProcAddressHijack.GetProcAddress ->72444429->6E6D6191
Function netapi32.dll:I_NetServerAuthenticate2 (78) intercepted, method ProcAddressHijack.GetProcAddress ->7244444A->6E6D6211
Function netapi32.dll:I_NetServerAuthenticate3 (79) intercepted, method ProcAddressHijack.GetProcAddress ->7244446C->6E6C6393
Function netapi32.dll:I_NetServerGetTrustInfo (81) intercepted, method ProcAddressHijack.GetProcAddress ->7244448E->6E6D6C61
Function netapi32.dll:I_NetServerPasswordGet (82) intercepted, method ProcAddressHijack.GetProcAddress ->724444AF->6E6D6B61
Function netapi32.dll:I_NetServerPasswordSet (84) intercepted, method ProcAddressHijack.GetProcAddress ->724444CF->6E6D6291
Function netapi32.dll:I_NetServerPasswordSet2 (83) intercepted, method ProcAddressHijack.GetProcAddress ->724444EF->6E6D6311
Function netapi32.dll:I_NetServerReqChallenge (85) intercepted, method ProcAddressHijack.GetProcAddress ->72444510->6E6C6424
Function netapi32.dll:I_NetServerSetServiceBits (86) intercepted, method ProcAddressHijack.GetProcAddress ->72444531->7310426D
Function netapi32.dll:I_NetServerSetServiceBitsEx (87) intercepted, method ProcAddressHijack.GetProcAddress ->72444552->73106D11
Function netapi32.dll:I_NetServerTrustPasswordsGet (88) intercepted, method ProcAddressHijack.GetProcAddress ->72444575->6E6D6BE1
Function netapi32.dll:I_NetlogonComputeClientDigest (89) intercepted, method ProcAddressHijack.GetProcAddress ->7244459B->6E6C5C20
Function netapi32.dll:I_NetlogonComputeServerDigest (90) intercepted, method ProcAddressHijack.GetProcAddress ->724445C2->6E6D6AEC
Function netapi32.dll:NetAddAlternateComputerName (97) intercepted, method ProcAddressHijack.GetProcAddress ->724445E9->72425B21
Function netapi32.dll:NetAddServiceAccount (98) intercepted, method ProcAddressHijack.GetProcAddress ->7244460C->6E6D70B1
Function netapi32.dll:NetApiBufferAllocate (101) intercepted, method ProcAddressHijack.GetProcAddress ->7244462A->72431415
Function netapi32.dll:NetApiBufferFree (102) intercepted, method ProcAddressHijack.GetProcAddress ->72444648->724313D2
Function netapi32.dll:NetApiBufferReallocate (103) intercepted, method ProcAddressHijack.GetProcAddress ->72444662->72433729
Function netapi32.dll:NetApiBufferSize (104) intercepted, method ProcAddressHijack.GetProcAddress ->72444682->72433771
Function netapi32.dll:NetBrowserStatisticsGet (108) intercepted, method ProcAddressHijack.GetProcAddress ->7244469C->6E6A2801
Function netapi32.dll:NetConnectionEnum (112) intercepted, method ProcAddressHijack.GetProcAddress ->724446BC->73105521
Function netapi32.dll:NetDfsAdd (113) intercepted, method ProcAddressHijack.GetProcAddress ->724446D5->6E6978FD
Function netapi32.dll:NetDfsAddFtRoot (114) intercepted, method ProcAddressHijack.GetProcAddress ->724446E6->6E696859
Function netapi32.dll:NetDfsAddRootTarget (115) intercepted, method ProcAddressHijack.GetProcAddress ->724446FD->6E697401
Function netapi32.dll:NetDfsAddStdRoot (116) intercepted, method ProcAddressHijack.GetProcAddress ->72444718->6E692B1E
Function netapi32.dll:NetDfsAddStdRootForced (117) intercepted, method ProcAddressHijack.GetProcAddress ->72444730->6E692BB1
Function netapi32.dll:NetDfsEnum (118) intercepted, method ProcAddressHijack.GetProcAddress ->7244474E->6E6970F9
Function netapi32.dll:NetDfsGetClientInfo (119) intercepted, method ProcAddressHijack.GetProcAddress ->72444760->6E693F25
Function netapi32.dll:NetDfsGetDcAddress (120) intercepted, method ProcAddressHijack.GetProcAddress ->7244477B->6E692C51
Function netapi32.dll:NetDfsGetFtContainerSecurity (121) intercepted, method ProcAddressHijack.GetProcAddress ->72444795->6E695363
Function netapi32.dll:NetDfsGetInfo (122) intercepted, method ProcAddressHijack.GetProcAddress ->724447B9->6E692D69
Function netapi32.dll:NetDfsGetSecurity (123) intercepted, method ProcAddressHijack.GetProcAddress ->724447CE->6E697741
Function netapi32.dll:NetDfsGetStdContainerSecurity (124) intercepted, method ProcAddressHijack.GetProcAddress ->724447E7->6E693AD5
Function netapi32.dll:NetDfsGetSupportedNamespaceVersion (125) intercepted, method ProcAddressHijack.GetProcAddress ->7244480C->6E695C19
Function netapi32.dll:NetDfsManagerGetConfigInfo (126) intercepted, method ProcAddressHijack.GetProcAddress ->72444836->6E692E9C
Function netapi32.dll:NetDfsManagerInitialize (127) intercepted, method ProcAddressHijack.GetProcAddress ->72444858->6E692F91
Function netapi32.dll:NetDfsManagerSendSiteInfo (128) intercepted, method ProcAddressHijack.GetProcAddress ->72444877->6E6972C5
Function netapi32.dll:NetDfsMove (129) intercepted, method ProcAddressHijack.GetProcAddress ->72444898->6E695651
Function netapi32.dll:NetDfsRemove (130) intercepted, method ProcAddressHijack.GetProcAddress ->724448AA->6E697A19
Function netapi32.dll:NetDfsRemoveFtRoot (131) intercepted, method ProcAddressHijack.GetProcAddress ->724448BE->6E696A99
Function netapi32.dll:NetDfsRemoveFtRootForced (132) intercepted, method ProcAddressHijack.GetProcAddress ->724448D8->6E696BE5
Function netapi32.dll:NetDfsRemoveRootTarget (133) intercepted, method ProcAddressHijack.GetProcAddress ->724448F8->6E695879
Function netapi32.dll:NetDfsRemoveStdRoot (134) intercepted, method ProcAddressHijack.GetProcAddress ->72444916->6E692CE1
Function netapi32.dll:NetDfsRename (135) intercepted, method ProcAddressHijack.GetProcAddress ->72444931->6E692E91
Function netapi32.dll:NetDfsSetClientInfo (136) intercepted, method ProcAddressHijack.GetProcAddress ->72444945->6E694301
Function netapi32.dll:NetDfsSetFtContainerSecurity (137) intercepted, method ProcAddressHijack.GetProcAddress ->72444960->6E6953AF
Function netapi32.dll:NetDfsSetInfo (138) intercepted, method ProcAddressHijack.GetProcAddress ->72444984->6E696D8B
Function netapi32.dll:NetDfsSetSecurity (139) intercepted, method ProcAddressHijack.GetProcAddress ->72444999->6E697822
Function netapi32.dll:NetDfsSetStdContainerSecurity (140) intercepted, method ProcAddressHijack.GetProcAddress ->724449B2->6E693B24
Function netapi32.dll:NetEnumerateComputerNames (141) intercepted, method ProcAddressHijack.GetProcAddress ->724449D7->72425E39
Function netapi32.dll:NetEnumerateServiceAccounts (142) intercepted, method ProcAddressHijack.GetProcAddress ->724449F8->6E6D7199
Function netapi32.dll:NetEnumerateTrustedDomains (143) intercepted, method ProcAddressHijack.GetProcAddress ->72444A1D->6E6D652E
Function netapi32.dll:NetFileClose (147) intercepted, method ProcAddressHijack.GetProcAddress ->72444A41->73105659
Function netapi32.dll:NetFileEnum (148) intercepted, method ProcAddressHijack.GetProcAddress ->72444A55->73105729
Function netapi32.dll:NetFileGetInfo (149) intercepted, method ProcAddressHijack.GetProcAddress ->72444A68->73105859
Function netapi32.dll:NetGetAnyDCName (150) intercepted, method ProcAddressHijack.GetProcAddress ->72444A7E->6E6D496D
Function netapi32.dll:NetGetDCName (151) intercepted, method ProcAddressHijack.GetProcAddress ->72444A97->6E6D5913
Function netapi32.dll:NetGetDisplayInformationIndex (152) intercepted, method ProcAddressHijack.GetProcAddress ->72444AAD->72414117
Function netapi32.dll:NetGetJoinInformation (153) intercepted, method ProcAddressHijack.GetProcAddress ->72444AD2->72422DC7
Function netapi32.dll:NetGetJoinableOUs (154) intercepted, method ProcAddressHijack.GetProcAddress ->72444AEF->724259D1
Function netapi32.dll:NetGroupAdd (155) intercepted, method ProcAddressHijack.GetProcAddress ->72444B08->724171C3
Function netapi32.dll:NetGroupAddUser (156) intercepted, method ProcAddressHijack.GetProcAddress ->72444B1B->724173AD
Function netapi32.dll:NetGroupDel (157) intercepted, method ProcAddressHijack.GetProcAddress ->72444B32->724173CB
Function netapi32.dll:NetGroupDelUser (158) intercepted, method ProcAddressHijack.GetProcAddress ->72444B45->724173EB
Function netapi32.dll:NetGroupEnum (159) intercepted, method ProcAddressHijack.GetProcAddress ->72444B5C->72417409
Function netapi32.dll:NetGroupGetInfo (160) intercepted, method ProcAddressHijack.GetProcAddress ->72444B70->724178C8
Function netapi32.dll:NetGroupGetUsers (161) intercepted, method ProcAddressHijack.GetProcAddress ->72444B87->72417952
Function netapi32.dll:NetGroupSetInfo (162) intercepted, method ProcAddressHijack.GetProcAddress ->72444B9F->72417C02
Function netapi32.dll:NetGroupSetUsers (163) intercepted, method ProcAddressHijack.GetProcAddress ->72444BB6->72417DAE
Function netapi32.dll:NetIsServiceAccount (164) intercepted, method ProcAddressHijack.GetProcAddress ->72444BCE->6E6D72D9
Function netapi32.dll:NetJoinDomain (165) intercepted, method ProcAddressHijack.GetProcAddress ->72444BEB->724254B9
Function netapi32.dll:NetLocalGroupAdd (166) intercepted, method ProcAddressHijack.GetProcAddress ->72444C00->7241875A
Function netapi32.dll:NetLocalGroupAddMember (167) intercepted, method ProcAddressHijack.GetProcAddress ->72444C18->72418886
Function netapi32.dll:NetLocalGroupAddMembers (168) intercepted, method ProcAddressHijack.GetProcAddress ->72444C36->72418E99
Function netapi32.dll:NetLocalGroupDel (169) intercepted, method ProcAddressHijack.GetProcAddress ->72444C55->724188A4
Function netapi32.dll:NetLocalGroupDelMember (170) intercepted, method ProcAddressHijack.GetProcAddress ->72444C6D->72418928
Function netapi32.dll:NetLocalGroupDelMembers (171) intercepted, method ProcAddressHijack.GetProcAddress ->72444C8B->72418EBD
Function netapi32.dll:NetLocalGroupEnum (172) intercepted, method ProcAddressHijack.GetProcAddress ->72444CAA->72418946
Function netapi32.dll:NetLocalGroupGetInfo (173) intercepted, method ProcAddressHijack.GetProcAddress ->72444CC3->72418CE4
Function netapi32.dll:NetLocalGroupGetMembers (174) intercepted, method ProcAddressHijack.GetProcAddress ->72444CDF->72412265
Function netapi32.dll:NetLocalGroupSetInfo (175) intercepted, method ProcAddressHijack.GetProcAddress ->72444CFE->72418D57
Function netapi32.dll:NetLocalGroupSetMembers (176) intercepted, method ProcAddressHijack.GetProcAddress ->72444D1A->72418E75
Function netapi32.dll:NetLogonGetTimeServiceParentDomain (177) intercepted, method ProcAddressHijack.GetProcAddress ->72444D39->6E6D6CE9
Function netapi32.dll:NetLogonSetServiceBits (178) intercepted, method ProcAddressHijack.GetProcAddress ->72444D65->6E6C603C
Function netapi32.dll:NetProvisionComputerAccount (184) intercepted, method ProcAddressHijack.GetProcAddress ->72444D85->6E67F2D3
Function netapi32.dll:NetQueryDisplayInformation (185) intercepted, method ProcAddressHijack.GetProcAddress ->72444DA9->72413D87
Function netapi32.dll:NetQueryServiceAccount (186) intercepted, method ProcAddressHijack.GetProcAddress ->72444DCB->6E6D7249
Function netapi32.dll:NetRemoteComputerSupports (188) intercepted, method ProcAddressHijack.GetProcAddress ->72444DEB->72432160
Function netapi32.dll:NetRemoteTOD (189) intercepted, method ProcAddressHijack.GetProcAddress ->72444E0E->73106C11
Function netapi32.dll:NetRemoveAlternateComputerName (190) intercepted, method ProcAddressHijack.GetProcAddress ->72444E22->72425C29
Function netapi32.dll:NetRemoveServiceAccount (191) intercepted, method ProcAddressHijack.GetProcAddress ->72444E48->6E6D7129
Function netapi32.dll:NetRenameMachineInDomain (192) intercepted, method ProcAddressHijack.GetProcAddress ->72444E69->72425751
Function netapi32.dll:NetRequestOfflineDomainJoin (208) intercepted, method ProcAddressHijack.GetProcAddress ->72444E89->6E67B52F
Function netapi32.dll:NetScheduleJobAdd (209) intercepted, method ProcAddressHijack.GetProcAddress ->72444EAD->6E6519D1
Function netapi32.dll:NetScheduleJobDel (210) intercepted, method ProcAddressHijack.GetProcAddress ->72444EC8->6E651AC9
Function netapi32.dll:NetScheduleJobEnum (211) intercepted, method ProcAddressHijack.GetProcAddress ->72444EE3->6E651BC1
Function netapi32.dll:NetScheduleJobGetInfo (212) intercepted, method ProcAddressHijack.GetProcAddress ->72444EFF->6E651CE1
Function netapi32.dll:NetServerAliasAdd (213) intercepted, method ProcAddressHijack.GetProcAddress ->72444F1E->73107843
Function netapi32.dll:NetServerAliasDel (214) intercepted, method ProcAddressHijack.GetProcAddress ->72444F37->73107A79
Function netapi32.dll:NetServerAliasEnum (215) intercepted, method ProcAddressHijack.GetProcAddress ->72444F50->73107931
Function netapi32.dll:NetServerComputerNameAdd (216) intercepted, method ProcAddressHijack.GetProcAddress ->72444F6A->73107411
Function netapi32.dll:NetServerComputerNameDel (217) intercepted, method ProcAddressHijack.GetProcAddress ->72444F8A->731076FB
Function netapi32.dll:NetServerDiskEnum (218) intercepted, method ProcAddressHijack.GetProcAddress ->72444FAA->73106559
Function netapi32.dll:NetServerEnum (219) intercepted, method ProcAddressHijack.GetProcAddress ->72444FC3->6E6A2F61
Function netapi32.dll:NetServerEnumEx (220) intercepted, method ProcAddressHijack.GetProcAddress ->72444FD9->6E6A2C5F
Function netapi32.dll:NetServerGetInfo (221) intercepted, method ProcAddressHijack.GetProcAddress ->72444FF1->73103CFA
Function netapi32.dll:NetServerSetInfo (222) intercepted, method ProcAddressHijack.GetProcAddress ->72445009->73106681
Function netapi32.dll:NetServerTransportAdd (223) intercepted, method ProcAddressHijack.GetProcAddress ->72445021->73106851
Function netapi32.dll:NetServerTransportAddEx (224) intercepted, method ProcAddressHijack.GetProcAddress ->7244503E->73107329
Function netapi32.dll:NetServerTransportDel (225) intercepted, method ProcAddressHijack.GetProcAddress ->7244505D->73106A01
Function netapi32.dll:NetServerTransportEnum (226) intercepted, method ProcAddressHijack.GetProcAddress ->7244507A->73106AD9
Function netapi32.dll:NetSessionDel (231) intercepted, method ProcAddressHijack.GetProcAddress ->72445098->73105941
Function netapi32.dll:NetSessionEnum (232) intercepted, method ProcAddressHijack.GetProcAddress ->724450AD->73105A11
Function netapi32.dll:NetSessionGetInfo (233) intercepted, method ProcAddressHijack.GetProcAddress ->724450C3->73105B41
Function netapi32.dll:NetSetPrimaryComputerName (234) intercepted, method ProcAddressHijack.GetProcAddress ->724450DC->72425D31
Function netapi32.dll:NetShareAdd (235) intercepted, method ProcAddressHijack.GetProcAddress ->724450FD->73105C81
Function netapi32.dll:NetShareCheck (236) intercepted, method ProcAddressHijack.GetProcAddress ->72445110->73105E91
Function netapi32.dll:NetShareDel (237) intercepted, method ProcAddressHijack.GetProcAddress ->72445125->73105F81
Function netapi32.dll:NetShareDelEx (238) intercepted, method ProcAddressHijack.GetProcAddress ->72445138->73107B61
Function netapi32.dll:NetShareDelSticky (239) intercepted, method ProcAddressHijack.GetProcAddress ->7244514D->731060D1
Function netapi32.dll:NetShareEnum (240) intercepted, method ProcAddressHijack.GetProcAddress ->72445166->73103F91
Function netapi32.dll:NetShareEnumSticky (241) intercepted, method ProcAddressHijack.GetProcAddress ->7244517A->731061C9
Function netapi32.dll:NetShareGetInfo (242) intercepted, method ProcAddressHijack.GetProcAddress ->72445194->7310433F
Function netapi32.dll:NetShareSetInfo (243) intercepted, method ProcAddressHijack.GetProcAddress ->724451AB->73106341
Function netapi32.dll:NetUnjoinDomain (245) intercepted, method ProcAddressHijack.GetProcAddress ->724451C2->72425641
Function netapi32.dll:NetUseAdd (247) intercepted, method ProcAddressHijack.GetProcAddress ->724451D9->72423693
Function netapi32.dll:NetUseDel (248) intercepted, method ProcAddressHijack.GetProcAddress ->724451EA->72425FA9
Function netapi32.dll:NetUseEnum (249) intercepted, method ProcAddressHijack.GetProcAddress ->724451FB->72423184
Function netapi32.dll:NetUseGetInfo (250) intercepted, method ProcAddressHijack.GetProcAddress ->7244520D->72426039
Function netapi32.dll:NetUserAdd (251) intercepted, method ProcAddressHijack.GetProcAddress ->72445222->7241464F
Function netapi32.dll:NetUserChangePassword (252) intercepted, method ProcAddressHijack.GetProcAddress ->72445234->72415A06
Function netapi32.dll:NetUserDel (253) intercepted, method ProcAddressHijack.GetProcAddress ->72445251->72414826
Function netapi32.dll:NetUserEnum (254) intercepted, method ProcAddressHijack.GetProcAddress ->72445263->724149D6
Function netapi32.dll:NetUserGetGroups (255) intercepted, method ProcAddressHijack.GetProcAddress ->72445276->72414E01
Function netapi32.dll:NetUserGetInfo (256) intercepted, method ProcAddressHijack.GetProcAddress ->7244528E->72411C60
Function netapi32.dll:NetUserGetLocalGroups (257) intercepted, method ProcAddressHijack.GetProcAddress ->724452A4->72412875
Function netapi32.dll:NetUserModalsGet (258) intercepted, method ProcAddressHijack.GetProcAddress ->724452C1->7241206B
Function netapi32.dll:NetUserModalsSet (259) intercepted, method ProcAddressHijack.GetProcAddress ->724452D9->724154AA
Function netapi32.dll:NetUserSetGroups (260) intercepted, method ProcAddressHijack.GetProcAddress ->724452F1->72415095
Function netapi32.dll:NetUserSetInfo (261) intercepted, method ProcAddressHijack.GetProcAddress ->72445309->72414D1D
Function netapi32.dll:NetValidateName (262) intercepted, method ProcAddressHijack.GetProcAddress ->7244531F->72425859
Function netapi32.dll:NetValidatePasswordPolicy (263) intercepted, method ProcAddressHijack.GetProcAddress ->72445336->72419967
Function netapi32.dll:NetValidatePasswordPolicyFree (264) intercepted, method ProcAddressHijack.GetProcAddress ->72445357->72419B6B
Function netapi32.dll:NetWkstaTransportAdd (267) intercepted, method ProcAddressHijack.GetProcAddress ->7244537C->72424E45
Function netapi32.dll:NetWkstaTransportDel (268) intercepted, method ProcAddressHijack.GetProcAddress ->72445398->72424F21
Function netapi32.dll:NetWkstaTransportEnum (269) intercepted, method ProcAddressHijack.GetProcAddress ->724453B4->72424CF9
Function netapi32.dll:NetWkstaUserEnum (270) intercepted, method ProcAddressHijack.GetProcAddress ->724453D1->72424AD1
Function netapi32.dll:NetWkstaUserGetInfo (271) intercepted, method ProcAddressHijack.GetProcAddress ->724453E9->72423280
Function netapi32.dll:NetWkstaUserSetInfo (272) intercepted, method ProcAddressHijack.GetProcAddress ->72445404->72424C15
Function netapi32.dll:NetapipBufferAllocate (273) intercepted, method ProcAddressHijack.GetProcAddress ->7244541F->724337AA
Function netapi32.dll:NetpIsRemote (289) intercepted, method ProcAddressHijack.GetProcAddress ->7244543E->7243382D
Function netapi32.dll:NetpwNameCanonicalize (296) intercepted, method ProcAddressHijack.GetProcAddress ->72445454->72431C30
Function netapi32.dll:NetpwNameCompare (297) intercepted, method ProcAddressHijack.GetProcAddress ->72445473->72431F2E
Function netapi32.dll:NetpwNameValidate (298) intercepted, method ProcAddressHijack.GetProcAddress ->7244548D->72431990
Function netapi32.dll:NetpwPathCanonicalize (299) intercepted, method ProcAddressHijack.GetProcAddress ->724454A8->7243275D
Function netapi32.dll:NetpwPathCompare (300) intercepted, method ProcAddressHijack.GetProcAddress ->724454C7->72434086
Function netapi32.dll:NetpwPathType (301) intercepted, method ProcAddressHijack.GetProcAddress ->724454E1->72432533
Function netapi32.dll:NlBindingAddServerToCache (302) intercepted, method ProcAddressHijack.GetProcAddress ->724454F8->6E6C61F8
Function netapi32.dll:NlBindingRemoveServerFromCache (303) intercepted, method ProcAddressHijack.GetProcAddress ->7244551B->6E6C5D67
Function netapi32.dll:NlBindingSetAuthInfo (304) intercepted, method ProcAddressHijack.GetProcAddress ->72445543->6E6C6198
    PLEASE, please please please, do not reply with suggestions for tools to scan with, what programs to run, ect. I'm just trying to figure out what these hooks are, why they are there, and what put them there.

    See, this is a brand new fresh installation of windows enterprise that I downloaded directly from microsoft.com (It's a 90 day trial of the enterprise version) and installed from a wiped HD.

    So either these hooks are already created from the Windows Enterprise version of Windows 7 from Microsoft (Highly unlikely. It shouldn't have ANY hooks AT ALL, EVER, on a fresh install.)

    ...or, abootkit/rootkit is creating these hooks as windows installs, after windows installs, or shortly after I boot into the new fresh install of windows.

    (I installed this windows after wiping my whole HD. The hooks are still there.) AVZ4 supports 64 bit and enterprise versions of windows.


    There is one way to find out for sure, and that's if someone downloads the 90 day trial of Windows Enterprise from microsoft.com, installs it, and then scans with AVZ4 from Kaspersky to see if they have the same hooks show up in the logs. If they do, then that means the hooks are legit and come from windows. If they don't show up in the logs, then that means my machine is compromised.

    I don't think it's Windows thats creating the hooks...there is no reason to hook internet-related functions like that....



    Anyone care to analyze the hooks and tell me what the heck they're doing?
     
    agiantt, Dec 28, 2010
    #1
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    your answer
     
    Meriadoc, Dec 28, 2010
    #2
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Cudni, Dec 28, 2010
    #3
  4. agiantt

    agiantt Registered Member

    Joined:
    Dec 28, 2010
    Posts:
    2
    Windows doesn't have hooks unless a program installs them. For example, when I scan a fresh install of Windows Vista with the AVZ4 utility there are no hooks found.

    That's a lot of hooks on multiple files...has to be a reason why.

    I googled "Windows Enterprise hooks" and some other keywords, but nothing.
     
    agiantt, Dec 28, 2010
    #4
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    If it's a fresh install and you're using AVZ to scan for rootkits (I wonder why), then have you considered a possibility of these hooks coming from AVZ itself seeing that you are seemingly running this on a 64-bit system where there exists PatchGuard? I'm making a wild guess here...
     
    safeguy, Dec 28, 2010
    #5
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    You should try other tools.
    Kernel Detective is very good for what you want. Even has its own debugger so you can see the assembly code of the hooks and follow the jumps.

    Meriadoc is one of those plugged in types, when Meriadoc makes a statement take the time to understand it or ask for clarification.

    As for Microsoft, wouldn't that be for the purpose of gathering usage statistics from those who download the trial OS?
     
    Searching_ _ _, Dec 28, 2010
    #6
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...