Things that Rootkit Unhooker veils

Discussion in 'other anti-malware software' started by SystemJunkie, Apr 27, 2007.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    RkUnhooker has become a appreciated anti-rootkit tool, but you will see
    that RkU does not tell you the whole story, this is a lack that should be improved, I guess we all appreciate to see the whole truth and not 50%,70% or only 80%. Check this screen to see what RkU still not wants or still not is able to detect:

    http://i14.tinypic.com/2u40npe.png
     
  2. greencoconut

    greencoconut Registered Member

    Joined:
    Jan 9, 2007
    Posts:
    38
    what tool is that youre using? rku has been under pretty constant development for a while, and is always improving. but its best to always double check with different tools to be sure one tool doesnt miss anything
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Indeed, they got a lot of glory for this tool, but it´s important to see that this creation is extreme far away from being the all in one solution against rootkits and/or especially code hook detection, also it is a warning for other users or developers to stay very very watchful.
     
  4. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Rootkit Unhooker check only system dll's (ntdll.dll, kernel32.dll, user32.dll, gdi32.dll and some others). It doesn't check any available dlls (objects.dll, rtl60.bpl as on screenshot) in the system since this is simple idiocy.

    KeDelayExecutionThread is our hook.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    BTW systemJunkie, what is the other tool in snapshot?
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    @aigle: Gmer and Spybro.

    But if this is idiocy why are these hooks in existence?
    And second would it not be useful to unhook them?
    Should it not be useful to be able to unhook everything, e.g. to build an extended option in RkU for this case.

    Beside the device scanner in Gmer is very progressive, it reveals starforce rootkit, with RkU you don´t see directly starforce, you can find it via driver detection, but it would be easier to build a device scan option, I mean it´s also okay to focus on essential but some add-on options would be cool too.
     
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    They do not affect on system in any way, so showing modifications in third-party nonsystem and non-critical files is idiocy. What is the purpose of such scan? I imagine, that hundreds of rootkits hooks rtl60.bpl (delphi runtime library) to stealth their files/reg keys - nonsense and impossible thing.

    The answer on this question is above. No sense in unhooking these hooks. They can't affect on system and consequently on application.

    Hidden Drivers Detector, -> "References". I don't like how GMER shows IRP states. In first it list everything in the system and gives hundred of suspicios (as it think) entries, excuse me, for what?
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    To simplify the process of finding suspicious things (saves time, no manual search via driver detector necessary), especially starforce rootkit, with in fact is not harmful but represents rootkit technique.
    [this was only related to Gmers device scanning engine]

    And what about IceSwords capabilities? The red line looks wicked. Seems only IceSword was able to take notice of this.

    http://i14.tinypic.com/2iu3ls4.png

    China one leap ahead?
     
    Last edited: Apr 28, 2007
  9. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It is not a detection part of IceSword, it is different startup/closeup monitoring.
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    If I am not totally confused I guess that Red means bad/infected, right?

    Only Rootkit that comes in my mind showing this behaviour is vanquish, but it´s method is very old and normally easy to detect.
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Spybro was the reason, it´s nearly sure. Damn this crazy app makes one paranoid, I quit using it. Sorry for inconvenience. Horrible lawenforcer.dll digs deep into system.
     
    Last edited: Apr 29, 2007
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Unfortunatelly, since IceSword do not have any kind of documentation we can only guess what does these colors means. Definitelly it is not a detection part of IceSword, it is startup monitoring, but what means these colors is a big mystery to everyone except PJF.
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    As far as I noticed red colored activities of IceSword, that happens mostly then when one app starts that uses lots of Api Hooks.
     
  14. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    csrss?
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yesterday tested just for fun Norton2007 while scanning it passed a exe file with chinese letters on c:\. But this exe is not existent nowhere, only when norton passed during scanning procedure, here a nice screen about lots of false positives :)D)

    During one scan yesterday RkU 3.31 found once this Inline Relative Jump, today nothing more.

    The pic above is a collection of several anomalies during this and last year.
     
    Last edited: May 1, 2007
  16. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Bugs and false positives generated by your software in a whole, I guess. Nice screens :)
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes, hehe, I guess too, mostly false positives..

    I double checked this spybro nonsense on another computer, the same red emptiness..
    it´s wicked the more tools you use the more nonsense and confusion is produced.

    The non existence sh*t must come from a firewall hook I guess.

    Beside Gmer detects this:

    SSDT \WINDOWS\system32\ntkrnlpa.exe ZwSuspendProcess

    Rku nothing. Probably not important but I see that first time.
     
    Last edited: May 1, 2007
  18. EASTER.2010

    EASTER.2010 Guest

    I absolutely have to inject my own opinion into this Topic. EP_X0ff and his team mate (MP_Art) in my opinion have made history thanks to their offer with a great ARK as RKUnhooker. Apps like this are very rare and it's usefullness help more than users could ever expect. I could go on all day long over all the benefits RKU provides users. One thing i see is that if they still had control of it the app would advanced further and in a manner unmatched by any others commercial or freelance developer. IMO it;s a one of a kind and is great with what it does accomplish.
     
  19. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Thanks EASTER.

    SystemJunkie, can you show screen of that invisible SSDT hook? Screen with GMER? Probably another GMER bug is discovered :)
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes, it´s a great tool, actually unmatched related to massive unhooking capabilities. (except Nortons cruel SPBBC..exe and Dynamic Security Agent hooks, they resist the unhook procedure as far as I have tested)

    Yes.

    http://i11.tinypic.com/66ell46.png

    Another fp, with high probability:

    File C:\Programme\Gemeinsame Dateien\aol\1161085309\ee\services\widgetsapp\ver0_9_10_1\
    ---- EOF - GMER 1.0.12 ----
     
  21. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    LOL, what will be if you press Restore SSDT?
     
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Nothing special, it simulates the restoring. :D :D :D

    http://i15.tinypic.com/6czidsy.png

    That´s what Rku shows today. I guess this happens mostly then when I unhook ieframe.
     
  23. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    I can't agree with that. Because IE7 frame hook is in user mode, ntkrnlpa+blabla in kernel mode, they can't be dependent.

    I can give you advice. If you really want to know what is it -> dump A534F74E address by using RkU dump memory region feature. Set size of dump to 1000. This is value in hex, in bytes it will be 4Kb. After that upload this dump somewhere where I can access and take a look.
     
  24. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Okay I will do so, if this event occurs again on my very volatile windows environment, actually it doesn´t, but maybe after 2 or more reboots it may reappear.
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I made exactly what you said, I dumped A534F74E, but the memory.dmp file is totally empty.

    So I have 4 kb of emptiness. Beside the entry in rku never changes,
    it always stays at A534F74E unknown code page.
     
Loading...
Similar Threads
  1. majorpain
    Replies:
    21
    Views:
    1,480
Thread Status:
Not open for further replies.