fatdcuk
MIRT Hunter Premium Member
Joined: Oct 31, 2006 Posts: 2986 Location: Uk

Posted: Wed Aug 29, 2007 4:48 pm Post subject: [tool update]RootKit Unhooker LE build 3.7.300/506
Download for advanced ARK forensic tool.
http://rkunhooker1.narod.ru/
**Please, unless you are 100% familiar with this tool, only use under guidance. It can do some very neat tricks but can also do serious system damage if misused**
_________________________________________
Congrats to EP_X0FF & team
Glad to see your tool keeping pace with malware rootkits being seen in the wild at the moment
Loaded up my poor victim/research pc with a good collection of recent rootkit trojans to see what your ARK could uncover and, as with previous versions, the results are unparalleled
Malware rootkit/trojan samples used:
1) Rustock B (Lzx32.sys)
2) Wincom32 (wincom32.sys)
3) Trojan injector aka All-In-One (VideoAti0.dll, VideoAti0.exe, VideoAti0.sys)
4) Cutwail/Bulknet+Pandex (Runtime.sys, Runtime2.sys, smtpdrv.sys)
5) Haxdoor+Wopla (ntio256.sys, protector.exe)
and finally the current and most advanced rootkit trojan :blink:
http://www.symantec.com/enterprise/security_response/weblog/2007/07/spam_from_the_kernel_fullkerne.html
6) Srizbi (Mni41.sys)
Here's the output log generated by RKU scan. I have edited out all legitimate objects/data to leave only malware related entries/data :)
Code:
RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.506
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtClose
Actual Address 0xF94D44D8
Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
NtEnumerateKey
Actual Address 0xF94D400A
Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
NtEnumerateValueKey
Actual Address 0xF94D41CA
Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
NtFsControlFile
Actual Address 0xF94D3F5A
Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
NtOpenSection
Actual Address 0xF0993546
Hooked by: C:\WINDOWS\System32\wincom32.sys
NtReadVirtualMemory
Actual Address 0xF94D438A
Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
NtSuspendProcess
==============================================
>Processes
!!!!!!!!!!!Hidden process: C:\WINDOWS\system32\protector.exe
Process Id: 168
EPROCESS Address: 0xFF10E8A8
==============================================
>Drivers
Driver: Mni41.sys
Address: 0xF9218000
Size: 167936 bytes
!!!!!!!!!!!Hidden driver: C:\WINDOWS\System32:lzx32.sys
Address: 0xF0C3C000
Size: 73728 bytes
Driver: C:\WINDOWS\System32\wincom32.sys
Address: 0xF0993000
Size: 49152 bytes
!!!!!!!!!!!Hidden driver: C:\WINDOWS\system32\drivers\runtime2.sys
Address: 0xF94D2000
Size: 36864 bytes
!!!!!!!!!!!Hidden driver: ntio256.sys
Loaded from:
Address: 0xF9622000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\DRIVERS\smtpdrv.sys
Address: 0xF95BA000
Size: 20480 bytes
!!!!!!!!!!!Hidden driver: VideoAti0.sys
Loaded from:
Address: 0xF9582000
Size: 20480 bytes
Driver: C:\WINDOWS\System32\drivers\runtime.sys
Address: 0xF9794000
Size: 8192 bytes
==============================================
>Stealth
Unknown page with executable code
Address: 0xFF7DAB85
Size: 1147
Unknown page with executable code
Address: 0xFF7EDA1B
Size: 1509
Unknown page with executable code
Address: 0xFF7D6F30
Size: 208
Unknown page with executable code
Address: 0xFF7EB55E
Size: 2722
Unknown page with executable code
Address: 0xFF7D5517
Size: 2793
Unknown page with executable code
Address: 0xFF7DB14A
Size: 3766
Unknown page with executable code
Address: 0xFF7DC121
Size: 3807
Unknown page with executable code
Address: 0xFF7F3CBE
Size: 834
==============================================
>Files
Suspect File: C:\WINDOWS\system32:lzx32.sys:$DATA Status: Hidden
Suspect File: C:\WINDOWS\system32\drivers\Mni41.sys Status: Hidden
Suspect File: C:\WINDOWS\system32\drivers\runtime2.sys Status: Hidden
Suspect File: C:\WINDOWS\system32\drivers\runtime2.sy_ Status: Hidden
Suspect File: C:\WINDOWS\system32\drivers\VideoAti0.sys Status: Hidden
Suspect File: C:\WINDOWS\system32\ntio256.sys Status: Hidden
Suspect File: C:\WINDOWS\system32\protector.exe Status: Hidden
Suspect File: C:\WINDOWS\system32\VideoAti0.dll Status: Hidden
Suspect File: C:\WINDOWS\system32\VideoAti0.exe Status: Hidden
Suspect File: C:\WINDOWS\system32\wincom32.ini Status: Hidden
Suspect File: C:\WINDOWS\system32\wincom32.sys Status: Hidden
==============================================
>Hooks
ntoskrnl.exe-->IofCallDriver, Type: Address change at address 0x80544480 hook handler located in [lzx32.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump at address 0x8057D323 hook handler located in [Mni41.sys]
ntoskrnl.exe-->NtOpenKey, Type: Inline - RelativeJump at address 0x8058272F hook handler located in [Mni41.sys]
SYSENTER/Int 2E, Type: System Call & Inline at address 0x804DA04F hook handler located in [lzx32.sys]
tcpip.sys+0x000036A2, Type: Inline - RelativeCall at address 0xF0BAF6A2 hook handler located in [lzx32.sys]
tcpip.sys+0x0000D0C2, Type: Inline - RelativeCall at address 0xF0BB90C2 hook handler located in [lzx32.sys]
tcpip.sys+0x0001786C, Type: Inline - RelativeCall at address 0xF0BC386C hook handler located in [lzx32.sys]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF0BE5A04 hook handler located in [lzx32.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF0BE5A10 hook handler located in [lzx32.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF0BE5A0C hook handler located in [smtpdrv.sys]
wanarp.sys+0x000050C1, Type: Inline - RelativeCall at address 0xF94B70C1 hook handler located in [lzx32.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF94B77CC hook handler located in [smtpdrv.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF94B779C hook handler located in [smtpdrv.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF94B77BC hook handler located in [smtpdrv.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF94B77A8 hook handler located in [smtpdrv.sys]
Just a subnote to say thanks again for a forensic ARK tool that has greatly assisted me in my malware hunting/infection recovery missions. The wipe/copy file tool is the bomb
Screenshots attached
_________________ Malware hunter....Got Bot ?
http://www.castlecops.com/f269-Malware_Listserv.html
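The report above uses a plain sectioned layout (`>SSDT State`, `>Processes`, `>Drivers`, `>Files`, `>Hooks`), which makes it easy to turn a log like this into a per-module triage list: which driver hooks which syscalls, which drivers and processes are hidden, and which kernel hooks belong to which file. The script below is an added example, not part of fatdcuk's post and not code from the RKU tool or its authors. The embedded excerpt is constructed from the layout of the posted log, and the section names and line formats are assumed from the report as shown above, not from any RKU specification.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the posted RkUnhooker report (trimmed;
# only the line shapes matter for the parser). Raw string keeps the backslashes.
SAMPLE_REPORT = r"""RkUnhooker report generator v0.7
==============================================
>SSDT State
NtClose
Actual Address 0xF94D44D8
Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
NtOpenSection
Actual Address 0xF0993546
Hooked by: C:\WINDOWS\System32\wincom32.sys
NtSuspendProcess
==============================================
>Processes
!!!!!!!!!!!Hidden process: C:\WINDOWS\system32\protector.exe
Process Id: 168
==============================================
>Drivers
Driver: Mni41.sys
Address: 0xF9218000
Size: 167936 bytes
!!!!!!!!!!!Hidden driver: C:\WINDOWS\System32:lzx32.sys
Address: 0xF0C3C000
Size: 73728 bytes
==============================================
>Hooks
ntoskrnl.exe-->IofCallDriver, Type: Address change at address 0x80544480 hook handler located in [lzx32.sys]
SYSENTER/Int 2E, Type: System Call & Inline at address 0x804DA04F hook handler located in [lzx32.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF0BE5A0C hook handler located in [smtpdrv.sys]
"""

# One ">Hooks" line: target, hook type, address, and the module holding the handler.
HOOK_RE = re.compile(
    r"^(?P<target>.+?), Type: (?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<module>[^\]]+)\]$"
)


def parse_report(text):
    """Walk the report section by section and collect the malware-relevant findings."""
    findings = {"ssdt_hooks": [], "hidden_processes": [], "hidden_drivers": [], "hooks": []}
    section = None
    pending_syscall = None  # SSDT entry name waiting for its "Hooked by:" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if line.startswith(">"):
            section = line[1:].strip()
            pending_syscall = None
            continue
        if section == "SSDT State":
            if line.startswith("Actual Address"):
                continue
            if line.startswith("Hooked by:"):
                if pending_syscall:
                    findings["ssdt_hooks"].append((pending_syscall, line.split(":", 1)[1].strip()))
            else:
                # An entry with no following "Hooked by:" (e.g. NtSuspendProcess) is unhooked.
                pending_syscall = line
        elif section == "Processes":
            m = re.match(r"^!+Hidden process: (.+)$", line)
            if m:
                findings["hidden_processes"].append(m.group(1))
        elif section == "Drivers":
            m = re.match(r"^!+Hidden driver: (.+)$", line)
            if m:
                findings["hidden_drivers"].append(m.group(1))
        elif section == "Hooks":
            m = HOOK_RE.match(line)
            if m:
                findings["hooks"].append(m.groupdict())
    return findings


def module_name(path):
    """Reduce a driver path to a lowercase file name, including the
    'System32:lzx32.sys' alternate-data-stream form seen in the log."""
    tail = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return tail.rsplit(":", 1)[-1].lower()


def summarize_by_module(findings):
    """Group every finding under the module responsible: the list of files to pull and hash."""
    by_mod = defaultdict(list)
    for syscall, path in findings["ssdt_hooks"]:
        by_mod[module_name(path)].append(f"SSDT {syscall}")
    for h in findings["hooks"]:
        by_mod[module_name(h["module"])].append(f"{h['type']} on {h['target']}")
    for d in findings["hidden_drivers"]:
        by_mod[module_name(d)].append("hidden driver")
    return dict(by_mod)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for mod, items in sorted(summarize_by_module(found).items()):
        print(mod)
        for item in items:
            print("   ", item)
    for proc in found["hidden_processes"]:
        print("hidden process:", proc)
```

Grouping by module rather than by section is the useful step: in the posted log it collapses dozens of lines into a handful of file names (lzx32.sys, runtime2.sys, wincom32.sys, smtpdrv.sys, Mni41.sys) that can be copied off the box with RKU's file tool and submitted for analysis.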
negster22
Security Expert Premium Member
Joined: Mar 10, 2004 Posts: 5394

Posted: Wed Aug 29, 2007 11:55 pm Post subject:

Thank you - fatdcuk for posting such a complete update complete with logs.
I have not been able to get a conclusive answer on whether RKU is Vista compatible.
If it is, what program features are supported - and which are not?
_________________ Negster22 - MS MVP - Consumer Security 2006-2008
fatdcuk
MIRT Hunter Premium Member
Joined: Oct 31, 2006 Posts: 2986 Location: Uk