Friday, 29 October 2010

the case of an inline hook by RkU

One day RkU showed an inline hook:


RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.8.380.580
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
 ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE [ntkrnlpa.exe]


I decided to investigate what the real problem was.
The first thing I did was check the nt image loaded into memory:

kd>  !chkimg -d nt
 80537028-8053702c 5 bytes - nt!ExAllocatePool (+0x3c7ae )
 there were also about 4 more hooks of 5 bytes each here ....



Here we can see that the real address of nt!ExAllocatePool (0x8053702c) has been changed to 0x80537028.

I looked at the disassembly of the real address 0x8053702c:

0: kd> u 8053702c
nt!ExAllocatePool+0x4:
8053702c 39684e cmp dword ptr [eax+4Eh],ebp
8053702f 6f outs dx,dword ptr [esi]
80537030 6e outs dx,byte ptr [esi]
80537031 65ff750c push dword ptr gs:[ebp+0Ch]
80537035 ff7508 push dword ptr [ebp+8]
80537038 e82b490100 call nt!ExAllocatePoolWithTag (8054b968)
8053703d 5d pop ebp
8053703e c20800 ret 8

Then I wanted to see what code was at address 0x80537028:

0: kd> u 80537028
nt!ExAllocatePool:
*** ERROR: Module load completed but symbols could not be loaded for svenbowm.SYS
80537028 e90c98e939 jmp svenbowm+0x839 (ba3d0839)
8053702d 684e6f6e65 push 656E6F4Eh
80537032 ff750c push dword ptr [ebp+0Ch]
80537035 ff7508 push dword ptr [ebp+8]
80537038 e82b490100 call nt!ExAllocatePoolWithTag (8054b968)
8053703d 5d pop ebp
8053703e c20800 ret 8
80537041 cc int 3

So here's the answer: the module svenbowm placed an inline hook at address 0x80537028.
This module (svenbowm) belongs to the RkU driver.
So I had no fear that my system had been infected by some malicious software. It was only RkU's own inline hook :-) which had been set as soon as RkU's driver was loaded.
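The same attribution can be done mechanically over the WinDbg output. The script below is an added example, not code from the post or from RkU: it parses the `!chkimg -d` mismatch line and the `u` listing, decodes the E9 rel32 near jump at the start of the patched function, and names the module that receives control. The module table is constructed in the shape of `lm` output; svenbowm's base is derived from `svenbowm+0x839 (ba3d0839)` in the post, while its size and the nt/hal ranges are assumptions.

```python
import re
import struct

# Constructed module table in the shape of `lm` output: (name, start, end).
# nt and hal ranges are assumed; svenbowm's base follows from
# "svenbowm+0x839 (ba3d0839)" in the post, its size is assumed.
MODULES = [
    ("nt", 0x804D7000, 0x806CD000),
    ("hal", 0x806CD000, 0x806ED000),
    ("svenbowm", 0xBA3D0000, 0xBA3D2000),
]

# Constructed copies of the two WinDbg outputs quoted in the post.
CHKIMG_OUTPUT = """\
 80537028-8053702c 5 bytes - nt!ExAllocatePool (+0x3c7ae )
"""

U_OUTPUT = """\
nt!ExAllocatePool:
80537028 e90c98e939 jmp svenbowm+0x839 (ba3d0839)
8053702d 684e6f6e65 push 656E6F4Eh
80537032 ff750c push dword ptr [ebp+0Ch]
"""

CHKIMG_RE = re.compile(r"^\s*([0-9a-f]{8})-([0-9a-f]{8})\s+(\d+) bytes - (\S+)", re.I)
U_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{2,})\s+(\S+)", re.I)


def module_for(addr):
    """Return the name of the module owning addr, or None if no range contains it."""
    for name, start, end in MODULES:
        if start <= addr < end:
            return name
    return None


def parse_chkimg(text):
    """Yield (start, end, byte_count, symbol) for each `!chkimg -d` mismatch line."""
    for line in text.splitlines():
        m = CHKIMG_RE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), int(m.group(3)), m.group(4)


def parse_u(text):
    """Yield (address, opcode bytes, mnemonic) for each instruction line of `u` output."""
    for line in text.splitlines():
        m = U_RE.match(line)
        if m:
            yield int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)


def jmp_rel32_target(addr, code):
    """Decode an E9 rel32 near jump located at addr; return the 32-bit target or None."""
    if len(code) != 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]  # signed displacement after the 5-byte insn
    return (addr + 5 + rel) & 0xFFFFFFFF


def classify_hooks(chkimg_text, u_text):
    """For every patched range, check whether its first instruction is a near jump
    that leaves the owning module, and record which module receives control."""
    first_insn = {addr: (code, mn) for addr, code, mn in parse_u(u_text)}
    findings = []
    for start, end, nbytes, symbol in parse_chkimg(chkimg_text):
        owner = module_for(start)
        finding = {"symbol": symbol, "start": start, "patched_bytes": nbytes,
                   "owner": owner, "target": None, "target_module": None}
        entry = first_insn.get(start)
        if entry is None:
            finding["verdict"] = "patched, no disassembly available"
        else:
            code, mnemonic = entry
            target = jmp_rel32_target(start, code)
            if target is None:
                finding["verdict"] = f"patched, first insn is {mnemonic}, not a rel32 jmp"
            else:
                dest = module_for(target)
                finding["target"], finding["target_module"] = target, dest
                finding["verdict"] = "inline jmp hook" if dest != owner else "intra-module jmp"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in classify_hooks(CHKIMG_OUTPUT, U_OUTPUT):
        print(f"{f['symbol']}: {f['verdict']} -> {f['target_module']} "
              f"({f['target']:#010x})" if f["target"] else f"{f['symbol']}: {f['verdict']}")
```

The verdict only says where the jump lands; as in the post, whether the receiving module is benign (a security tool's own driver) or not is decided by identifying that module.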

Wednesday, 20 October 2010

windbg: view the IAT of kernel modules

This time we'll be looking at the functions and their addresses in the IAT (Import Address Table) of one of the kernel modules, e.g. Ntfs.sys.

The first thing you need to do in windbg is to view the module's file headers and get the IAT address:


0: kd> !dh -f ntfs
File Type: EXECUTABLE IMAGE 
FILE HEADER VALUES
       0  DLL characteristics
       0 [       0] address [size] of Export Directory
   86674 [      50] address [size] of Import Directory
   17B80 [     51C] address [size] of Import Address Table Directory
............................................................................


Then you need to find out the module's start address:


0: kd> lm m ntfs
start    end        module name
b9e35000 b9ec1600   Ntfs       (deferred)


Now that you know the IAT directory address and the module's start address, you can view the whole list of functions in the IAT of the Ntfs module:



0: kd> dds b9e35000+17b80
b9e4cb80  806e69f0 hal!KeAcquireInStackQueuedSpinLock
b9e4cb84  806e6940 hal!ExAcquireFastMutex
b9e4cb88  806e6aa8 hal!KeReleaseQueuedSpinLock
b9e4cb8c  806e6a4c hal!KeAcquireQueuedSpinLock
b9e4cb90  806e6900 hal!KfReleaseSpinLock
b9e4cb94  806e699c hal!ExTryToAcquireFastMutex
b9e4cb98  806e6974 hal!ExReleaseFastMutex
b9e4cb9c  806e6aa0 hal!KeReleaseInStackQueuedSpinLock
b9e4cba0  806e6830 hal!KfAcquireSpinLock
b9e4cba4  00000000
b9e4cba8  b9ec3022 KSecDD!GenerateSessionKey
b9e4cbac  b9ec2fdc KSecDD!EfsGenerateKey
b9e4cbb0  b9ec3002 KSecDD!GenerateDirEfs
b9e4cbb4  b9ec28f4 KSecDD!InitSecurityInterfaceW
b9e4cbb8  b9ec3012 KSecDD!EfsDecryptFek
b9e4cbbc  00000000
b9e4cbc0  8054705c nt!ExRaiseStatus
b9e4cbc4  804ec29a nt!FsRtlNormalizeNtstatus
b9e4cbc8  804e41b4 nt!CcFlushCache
b9e4cbcc  80535b9e nt!ExIsResourceAcquiredExclusiveLite
b9e4cbd0  8052e79c nt!RtlInitUnicodeString
b9e4cbd4  80546168 nt!InterlockedPopEntrySList
b9e4cbd8  8054618c nt!RtlpInterlockedPushEntrySList
b9e4cbdc  804f7e92 nt!KeQuerySystemTime
b9e4cbe0  80546210 nt!RtlCompareMemory
b9e4cbe4  8056d1b6 nt!FsRtlAreNamesEqual
b9e4cbe8  804eb004 nt!FsRtlCheckLockForWriteAccess




As you may have noticed, it lists not only functions from ntoskrnl.exe, so it seems the Ntfs module imports from a few modules: hal.dll, KSecDD and ntoskrnl.exe. To make sure, we can use the PEtools utility (see the screenshot below):




By the way, if you are too lazy to use windbg :-) you can use PEtools.
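The IAT walk above can also be scripted for review. The following is an added example, not code from the post or from any tool it mentions: it computes the IAT address from the base and RVA shown in the post, parses a `dds` listing, splits it into per-module import groups (the zero slots in the listing terminate each group, as seen between the hal and KSecDD entries), counts imports per module, and flags any non-zero slot that resolves to no symbol or to a module other than the one its group imports from. The listing is a constructed excerpt of the post's output; its last line, pointing at `hookdrv+0xc10`, is a constructed placeholder that stands in for the kind of entry an IAT hook leaves behind.

```python
import re
from collections import Counter

DDS_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(\S+))?", re.I)

# Values from the post's `lm m ntfs` and `!dh -f ntfs` output.
NTFS_BASE = 0xB9E35000
IAT_RVA = 0x17B80
IAT_SIZE = 0x51C

# Constructed excerpt of the post's `dds` listing. The final slot is a
# constructed placeholder (hookdrv is not a real module) that illustrates
# an import pointer redirected outside the module the group imports from.
DDS_OUTPUT = """\
b9e4cb80  806e69f0 hal!KeAcquireInStackQueuedSpinLock
b9e4cb84  806e6940 hal!ExAcquireFastMutex
b9e4cb88  806e6aa8 hal!KeReleaseQueuedSpinLock
b9e4cb8c  00000000
b9e4cb90  b9ec3022 KSecDD!GenerateSessionKey
b9e4cb94  b9ec2fdc KSecDD!EfsGenerateKey
b9e4cb98  00000000
b9e4cb9c  8054705c nt!ExRaiseStatus
b9e4cba0  804ec29a nt!FsRtlNormalizeNtstatus
b9e4cba4  ba3d0c10 hookdrv+0xc10
"""


def iat_address(base, rva):
    """Virtual address of the IAT: module base plus the RVA from the data directory."""
    return base + rva


def iat_slot_count(size_bytes, pointer_size=4):
    """Number of pointer slots in an IAT directory of the given byte size (32-bit kernel)."""
    return size_bytes // pointer_size


def parse_dds(text):
    """Yield (slot address, pointer value, resolved symbol or None) per `dds` line."""
    for line in text.splitlines():
        m = DDS_RE.match(line)
        if m:
            yield int(m.group(1), 16), int(m.group(2), 16), m.group(3)


def module_of(symbol):
    """Module part of a WinDbg symbol such as 'nt!ExRaiseStatus' or 'hookdrv+0xc10'."""
    return symbol.split("!", 1)[0]


def audit_iat(text):
    """Group IAT slots by import descriptor (zero slots terminate a group), count
    imports per module, and flag slots whose target does not match the group."""
    groups, current = [], []
    for slot, value, symbol in parse_dds(text):
        if value == 0:
            if current:
                groups.append(current)
                current = []
            continue
        current.append((slot, value, symbol))
    if current:
        groups.append(current)

    counts, suspicious = Counter(), []
    for group in groups:
        # The module that most resolved entries belong to is taken as the group's DLL.
        modules = Counter(module_of(sym) for _, _, sym in group if sym)
        expected = modules.most_common(1)[0][0] if modules else None
        for slot, value, sym in group:
            if sym is None:
                suspicious.append((slot, value, "no symbol for target"))
            elif module_of(sym) != expected:
                suspicious.append((slot, value, f"resolves to {sym}, group imports {expected}"))
            else:
                counts[expected] += 1
    return {"imports_per_module": dict(counts), "suspicious": suspicious}


if __name__ == "__main__":
    print(f"IAT at {iat_address(NTFS_BASE, IAT_RVA):#010x}, {iat_slot_count(IAT_SIZE)} slots")
    report = audit_iat(DDS_OUTPUT)
    print(report["imports_per_module"])
    for slot, value, reason in report["suspicious"]:
        print(f"  {slot:#010x} -> {value:#010x}: {reason}")
```

A clean Ntfs IAT yields only the per-module counts; any slot in the suspicious list deserves the same `u` inspection shown in the inline-hook post.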

using more than 4 GB of physical memory on a 32-bit system

Physical Address Extension, aka PAE.
This mode lets the PC use more than 4 GB of physical memory.
However, keep in mind that applications can still address at most 4 GB of virtual address space.
You can read more on Microsoft's official site.

Here we'll talk about how to enable PAE mode.

  • XP, Windows 2000: add /pae to boot.ini
  • 2003 Server: PAE is enabled by default :-)
  • Vista, Win7:   bcdedit  /set {ID} pae ForceEnable