Friday, October 29, 2010

The case of an inline hook by RkU

One day RkU showed an inline hook:


RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.8.380.580
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
 ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE [ntkrnlpa.exe]


I decided to investigate what the real problem was.
The first thing I did was check the nt image loaded into memory:

kd> !chkimg -d nt
 80537028-8053702c 5 bytes - nt!ExAllocatePool (+0x3c7ae )
 there were also about 4 other hooks here, 5 bytes each ....

Here we can see that the real address of nt!ExAllocatePool (0x8053702c) has been changed to 0x80537028.

I looked at the disassembly of the real 0x8053702c address:

0: kd> u 8053702c
nt!ExAllocatePool+0x4:
8053702c 39684e cmp dword ptr [eax+4Eh],ebp
8053702f 6f outs dx,dword ptr [esi]
80537030 6e outs dx,byte ptr [esi]
80537031 65ff750c push dword ptr gs:[ebp+0Ch]
80537035 ff7508 push dword ptr [ebp+8]
80537038 e82b490100 call nt!ExAllocatePoolWithTag (8054b968)
8053703d 5d pop ebp
8053703e c20800 ret 8

Then I wanted to see what code was at address 0x80537028:

0: kd> u 80537028
nt!ExAllocatePool:
*** ERROR: Module load completed but symbols could not be loaded for svenbowm.SYS
80537028 e90c98e939 jmp svenbowm+0x839 (ba3d0839)
8053702d 684e6f6e65 push 656E6F4Eh
80537032 ff750c push dword ptr [ebp+0Ch]
80537035 ff7508 push dword ptr [ebp+8]
80537038 e82b490100 call nt!ExAllocatePoolWithTag (8054b968)
8053703d 5d pop ebp
8053703e c20800 ret 8
80537041 cc int 3

So here's the answer: the module svenbowm set an inline hook at address 0x80537028.
This module, svenbowm, belongs to the RkU driver.
So I had no fear that my system had been infected by some malicious software. It was only RkU's inline hook :-) which had been set as soon as RkU's driver was loaded.
