Protecting processes from injection via SetWindowsHookEx() ?
Mecanik said (post 730946):

I managed to break this malware's self protection and monitor API calls. The malware has inline hooks besides WinLicense to prevent debugging.

I have found these inline hooks:

[ICODE]
len(1) ntdll.dll->DbgBreakPoint 0x00000000777E0B00->_ inline C3 CC
len(5) ntdll.dll->DbgUiRemoteBreakin 0x000000007781A640->_ inline E9 EB D1 F8 FF 6A 08 68 C8 FE
len(6) ntdll.dll->LdrLoadDll 0x00000000777BE860->_ inline 68 7C 15 5B 00 C3 8B FF 55 8B EC 83
[/ICODE]

After removing them with a tool, I was able to inject it and monitor API calls. The ntdll.dll->LdrLoadDll hook is interesting, because I have something similar ( lol ).

For the above, I want to ask you @Opcode if you have any idea/example of how to remove these hooks automatically via code and not manually with tools?

Continuing to monitor API calls, what I see called very often is:

[ICODE]
NtQueryInformationProcess (GetCurrentProcess(), ProcessMitigationPolicy, 0x0019f7d8, 8, NULL )
[/ICODE]

And this is where the "action" starts, right when the process is found:

[ICODE]
RtlReAllocateHeap ( 0x03100000, HEAP_CREATE_ENABLE_EXECUTE | HEAP_NO_SERIALIZE | HEAP_ZERO_MEMORY | 1048576, 0x031fafa8, 72 )
NtOpenSection ( 0x0019f058, SECTION_MAP_READ, 0x0019f070 )
NtMapViewOfSection ( 0x0000057c, GetCurrentProcess(), 0x0019f080, 0, 0, 0x0019f074, 0x0019f07c, ViewShare, 0, PAGE_READONLY )
NtClose ( 0x0000057c )
[/ICODE]

And now, the funniest part ( because why would you do this anyway!? )

It starts calling:

[ICODE]
NtReadVirtualMemory ( GetCurrentProcess(), 0x0024400c, 0x0019efb4, 4, 0x0019ef58 )
[/ICODE]

More than 5000 times on different addresses, until it finds what it wants... I'm not joking, over 5000 times.

Anyway, it stops and starts the even more interesting part ( at least for me ):

[ICODE]
KERNELBASE.dll RtlInitAnsiStringEx ( 0x0019f17c, "Project1.dll" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll LdrGetDllHandle ( NULL, NULL, 0x0019f174, 0x0019f18c ) STATUS_DLL_NOT_FOUND 0xc0000135 = The code execution cannot proceed because %hs was not found. Reinstalling the program may fix this problem. 0.0000048
KERNELBASE.dll RtlNtStatusToDosError ( STATUS_DLL_NOT_FOUND ) ERROR_MOD_NOT_FOUND 0.0000005
KERNELBASE.dll RtlInitAnsiStringEx ( 0x0019f17c, "Project2.dll" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll LdrGetDllHandle ( NULL, NULL, 0x0019f174, 0x0019f18c ) STATUS_DLL_NOT_FOUND 0xc0000135 = The code execution cannot proceed because %hs was not found. Reinstalling the program may fix this problem. 0.0000015
KERNELBASE.dll RtlNtStatusToDosError ( STATUS_DLL_NOT_FOUND ) ERROR_MOD_NOT_FOUND 0.0000003
KERNELBASE.dll RtlInitAnsiStringEx ( 0x0019f17c, "Project3.dll" ) STATUS_SUCCESS 0.0000000
KERNELBASE.dll LdrGetDllHandle ( NULL, NULL, 0x0019f174, 0x0019f18c ) STATUS_DLL_NOT_FOUND 0xc0000135 = The code execution cannot proceed because %hs was not found. Reinstalling the program may fix this problem. 0.0000015
KERNELBASE.dll RtlNtStatusToDosError ( STATUS_DLL_NOT_FOUND ) ERROR_MOD_NOT_FOUND 0.0000003
KERNELBASE.dll RtlInitAnsiStringEx ( 0x0019f17c, "WriteProcessMemory_Hook.dll" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll LdrGetDllHandle ( NULL, NULL, 0x0019f174, 0x0019f18c ) STATUS_DLL_NOT_FOUND 0xc0000135 = The code execution cannot proceed because %hs was not found. Reinstalling the program may fix this problem. 0.0000015
KERNELBASE.dll RtlNtStatusToDosError ( STATUS_DLL_NOT_FOUND ) ERROR_MOD_NOT_FOUND 0.0000003
KERNELBASE.dll RtlInitAnsiStringEx ( 0x0019f17c, "WriteProcessMemory_Hook64.dll" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll LdrGetDllHandle ( NULL, NULL, 0x0019f174, 0x0019f18c ) STATUS_DLL_NOT_FOUND 0xc0000135 = The code execution cannot proceed because %hs was not found. Reinstalling the program may fix this problem. 0.0000015
KERNELBASE.dll RtlNtStatusToDosError ( STATUS_DLL_NOT_FOUND ) ERROR_MOD_NOT_FOUND 0.0000003
KERNELBASE.dll RtlInitAnsiStringEx ( 0x0019ebb8, "WS2_32.DLL" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll RtlInitUnicodeStringEx ( 0x0019ebb0, "WS2_32.DLL" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll LdrLoadDll ( 0x0001, 0x0019eba0, 0x0019ebb0, 0x0019eba4 ) STATUS_SUCCESS 0.0009120
KERNELBASE.dll RtlRunOnceExecuteOnce ( 0x762f0770, 0x7626db70, NULL, NULL ) STATUS_SUCCESS 0.0000003
KERNEL32.DLL LdrResFindResourceDirectory ( 0x77700000, 0x00000018, 0x00000002, 0x0019e778, NULL, NULL, 0x00000010 ) STATUS_RESOURCE_TYPE_NOT_FOUND 0xc000008a = Indicates the specified resource type cannot be found in the image file. 0.0000041
apphelp.dll LdrGetDllHandle ( NULL, NULL, 0x0019e558, 0x0019e564 ) STATUS_DLL_NOT_FOUND 0xc0000135 = The code execution cannot proceed because %hs was not found. Reinstalling the program may fix this problem. 0.0000015
apphelp.dll RtlDosPathNameToNtPathName_U ( "C:\WINDOWS\System32\WS2_32.DLL", 0x0019e760, NULL, NULL ) TRUE 0.0000038
apphelp.dll NtOpenFile ( 0x0019e770, READ_CONTROL, 0x0019e740, 0x0019e758, FILE_SHARE_DELETE | FILE_SHARE_READ, 0x00000000 ) STATUS_SUCCESS 0.0000892
apphelp.dll NtQuerySecurityObject ( 0x0000057c, OWNER_SECURITY_INFORMATION, NULL, 0x00000000, 0x0019e76c ) STATUS_BUFFER_TOO_SMALL 0xc0000023 = {Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer. 0.0000102
apphelp.dll NtQuerySecurityObject ( 0x0000057c, OWNER_SECURITY_INFORMATION, 0x0314cdb8, 0x00000034, 0x0019e76c ) STATUS_SUCCESS 0.0000041
apphelp.dll RtlGetOwnerSecurityDescriptor ( 0x0314cdb8, 0x0019e768, 0x0019e777 ) STATUS_SUCCESS 0.0000005
apphelp.dll RtlEqualSid ( 0x0314cdcc, 0x03105138 ) TRUE 0.0000005
apphelp.dll NtClose ( 0x0000057c ) STATUS_SUCCESS 0.0000375
apphelp.dll LdrFindEntryForAddress ( 0x77700000, 0x0019e7bc ) STATUS_SUCCESS 0.0000005
apphelp.dll LdrFindEntryForAddress ( 0x77700000, 0x0019e7bc ) STATUS_SUCCESS 0.0000003
apphelp.dll LdrFindEntryForAddress ( 0x77700000, 0x0019e7bc ) STATUS_SUCCESS 0.0000003
apphelp.dll RtlImageDirectoryEntryToData ( 0x77700000, TRUE, 0x000c, 0x0019e704 ) 0x7774c000 0.0000000
apphelp.dll NtProtectVirtualMemory ( GetCurrentProcess(), 0x0019e798, 0x0019e79c, PAGE_EXECUTE_READWRITE, 0x0019e7a0 ) STATUS_SUCCESS 0.0000048
apphelp.dll LdrFindEntryForAddress ( 0x77700000, 0x0019e7bc ) STATUS_SUCCESS 0.0000003
apphelp.dll NtProtectVirtualMemory ( GetCurrentProcess(), 0x0019e798, 0x0019e79c, PAGE_READONLY, 0x0019e7a0 ) STATUS_SUCCESS 0.0000046
KERNELBASE.dll RtlEncodePointer ( 0x7774b4c4 ) 0x2ec11f68 0.0000018
KERNELBASE.dll RtlEncodePointer ( 0x7771b400 ) 0x2ed51c78 0.0000005
KERNELBASE.dll RtlEncodePointer ( 0x7774b4c8 ) 0x2ec11f58 0.0000005
KERNELBASE.dll RtlAcquirePebLock ( ) 0.0000005
KERNELBASE.dll RtlFindClearBitsAndSet ( 0x77887c38, 0x00000001, 0x00000000 ) 0x00000032 0.0000010
KERNELBASE.dll RtlReleasePebLock ( ) 0.0000000
KERNELBASE.dll RtlInitString ( 0x0019ebdc, "WSAStartup" ) 0.0000003
apphelp.dll RtlCaptureStackBackTrace ( 0x00000000, 0x00000010, 0x0019e9dc, NULL ) 0x0002 0.0000005
KERNELBASE.dll NtOpenProcessToken ( GetCurrentProcess(), TOKEN_QUERY, 0x0019e8e4 ) STATUS_SUCCESS 0.0000043
KERNELBASE.dll NtQueryInformationToken ( 0x00000584, TokenIsAppContainer, 0x0019e8e8, 0x00000004, 0x0019e8e0 ) STATUS_SUCCESS 0.0000015
KERNELBASE.dll NtClose ( 0x00000584 ) STATUS_SUCCESS 0.0000010
KERNELBASE.dll RtlGetCurrentTransaction ( ) NULL 0.0000000
KERNELBASE.dll RtlSetCurrentTransaction ( NULL ) TRUE 0.0000000
KERNELBASE.dll RtlSetCurrentTransaction ( NULL ) TRUE 0.0000003
KERNELBASE.dll RtlInitUnicodeStringEx ( 0x0019e878, "System\CurrentControlSet\Services\WinSock2\Parameters" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll NtOpenKeyEx ( 0x0019e918, KEY_ALL_ACCESS, 0x0019e7c8, 0x00000000 ) STATUS_SUCCESS 0.0000433
KERNELBASE.dll RtlNtStatusToDosError ( STATUS_SUCCESS ) ERROR_SUCCESS 0.0000003
KERNELBASE.dll RtlInitAnsiStringEx ( 0x0019e874, "WinSock_Registry_Version" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll NtQueryValueKey ( 0x00000584, 0x0019e87c, KeyValuePartialInformation, 0x0019e7b4, 0x00000090, 0x0019e790 ) STATUS_SUCCESS 0.0000046
[/ICODE]

And the list goes on, but among other interesting calls are:

[ICODE]
RPCRT4.dll NtOpenThreadToken ( GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, TRUE, 0x0019db14 ) STATUS_NO_TOKEN 0xc000007c = An attempt was made to reference a token that doesn't exist. This is typically done by referencing the token associated with a thread when the thread is not impersonating a client. 0.0000005
RPCRT4.dll NtOpenThreadToken ( GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, TRUE, 0x0019db10 ) STATUS_NO_TOKEN 0xc000007c = An attempt was made to reference a token that doesn't exist. This is typically done by referencing the token associated with a thread when the thread is not impersonating a client. 0.0000008
RPCRT4.dll NtOpenThreadToken ( GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_QUERY, TRUE, 0x0019dd2c ) STATUS_NO_TOKEN 0xc000007c = An attempt was made to reference a token that doesn't exist. This is typically done by referencing the token associated with a thread when the thread is not impersonating a client. 0.0000025
RPCRT4.dll NtSetInformationThread ( GetCurrentThread(), ThreadImpersonationToken, 0x0019dd24, 0x00000004 ) STATUS_SUCCESS 0.0000010
RPCRT4.dll NtSetInformationThread ( GetCurrentThread(), ThreadImpersonationToken, 0x0019dd28, 0x00000004 ) STATUS_SUCCESS 0.0000010
[/ICODE]

And this right at the "end" of all this, after the process is opened:

[ICODE]
KERNELBASE.dll NtOpenSection ( 0x0019f030, SECTION_MAP_READ, 0x0019f048 ) STATUS_SUCCESS 0.0000196
KERNELBASE.dll NtMapViewOfSection ( 0x00000990, GetCurrentProcess(), 0x0019f058, 0x00000000, 0x00000000, 0x0019f04c, 0x0019f054, ViewShare, 0x00000000, PAGE_READONLY ) STATUS_SUCCESS 0.0000066
KERNELBASE.dll NtClose ( 0x00000990 ) STATUS_SUCCESS 0.0000028
[/ICODE]

I also found the driver, it's actually just a few lines of code... and also decompiled it. The driver is nothing to worry about; the worrying part is how the malware gets the handle if my process is protected.
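The hook dump in the post above lists, for each patched export, the patch length, the address and the first bytes at that address. What a practitioner wants from such a dump before deciding what to do about it is a classification: is the patch a jump (and where to), a push/ret trampoline, or a plain neutering ret? The script below is an added example, written for this page rather than taken from the poster's tooling; it parses exactly the three lines quoted in the post and decodes the first instruction of each patch. It assumes 32-bit x86 encoding, which matches the 0x777xxxxx ntdll addresses and the `8B FF 55 8B EC` prologue visible after the LdrLoadDll patch; the line format regex is an assumption about the dump tool's output based only on the three lines shown.

```python
import re
import struct

# Constructed sample: the three hook lines quoted in the post above, verbatim.
HOOK_DUMP = """\
len(1) ntdll.dll->DbgBreakPoint 0x00000000777E0B00->_ inline C3 CC
len(5) ntdll.dll->DbgUiRemoteBreakin 0x000000007781A640->_ inline E9 EB D1 F8 FF 6A 08 68 C8 FE
len(6) ntdll.dll->LdrLoadDll 0x00000000777BE860->_ inline 68 7C 15 5B 00 C3 8B FF 55 8B EC 83
"""

# One dump line: len(N) module->function address->_ inline <hex bytes>
# (format assumed from the three lines above)
LINE_RE = re.compile(
    r"len\((?P<len>\d+)\)\s+(?P<module>[\w.]+)->(?P<func>\w+)\s+"
    r"(?P<addr>0x[0-9A-Fa-f]+)->_\s+inline\s+(?P<bytes>(?:[0-9A-Fa-f]{2}\s*)+)$"
)


def classify_patch(addr, patch):
    """Decode the first instruction of an inline patch (32-bit x86 assumed).
    Returns (kind, control-flow target or None)."""
    if patch[:1] == b"\xE9" and len(patch) >= 5:
        rel = struct.unpack_from("<i", patch, 1)[0]          # signed rel32
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF    # target = next ip + rel
    if patch[:1] == b"\x68" and len(patch) >= 6 and patch[5] == 0xC3:
        return "push imm32 / ret", struct.unpack_from("<I", patch, 1)[0]
    if patch[:1] == b"\xC3":
        return "ret", None        # function neutered: returns immediately
    if patch[:1] == b"\xCC":
        return "int3", None
    return "unknown", None


def decode_hooks(text):
    """Parse every dump line and classify its patch."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        n = int(m["len"])
        raw = bytes.fromhex(m["bytes"].replace(" ", ""))
        addr = int(m["addr"], 16)
        kind, target = classify_patch(addr, raw[:n])
        hooks.append({
            "module": m["module"],
            "func": m["func"],
            "addr": addr,
            "len": n,
            "patch": raw[:n],
            "tail": raw[n:],   # bytes the tool printed past the patch (untouched remainder)
            "kind": kind,
            "target": target,
        })
    return hooks


def report(hooks):
    """One human-readable line per hook."""
    lines = []
    for h in hooks:
        tgt = "" if h["target"] is None else f" -> 0x{h['target']:08X}"
        lines.append(f"{h['module']}!{h['func']} @0x{h['addr']:08X}: "
                     f"{h['len']}-byte {h['kind']}{tgt} (tail {h['tail'].hex(' ')})")
    return lines


if __name__ == "__main__":
    for line in report(decode_hooks(HOOK_DUMP)):
        print(line)
```

Run on the post's dump, DbgBreakPoint decodes as a one-byte `ret` (its real body is `int 3; ret`, so the patch turns it into a no-op), DbgUiRemoteBreakin as a `jmp` to 0x777A7830, and LdrLoadDll as a `push 0x005B157C; ret` trampoline into a low, non-system address. Whether a decoded target lies inside the hooked module or in some other region is the triage question that decides whether a patch is a benign compatibility shim or a foreign detour; the script reports the target and leaves that judgement, and any repair, to the analyst.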
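The API monitor output in the post is long, and the calls that matter (the executable heap, the section mapped into the sample's own process, the thousands of NtReadVirtualMemory probes, the checks for `WriteProcessMemory_Hook.dll`, the RWX protection change, the impersonation token) are scattered between routine loader noise. The script below is an added example, not the poster's code or the monitor's: it parses the `module function ( args ) status ... time` line shape seen in the trace and runs a handful of behavioural rules over it. The sample trace is constructed from lines quoted in the post; the second and third NtReadVirtualMemory addresses are made up to stand in for the thousands the poster saw, and the line format and rule set are this example's assumptions.

```python
import re

# Constructed sample assembled from the monitor lines quoted in the post above.
# The NtReadVirtualMemory addresses after the first are made up stand-ins.
TRACE = r"""
NtQueryInformationProcess (GetCurrentProcess(), ProcessMitigationPolicy, 0x0019f7d8, 8, NULL )
RtlReAllocateHeap ( 0x03100000, HEAP_CREATE_ENABLE_EXECUTE | HEAP_NO_SERIALIZE | HEAP_ZERO_MEMORY | 1048576, 0x031fafa8, 72 )
NtOpenSection ( 0x0019f058, SECTION_MAP_READ, 0x0019f070 )
NtMapViewOfSection ( 0x0000057c, GetCurrentProcess(), 0x0019f080, 0, 0, 0x0019f074, 0x0019f07c, ViewShare, 0, PAGE_READONLY )
NtReadVirtualMemory ( GetCurrentProcess(), 0x0024400c, 0x0019efb4, 4, 0x0019ef58 )
NtReadVirtualMemory ( GetCurrentProcess(), 0x00244010, 0x0019efb4, 4, 0x0019ef58 )
NtReadVirtualMemory ( GetCurrentProcess(), 0x00244014, 0x0019efb4, 4, 0x0019ef58 )
KERNELBASE.dll RtlInitAnsiStringEx ( 0x0019f17c, "WriteProcessMemory_Hook.dll" ) STATUS_SUCCESS 0.0000003
KERNELBASE.dll LdrGetDllHandle ( NULL, NULL, 0x0019f174, 0x0019f18c ) STATUS_DLL_NOT_FOUND 0xc0000135 = The code execution cannot proceed because %hs was not found. Reinstalling the program may fix this problem. 0.0000015
apphelp.dll RtlDosPathNameToNtPathName_U ( "C:\WINDOWS\System32\WS2_32.DLL", 0x0019e760, NULL, NULL ) TRUE 0.0000038
apphelp.dll NtProtectVirtualMemory ( GetCurrentProcess(), 0x0019e798, 0x0019e79c, PAGE_EXECUTE_READWRITE, 0x0019e7a0 ) STATUS_SUCCESS 0.0000048
RPCRT4.dll NtSetInformationThread ( GetCurrentThread(), ThreadImpersonationToken, 0x0019dd24, 0x00000004 ) STATUS_SUCCESS 0.0000010
"""

MODULE_RE = re.compile(r"^([\w.]+\.dll)\s+", re.IGNORECASE)   # optional caller module prefix


def parse_call(line):
    """Split 'module func ( args ) status ... time' into its parts. Parentheses
    are matched by depth so GetCurrentProcess() inside the argument list does
    not end it early."""
    line = line.strip()
    if not line:
        return None
    module = None
    m = MODULE_RE.match(line)
    if m:
        module, line = m.group(1), line[m.end():]
    open_idx = line.find("(")
    if open_idx < 0:
        return None
    depth, close_idx = 0, None
    for i in range(open_idx, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                close_idx = i
                break
    if close_idx is None:
        return None
    tail = line[close_idx + 1:].split()
    return {
        "module": module,
        "func": line[:open_idx].strip(),
        "args": [a.strip() for a in line[open_idx + 1:close_idx].split(",")],
        "status": tail[0] if tail else None,   # first token after ')' is the return value
    }


def find_indicators(calls, scan_threshold=1000):
    """Behavioural triage over a parsed trace: (rule, index of the firing line)."""
    findings = []
    last_string = None       # last literal handed to RtlInit*StringEx
    reads = 0
    for idx, c in enumerate(calls):
        f, args, mod = c["func"], c["args"], c["module"] or "unknown caller"
        if f in ("RtlInitAnsiStringEx", "RtlInitUnicodeStringEx") and len(args) > 1:
            last_string = args[1].strip('"')
        elif f == "LdrGetDllHandle" and last_string and "hook" in last_string.lower():
            # the sample asks whether a hooking DLL is already loaded before acting
            findings.append((f"probe for hooking DLL: {last_string}", idx))
        elif f.endswith("AllocateHeap") and any("HEAP_CREATE_ENABLE_EXECUTE" in a for a in args):
            findings.append(("executable heap", idx))
        elif f == "NtMapViewOfSection" and "GetCurrentProcess()" in args:
            findings.append(("section mapped into own process", idx))
        elif f == "NtProtectVirtualMemory" and "PAGE_EXECUTE_READWRITE" in args:
            # caller matters: apphelp.dll flipping an IAT page RWX and back is the shim engine
            findings.append((f"RWX protection change by {mod}", idx))
        elif f == "NtSetInformationThread" and "ThreadImpersonationToken" in args:
            findings.append(("thread impersonation token set", idx))
        elif f == "NtReadVirtualMemory":
            reads += 1
    if reads >= scan_threshold:
        findings.append((f"NtReadVirtualMemory scan: {reads} calls", None))
    return findings


def triage(text, scan_threshold=1000):
    calls = [c for c in (parse_call(l) for l in text.splitlines()) if c]
    return calls, find_indicators(calls, scan_threshold)


if __name__ == "__main__":
    calls, findings = triage(TRACE, scan_threshold=3)
    for rule, idx in findings:
        where = "" if idx is None else f" (line {idx}: {calls[idx]['func']})"
        print(rule + where)
```

Two design points carry over to real traces. First, the caller module is kept because it changes the verdict: in the post's own trace the PAGE_EXECUTE_READWRITE change comes from apphelp.dll right after `RtlImageDirectoryEntryToData(..., 0x000c, ...)` (the IAT directory) and is reverted to PAGE_READONLY a few lines later, which is the shim engine patching an import table, not the sample; a rule keyed only on the protection flag would flag it. Second, the scan counter reports once with a total rather than once per call, so a 5000-line burst produces one finding instead of burying the others.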