Sysinternals Forum > Windows Discussions > Malware

RootRepeal (old name: DriverDetect)

SystemPro
Senior Member

Joined: 26 April 2007
Location: Germany
Online Status: Offline
Posts: 465
Posted: 04 September 2008 at 12:45am
Results from an old machine:

Program Version:        Version 1.1.0.0
Windows Version:        Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Internet Logs\tvDebug.log
Status: Size mismatch (API: 5552686, Raw: 5530115)

Path: C:\Dokumente und Einstellungen\NetworkService\ntuser.dat.LOG
Status: Allocation size mismatch (API: 32768, Raw: 16384)

Path: C:\Dokumente und Einstellungen\SYS\ntuser.dat.LOG
Status: Size mismatch (API: 1024, Raw: 16384)

Path: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
Status: Allocation size mismatch (API: 1835008, Raw: 16384)

Path: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
Status: Allocation size mismatch (API: 81920, Raw: 16384)

Path: C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
Status: Size mismatch (API: 1024, Raw: 12288)

I recently checked ntuser.dat.log on another system; there were really strange strings in it, fortunecity?!??


Edited by SystemPro - 04 September 2008 at 12:47am
When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
GamingMasteR
Senior Member

Joined: 10 August 2008
Online Status: Offline
Posts: 171
Posted: 04 September 2008 at 11:53am
False positive, I think!
ntuser.dat is used to save some of the user's settings.
Vetinari
Newbie

Joined: 20 July 2008
Online Status: Offline
Posts: 11
Posted: 04 September 2008 at 10:28pm
I just grabbed 1.1.1 - before that, I was using 1.0.2 - and with the new version, two strange effects began appearing:

- on start, RR informs me: "Could not find kernel file on disk!"
(From RR's driver scan: "Name: ntoskrnl.exe / Image Path: C:\WINDOWS\system32\ntoskrnl.exe / Address: 0x804D7000 / Size: 2269184 / File Visible: - / Status: -".)

FWIW, when dumped with RR, the file is indeed 2269184 bytes long. However, the file size of my C:\WINDOWS\system32\ntoskrnl.exe is listed as 2149888 bytes when I view the system32 directory.


- any attempt to start the SSDT scan crashes RR immediately:
"AppName: rootrepeal.exe / AppVer: 1.1.1.0 / ModName: rootrepeal.exe / ModVer: 1.1.1.0 /  Offset: 0001e7ab"



Edited by Vetinari - 04 September 2008 at 10:34pm
Russell
Groupie

Joined: 20 June 2007
Online Status: Offline
Posts: 58
Posted: 05 September 2008 at 4:21am

Exact same problem on my system as well: Windows XP SP3, P4 3.4 GHz Northwood. Ran the program in Virtual PC 2007 on the same machine and it worked fine. The OS used in Virtual PC was Windows XP SP2.

Attempt to start the SSDT scan results in this:

Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Comment: 'Dr. Watson generated MiniDump'
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Debug session time: Thu Sep  4 22:13:42.000 2008 (GMT-5)
System Uptime: not available
Process Uptime: 0 days 0:00:06.000
..................
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(6ec.6cc): Access violation - code c0000005 (first/second chance not available)
eax=0037b708 ebx=00000001 ecx=00000000 edx=7c90e4f4 esi=00a8aa70 edi=00000000
eip=0041e7ab esp=0012f114 ebp=0000000a iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
*** ERROR: Module load completed but symbols could not be loaded for RootRepeal.exe
RootRepeal+0x1e7ab:
0041e7ab 8b4708          mov     eax,dword ptr [edi+8] ds:0023:00000008=????????
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
RootRepeal+1e7ab
0041e7ab 8b4708          mov     eax,dword ptr [edi+8]
EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0041e7ab (RootRepeal+0x0001e7ab)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000008
Attempt to read from address 00000008
DEFAULT_BUCKET_ID:  STATUS_ACCESS_VIOLATION
PROCESS_NAME:  RootRepeal.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS:  00000008
FAULTING_THREAD:  000006cc
PRIMARY_PROBLEM_CLASS:  STATUS_ACCESS_VIOLATION
BUGCHECK_STR:  APPLICATION_FAULT_STATUS_ACCESS_VIOLATION
LAST_CONTROL_TRANSFER:  from 7e4188d1 to 0041e7ab
STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f164 7e4188d1 007b4458 00000000 7e4188da RootRepeal+0x1e7ab
0012f19c 004200c5 ffffffff 0012f2cc 00a83748 user32!GetWindowLongW+0x27
00000000 00000000 00000000 00000000 00000000 RootRepeal+0x200c5

STACK_COMMAND:  ~0s; .ecxr ; kb
FOLLOWUP_IP:
RootRepeal+1e7ab
0041e7ab 8b4708          mov     eax,dword ptr [edi+8]
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  RootRepeal+1e7ab
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: RootRepeal
IMAGE_NAME:  RootRepeal.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  48bea37a
FAILURE_BUCKET_ID:  STATUS_ACCESS_VIOLATION_c0000005_RootRepeal.exe!Unknown
BUCKET_ID:  APPLICATION_FAULT_STATUS_ACCESS_VIOLATION_RootRepeal+1e7ab
Followup: MachineOwner

Edited by Russell - 05 September 2008 at 4:23am
GamingMasteR
Senior Member

Joined: 10 August 2008
Online Status: Offline
Posts: 171
Posted: 05 September 2008 at 5:17am
Here's some feedback:
1- Some mistakes in NtXxx service names on Vista ... the last 3 are "UnknownFunctionName".
2- Service #386 (NtWorkerFactoryWorkerReady) has an empty name on Vista.
3- Can't get non-hooked service module on XP SP2.

I'm sure all the previous are GUI-related problems.
Your tool is great, keep up the good work ;)
a_d_13
Senior Member

Joined: 08 September 2007
Online Status: Offline
Posts: 260
Posted: 05 September 2008 at 5:42am
Hello,

Thank you everyone for the feedback! I have solved the crash-on-SSDT-scan bug now. However, I'll be contacting some of you to help me solve the "Can't find kernel file on-disk" error.
@GamingMasteR - Is this Vista SP1, or SP0 (no service pack)?

Thanks,
--AD
GamingMasteR
Senior Member

Joined: 10 August 2008
Online Status: Offline
Posts: 171
Posted: 05 September 2008 at 6:14am
Vista build 6000, no SP, and check your inbox please.

GM
Russell
Groupie

Joined: 20 June 2007
Online Status: Offline
Posts: 58
Posted: 05 September 2008 at 8:10am
"Could not find kernel file on disk!"

Here is a profile from Dependency Walker.

Starting profile on 9/5/2008 at 1:27:35 AM
Operating System: Microsoft Windows XP Professional (32-bit), version 5.01.2600 Service Pack 3
Program Executable: c:\rootrepeal_1.1.1\ROOTREPEAL.EXE
Program Arguments:
Starting Directory: C:\RootRepeal_1.1.1\
Search Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Options Selected:
     Simulate ShellExecute by inserting any App Paths directories into the PATH environment variable.
     Log DllMain calls for process attach and process detach messages.
     Log DllMain calls for all other messages, including thread attach and thread detach.
     Hook the process to gather more detailed dependency information.
     Log LoadLibrary function calls.
     Log GetProcAddress function calls.
     Log thread information.
     Use simple thread numbers instead of actual thread IDs.
     Log first chance exceptions.
     Log debug output messages.
     Use full paths when logging file names.
     Log a time stamp with each line of log.
     Automatically open and profile child processes.
--------------------------------------------------------------------------------
00:00:00.000: Started "c:\rootrepeal_1.1.1\ROOTREPEAL.EXE" (process 0x29C) at address 0x00400000 by thread 1.  Successfully hooked module.
00:00:00.000: Loaded "c:\windows\system32\NTDLL.DLL" at address 0x7C900000 by thread 1.  Successfully hooked module.
00:00:00.016: Loaded "c:\windows\system32\KERNEL32.DLL" at address 0x7C800000 by thread 1.  Successfully hooked module.
00:00:00.016: DllMain(0x7C900000, DLL_PROCESS_ATTACH, 0x00000000) in "c:\windows\system32\NTDLL.DLL" called by thread 1.
00:00:00.016: DllMain(0x7C900000, DLL_PROCESS_ATTACH, 0x00000000) in "c:\windows\system32\NTDLL.DLL" returned 1 (0x1) by thread 1.
00:00:00.016: DllMain(0x7C800000, DLL_PROCESS_ATTACH, 0x00000000) in "c:\windows\system32\KERNEL32.DLL" called by thread 1.
00:00:00.016: DllMain(0x7C800000, DLL_PROCESS_ATTACH, 0x00000000) in "c:\windows\system32\KERNEL32.DLL" returned 1 (0x1) by thread 1.
00:00:00.031: Injected "c:\depends\DEPENDS.DLL" at address 0x08370000 by thread 1.
00:00:00.047: DllMain(0x08370000, DLL_PROCESS_ATTACH, 0x00000000) in "c:\depends\DEPENDS.DLL" called by thread 1.
00:00:00.047: DllMain(0x08370000, DLL_PROCESS_ATTACH, 0x00000000) in "c:\depends\DEPENDS.DLL" returned 1 (0x1) by thread 1.
00:00:00.047: First chance exception 0xC0000005 (Access Violation) occurred in "c:\windows\system32\NTDLL.DLL" at address 0x7C917C11 by thread 1.
00:00:11.031: First chance exception 0xC0000005 (Access Violation) occurred in "c:\windows\system32\NTDLL.DLL" at address 0x7C96478E by thread 1.
00:00:11.031: Second chance exception 0xC0000005 (Access Violation) occurred in "c:\windows\system32\NTDLL.DLL" at address 0x7C96478E by thread 1.
00:00:11.031: Exited "c:\rootrepeal_1.1.1\ROOTREPEAL.EXE" (process 0x29C) with code -1073741819 (0xC0000005) by thread 1.

Edited by Russell - 05 September 2008 at 8:10am
SystemPro
Senior Member

Joined: 26 April 2007
Location: Germany
Online Status: Offline
Posts: 465
Posted: 05 September 2008 at 9:04am
Everything is fine in my actual tests; I will soon test on another machine, including some virtual machines. Some results from Server 2008:

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:        2008/09/05 09:53
Program Version:        Version 1.1.1.0
Windows Version:        Windows Server 2008 SP1
==================================================

Hidden/Locked Files
-------------------
Path: C:\Windows\WindowsUpdate.log
Status: Allocation size mismatch (API: 180224, Raw: 172032)

Path: C:\Windows\winsxs\poqexec.log
Status: Allocation size mismatch (API: 88, Raw: 0)

Path: C:\Users\Administrator\DoctorWeb\CureIt.log
Status: Allocation size mismatch (API: 262144, Raw: 102400)

Path: C:\Windows\Logs\CBS\CBS.log
Status: Allocation size mismatch (API: 4845568, Raw: 4841472)

Path: C:\Windows\System32\spool\SpoolerETW.etl
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Windows\System32\wfp\wfpdiag.etl
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Windows\System32\LogFiles\Scm\SCM.EVM
Status: Allocation size mismatch (API: 491520, Raw: 0)

Path: C:\Windows\System32\Msdtc\Trace\dtctrace.log
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.001
Status: Allocation size mismatch (API: 49152, Raw: 0)

Path: C:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.002
Status: Allocation size mismatch (API: 49152, Raw: 0)

Path: C:\Users\Administrator\AppData\Local\Temp\etherXXXXa03552
Status: Allocation size mismatch (API: 131072, Raw: 24)

Path: C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.0.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Ink.config
Status: Allocation size mismatch (API: 4096, Raw: 448)

Path: C:\Windows\assembly\GAC_32\Policy.1.7.Microsoft.Ink\6.0.0.0__31bf3856ad364e35\Policy.1.7.Microsoft.Ink.config
Status: Allocation size mismatch (API: 4096, Raw: 448)

Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Locked to the Windows API!

Path: C:\Users\Administrator\AppData\Roaming\K-Meleon\fuiobvuq.default\history.dat
Status: Allocation size mismatch (API: 45056, Raw: 40960)

Path: C:\Users\Administrator\AppData\Local\K-Meleon\fuiobvuq.default\Cache\_CACHE_001_
Status: Allocation size mismatch (API: 442368, Raw: 425984)

Path: C:\Users\Administrator\AppData\Local\K-Meleon\fuiobvuq.default\Cache\_CACHE_002_
Status: Allocation size mismatch (API: 393216, Raw: 380928)

Path: C:\Users\Administrator\AppData\Local\K-Meleon\fuiobvuq.default\Cache\_CACHE_003_
Status: Allocation size mismatch (API: 950272, Raw: 724992)


When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
SystemPro
Senior Member

Joined: 26 April 2007
Location: Germany
Online Status: Offline
Posts: 465
Posted: 06 September 2008 at 5:32am
Program Version:        Version 1.1.1.0
Windows Version:        Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\SchedLgU.Txt
Status: Allocation size mismatch (API: 672, Raw: 568)

Path: C:\Dokumente und Einstellungen\SYS\NTUSER.DAT.LOG
Status: Size mismatch (API: 1024, Raw: 73728)

Path: C:\WINDOWS\system32\dllcache\fp4autl.dll
Status: Allocation size mismatch (API: 454656, Raw: 655360)

TrID..: File type identification Unknown!

When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
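A small triage helper for the Hidden/Locked Files reports posted in this thread, added here as an example; it is not part of RootRepeal and not any poster's code. It parses the Path/Status pairs, pulls out the API and Raw sizes, and ranks each entry with a heuristic of my own: files that Windows or an application writes continuously (ntuser.dat.LOG, .etl, .log, SchedLgU.Txt) are rated low, following GamingMasteR's remark that an in-use settings file produces a false positive, while executables such as the dllcache DLL in the last report are rated high because a size mismatch on code is worth a hash comparison against a known-good copy. The sample report is excerpted from the scans posted above; the priority labels, and the assumption that a file "Locked to the Windows API" is expected for ETW session files, are mine, not RootRepeal's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample RootRepeal output, excerpted from the reports posted in this thread.
SAMPLE_REPORT = r"""Program Version:        Version 1.1.1.0
Windows Version:        Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\SchedLgU.Txt
Status: Allocation size mismatch (API: 672, Raw: 568)

Path: C:\Dokumente und Einstellungen\SYS\NTUSER.DAT.LOG
Status: Size mismatch (API: 1024, Raw: 73728)

Path: C:\WINDOWS\system32\dllcache\fp4autl.dll
Status: Allocation size mismatch (API: 454656, Raw: 655360)

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!
"""

# "Allocation size mismatch (API: 672, Raw: 568)" -> kind plus two sizes;
# "Locked to the Windows API!" -> kind only.
STATUS_RE = re.compile(r"^(?P<kind>.+?)(?: \(API: (?P<api>\d+), Raw: (?P<raw>\d+)\))?$")

# Triage heuristics: assumptions of this example, not RootRepeal's own logic.
# Files that are written continuously routinely show a cached (API) size that
# differs from the bytes on disk (Raw) while they are open.
ACTIVE_LOG_SUFFIXES = (".log", ".etl", ".evm")
ACTIVE_LOG_NAMES = {"schedlgu.txt"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


@dataclass
class Entry:
    path: str
    kind: str  # "Size mismatch", "Allocation size mismatch" or "Locked to the Windows API"
    api: Optional[int] = None
    raw: Optional[int] = None

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def delta(self) -> Optional[int]:
        """Raw minus API size; positive means more bytes on disk than the API reports."""
        if self.api is None or self.raw is None:
            return None
        return self.raw - self.api


def parse_report(text: str) -> List[Entry]:
    """Extract the Path/Status pairs from the Hidden/Locked Files section."""
    entries: List[Entry] = []
    in_section = False
    path: Optional[str] = None
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Hidden/Locked Files":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Path: "):
            path = line[len("Path: "):]
        elif line.startswith("Status: ") and path is not None:
            m = STATUS_RE.match(line[len("Status: "):])
            if m is None:
                continue
            api = int(m.group("api")) if m.group("api") else None
            raw = int(m.group("raw")) if m.group("raw") else None
            entries.append(Entry(path, m.group("kind").rstrip("!"), api, raw))
            path = None
        elif line and not line.startswith("-"):
            break  # any other non-blank line starts a new section
    return entries


def triage(entry: Entry) -> str:
    """Rank an entry low/medium/high for manual review (heuristic, see comments above)."""
    if entry.kind == "Locked to the Windows API":
        # Assumption: an exclusive system lock is expected for ETW session and event-log files.
        return "low"
    if entry.name.endswith(EXECUTABLE_SUFFIXES):
        # A size mismatch on code deserves a hash check against a known-good copy.
        return "high"
    if entry.name.endswith(ACTIVE_LOG_SUFFIXES) or entry.name in ACTIVE_LOG_NAMES:
        return "low"
    return "medium"


def triage_report(text: str) -> List[tuple]:
    """Return (path, kind, delta, priority) for every entry in the report."""
    return [(e.path, e.kind, e.delta, triage(e)) for e in parse_report(text)]


if __name__ == "__main__":
    for path, kind, delta, prio in triage_report(SAMPLE_REPORT):
        print(f"[{prio:6}] {kind:26} delta={delta!s:>7}  {path}")
```

Run it against a saved RootRepeal report instead of SAMPLE_REPORT to get a first cut at which entries deserve a closer look; the low-rated log files are the ones this thread's posters repeatedly report on clean machines, and the high-rated ones are where a known-good hash comparison pays off.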