RkUnhooker self-defense
a_d_13 (Senior Member; joined 08 September 2007; Points: 268)
Posted: 06 November 2007 at 6:13am
Well, I got curious today, so I decided to take a look at how RkUnhooker protects itself. I stopped after a little bit, but here's what I found:
Open RkUnhooker, and then enter this into WinDbg:

```
lkd> u nt!NtOpenProcess
nt!NtOpenProcess:
80574d06 68c4000000      push    0C4h
80574d0b e9d0980679      jmp     f95de5e0
80574d10 e826f7f6ff      call    nt!_SEH_prolog (804e443b)
80574d15 33f6            xor     esi,esi
80574d17 8975d4          mov     dword ptr [ebp-2Ch],esi
80574d1a 33c0            xor     eax,eax
80574d1c 8d7dd8          lea     edi,[ebp-28h]
80574d1f ab              stos    dword ptr es:[edi]
```

Now, close RkUnhooker. Wait a couple of seconds, and then:

```
lkd> u nt!NtOpenProcess
nt!NtOpenProcess:
80574d06 68c4000000      push    0C4h
80574d0b 6810c44e80      push    offset nt!ObWatchHandles+0x25c (804ec410)
80574d10 e826f7f6ff      call    nt!_SEH_prolog (804e443b)
80574d15 33f6            xor     esi,esi
80574d17 8975d4          mov     dword ptr [ebp-2Ch],esi
80574d1a 33c0            xor     eax,eax
80574d1c 8d7dd8          lea     edi,[ebp-28h]
80574d1f ab              stos    dword ptr es:[edi]
```

Now, to check where it lies:

```
[snip]
lkd> !object \Driver\rkhdrv40
Object: ff2afcd8  Type: (81f6d040) Driver
    ObjectHeader: ff2afcc0 (old version)
    HandleCount: 0  PointerCount: 3
    Directory Object: e1a20dc8  Name: rkhdrv40
lkd> dt nt!_DRIVER_OBJECT ff2afcd8
   +0x000 Type             : 4
   +0x002 Size             : 168
   +0x004 DeviceObject     : 0xff52f550 _DEVICE_OBJECT
   +0x008 Flags            : 0x12
   +0x00c DriverStart      : 0xf95de000
   +0x010 DriverSize       : 0x5f80
   +0x014 DriverSection    : 0xff0cdc10
   ...
   +0x038 MajorFunction    : [28] 0xf95e20ff  long  +fffffffff95e20ff
```

You can see that the jump to address f95de5e0 lies in the range of RkUnhooker's driver (f95de000 ==> f95e3f80). So, there you go (bold added by me). It installs an inline hook to protect its process. I was too lazy to actually reverse the code it jumps to, but I presume it simply compares the process ID being opened to the PID of RkUnhooker.

Will this be used in malware in the future? Who knows! But it's fairly easy to detect and, if you can get access to a clean system, remove (just write the real bytes back in).

Not that you need to do this for RkUnhooker, but if you ever have to:

```
lkd> f 80574d0b L5 68 10 c4 4e 80
```

should do the trick, assuming that the address is 80574d0b and the original bytes are 6810c44e80. It also assumes that the current base (radix) is hex (set using "n 16" without quotes).

Please note - I haven't tested this. If I made a mistake, please let me know - this was done in about 20 minutes.

--AD

P.S. Is this the right place to stick this? If not, could a mod move this wherever it needs to go?
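The check a_d_13 did by hand in WinDbg, as an added Python example that is not part of the original post or of the RkUnhooker project. It takes the bytes shown by `u nt!NtOpenProcess`, decodes the 5-byte `push imm32` / `jmp rel32` / `call rel32` forms in the prologue, resolves each branch target the way the CPU does (next instruction pointer plus signed displacement, wrapped to 32 bits), attributes the target to a driver using the DriverStart/DriverSize pair from `dt nt!_DRIVER_OBJECT`, and emits the WinDbg `f` command that writes the original bytes back. The function address, both prologues and the rkhdrv40 range are copied from the post; the `nt` range in the module table is an assumed placeholder, present only so the kernel's own call to `nt!_SEH_prolog` is not reported as a hook.

```python
# Added example, not code from the original thread or from the RkUnhooker project.
# Offline re-implementation of the manual WinDbg check: find a 5-byte jmp/call planted
# in a kernel function's prologue, resolve its target, attribute it to a loaded driver
# via DriverStart/DriverSize, and build the `f` command that restores the real bytes.
import struct

# Values copied from the post's `u nt!NtOpenProcess` output.
NT_OPEN_PROCESS = 0x80574D06
HOOKED_PROLOGUE = bytes.fromhex("68c4000000" "e9d0980679" "e826f7f6ff")
CLEAN_PROLOGUE = bytes.fromhex("68c4000000" "6810c44e80" "e826f7f6ff")

# Module table as (name, start, size).  rkhdrv40 is DriverStart/DriverSize from the
# post's `dt nt!_DRIVER_OBJECT`.  The nt range is an ASSUMED placeholder chosen only
# so that the kernel's own call to nt!_SEH_prolog (804e443b) is not reported as a hook;
# on a real system take it from `lm` instead.
MODULES = [
    ("nt", 0x804D7000, 0x214000),
    ("rkhdrv40", 0xF95DE000, 0x5F80),
]


def decode_prologue(addr, code):
    """Decode the 5-byte forms that matter here (push imm32, call rel32, jmp rel32)
    starting at addr; stop at the first opcode not modelled.  Yields (ip, mnemonic,
    operand) where operand is the immediate or the resolved branch target."""
    ip, off = addr, 0
    while off + 5 <= len(code):
        op = code[off]
        if op == 0x68:
            yield ip, "push", struct.unpack_from("<I", code, off + 1)[0]
        elif op in (0xE8, 0xE9):
            rel = struct.unpack_from("<i", code, off + 1)[0]  # signed displacement
            target = (ip + 5 + rel) & 0xFFFFFFFF  # relative to the next instruction
            yield ip, "call" if op == 0xE8 else "jmp", target
        else:
            return
        ip += 5
        off += 5


def module_owning(address, modules=MODULES):
    """Name of the module whose [start, start+size) contains address, else None."""
    for name, start, size in modules:
        if start <= address < start + size:
            return name
    return None


def find_inline_hook(addr, code, modules=MODULES, own_module="nt"):
    """Return (hook_ip, target, owner) for the first branch in the prologue whose
    target lies outside the function's own module, or None if it looks clean."""
    for ip, mnemonic, operand in decode_prologue(addr, code):
        if mnemonic in ("jmp", "call"):
            owner = module_owning(operand, modules)
            if owner != own_module:
                return ip, operand, owner
    return None


def restore_command(hook_ip, func_addr, clean_code):
    """WinDbg `f` command writing the original 5 bytes back over the hook.
    Assumes the debugger radix is 16 (`n 16`), as the post notes."""
    off = hook_ip - func_addr
    original = clean_code[off:off + 5]
    return "f %x L5 %s" % (hook_ip, " ".join("%02x" % b for b in original))


if __name__ == "__main__":
    hit = find_inline_hook(NT_OPEN_PROCESS, HOOKED_PROLOGUE)
    if hit:
        ip, target, owner = hit
        print("inline hook at %08x -> %08x (owner: %s)" % (ip, target, owner))
        print(restore_command(ip, NT_OPEN_PROCESS, CLEAN_PROLOGUE))
    print("clean copy flagged:", find_inline_hook(NT_OPEN_PROCESS, CLEAN_PROLOGUE))
```

Run stand-alone it reports the hook at 80574d0b going to f95de5e0 inside rkhdrv40 and prints the same `f 80574d0b L5 68 10 c4 4e 80` line as the post, while the clean prologue is not flagged. The decoder deliberately models only the three 5-byte instructions seen in the dump; a hook written as `push imm32; ret` or `mov eax, imm32; jmp eax`, or placed deeper than the first few instructions, needs more opcodes added, and the "outside own module" test is only meaningful with a complete module list.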
SystemPro (Senior Member; joined 26 April 2007; Location: Germany; Points: 512)
Posted: 07 November 2007 at 6:53am
Edited by SystemPro - 07 November 2007 at 7:10am
karlsmith (Newbie; joined 20 January 2010; Points: 1)
Posted: 20 January 2010 at 5:51am
I also needed to stop the self-defense of a simple application. Before doing that I tried to break the RkUnhooker self-defense, and while doing so I faced some problems. I think it has changed the hex numbers. It is 3 years old, btw. If you are still on this forum, could you please make a video tutorial of doing this? :)
USForce (Senior Member; joined 26 October 2007; Location: United States; Points: 150)
Posted: 20 January 2010 at 12:30pm
If you are talking about the last RkU public release (3.8.386.588 SR1), then it hooks more APIs with the inline hooking technique:

NtOpenProcess
NtOpenThread
NtDuplicateObject
KeDelayExecutionThread
ExAllocatePool
ExAllocatePoolWithTag
NtUserBuildHwndList
NtUserWindowFromPoint
bootsect (Senior Member; joined 24 December 2009; Points: 747)
Posted: 20 January 2010 at 12:40pm
Aside from the necropost, if you are still interested:

In RkU go to the Code Hooks page. Hold left SHIFT, press Scan.

+NtUserFindWindowEx

None of these hooks were exploited by malware; they didn't stay resident, only while the RkU driver is loaded (RkU running and/or extended mode set). From Vista SP1 on, RkU versions do not use kernel-mode hooks at all. Originally these hooks were added to RkU to prevent user-mode malware and some crappy kernel-mode malware attempts to terminate the anti-rootkit process. Some of these hooks are used for detection.
USForce (Senior Member; joined 26 October 2007; Location: United States; Points: 150)
Posted: 20 January 2010 at 4:40pm
That's my fault; while writing down the list I forgot it.
aka.kevin (Newbie; joined 20 October 2010; Points: 1)
Posted: 20 October 2010 at 4:38pm
I have almost the same problem as you. When breaking the RkUnhooker self-defense I had many problems. By the way, did you fix it already, or is your problem already solved now? If yes, how?