Sysinternals Forum: Windows Discussions > Malware
RkUnhooker self-defense

a_d_13 (Senior Member, joined 08 September 2007)
Posted: 06 November 2007 at 6:13am
Well, I got curious today, so I decided to take a look at how RkUnhooker protects itself.  I stopped after a little bit, but here's what I found:

Open RkUnhooker, and then enter this into WinDbg:
lkd> u nt!NtOpenProcess
nt!NtOpenProcess:
80574d06 68c4000000      push    0C4h
80574d0b e9d0980679      jmp     f95de5e0
80574d10 e826f7f6ff      call    nt!_SEH_prolog (804e443b)
80574d15 33f6            xor     esi,esi
80574d17 8975d4          mov     dword ptr [ebp-2Ch],esi
80574d1a 33c0            xor     eax,eax
80574d1c 8d7dd8          lea     edi,[ebp-28h]
80574d1f ab              stos    dword ptr es:[edi]


Now, close RkUnhooker.  Wait a couple seconds, and then:

lkd> u nt!NtOpenProcess
nt!NtOpenProcess:
80574d06 68c4000000      push    0C4h
80574d0b 6810c44e80      push    offset nt!ObWatchHandles+0x25c (804ec410)
80574d10 e826f7f6ff      call    nt!_SEH_prolog (804e443b)
80574d15 33f6            xor     esi,esi
80574d17 8975d4          mov     dword ptr [ebp-2Ch],esi
80574d1a 33c0            xor     eax,eax
80574d1c 8d7dd8          lea     edi,[ebp-28h]
80574d1f ab              stos    dword ptr es:[edi]


Now, to check where it lies:
[snip]
lkd> !object \Driver\rkhdrv40
Object: ff2afcd8  Type: (81f6d040) Driver
    ObjectHeader: ff2afcc0 (old version)
    HandleCount: 0  PointerCount: 3
    Directory Object: e1a20dc8  Name: rkhdrv40
lkd> dt nt!_DRIVER_OBJECT ff2afcd8
   +0x000 Type             : 4
   +0x002 Size             : 168
   +0x004 DeviceObject     : 0xff52f550 _DEVICE_OBJECT
   +0x008 Flags            : 0x12
   +0x00c DriverStart      : 0xf95de000
   +0x010 DriverSize       : 0x5f80
   +0x014 DriverSection    : 0xff0cdc10
    ...
   +0x038 MajorFunction    : [28] 0xf95e20ff     long  +fffffffff95e20ff


You can see that the jump to address f95de5e0 lies in the range of RkUnhooker's driver (f95de000 ==> f95e3f80).

So, there you go (bold added by me).  It installs an inline hook to protect its process.  I was too lazy to actually reverse the code it jumps to, but I presume it simply compares the process ID being opened to the PID of RkUnhooker.  Will this be used in malware in the future?  Who knows!  But, it's fairly easy to detect and, if you can get access to a clean system, remove (just write the real bytes back in).  Not that you need to do this for RkUnhooker, but if you ever have to:
lkd> f 80574d0b L5 68 10 c4 4e 80
Should do the trick, assuming that the address is 80574d0b, and the original bytes are 6810c44e80.  Also assumes that the current base (radix) is hex (set using "n 16" without quotes).  Please note - I haven't tested this.

If I made a mistake, please let me know - this was done in about 20 minutes.

--AD

P.S. Is this the right place to stick this?  If not, could a mod move this wherever it needs to go?
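A defender-side check for what a_d_13 describes, added here as an example and not code from the thread: it parses captured WinDbg `u` output, follows E8/E9 rel32 transfers, flags those whose target lies outside the image that owns the function (the rkhdrv40 range is DriverStart + DriverSize from the post's `dt nt!_DRIVER_OBJECT`), and derives the `f` restore command from a clean listing. The nt image range is an assumed placeholder; the sample listings are the post's own output, embedded as constructed input.

```python
import re

# Constructed sample input: the `u nt!NtOpenProcess` listings from the post,
# captured with RkUnhooker running (HOOKED) and after it was closed (CLEAN).
HOOKED = """\
80574d06 68c4000000      push    0C4h
80574d0b e9d0980679      jmp     f95de5e0
80574d10 e826f7f6ff      call    nt!_SEH_prolog (804e443b)
"""
CLEAN = """\
80574d06 68c4000000      push    0C4h
80574d0b 6810c44e80      push    offset nt!ObWatchHandles+0x25c (804ec410)
80574d10 e826f7f6ff      call    nt!_SEH_prolog (804e443b)
"""
# Image ranges as [start, end). rkhdrv40 is DriverStart + DriverSize from the post's
# `dt nt!_DRIVER_OBJECT`; the nt range is an assumed placeholder covering the listings.
MODULES = {"nt": (0x80400000, 0x806E0000),
           "rkhdrv40": (0xF95DE000, 0xF95DE000 + 0x5F80)}
LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\w+)")

def owner(addr):
    """Name of the image whose range contains addr, or None."""
    return next((n for n, (lo, hi) in MODULES.items() if lo <= addr < hi), None)

def rel32_target(addr, opcode_hex):
    """Target of a 5-byte E8/E9 call/jmp: next instruction + signed rel32."""
    rel = int.from_bytes(bytes.fromhex(opcode_hex[2:10]), "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF

def find_inline_hooks(listing):
    """Flag direct jmp/call instructions whose target lies in a different image than
    the instruction itself; a direct rel32 transfer out of nt is the hook signature."""
    hooks = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2)[:2] not in ("e8", "e9"):
            continue
        addr = int(m.group(1), 16); target = rel32_target(addr, m.group(2))
        if owner(target) != owner(addr):
            hooks.append((addr, target, owner(target)))
    return hooks

def restore_command(clean_listing, hook_addr):
    """WinDbg `f` command that writes the clean bytes back over the hook, taken
    from the instruction at hook_addr in the clean listing (radix 16 assumed)."""
    for line in clean_listing.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(1), 16) == hook_addr:
            return "f %08x L%d %s" % (hook_addr, len(m.group(2)) // 2, " ".join(re.findall("..", m.group(2))))
    return None
```

As a_d_13 notes, the restore command is only valid when the clean bytes were captured on the same kernel build at the same address.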
SystemPro (Senior Member, Germany, joined 26 April 2007)
Posted: 07 November 2007 at 6:53am
Quote fffffffff
and
Quote f95...
This looks typical for him.

Edited by SystemPro - 07 November 2007 at 7:10am
karlsmith (Newbie, joined 20 January 2010)
Posted: 20 January 2010 at 5:51am
I also needed to stop the self-defense program of a simple application. Before doing that I tried to break the RkUnhooker self-defense; while doing so I faced some problems. I think it has changed the hex no. It is 3 years old btw. If you are still in this forum, please can you make a video tutorial of doing this. :)
USForce (Senior Member, United States, joined 26 October 2007)
Posted: 20 January 2010 at 12:30pm
Originally posted by a_d_13 a_d_13 wrote:
[quotes a_d_13's opening post in full; snipped here]

If you are talking about the last RkU public release (3.8.386.588 SR1), then it hooks more APIs with the inline hooking technique:

NtOpenProcess
NtOpenThread
NtDuplicateObject
KeDelayExecutionThread
ExAllocatePool
ExAllocatePoolWithTag
NtUserBuildHwndList
NtUserWindowFromPoint
bootsect (Senior Member, joined 24 December 2009)
Posted: 20 January 2010 at 12:40pm
Aside from the necropost, if you are still interested:

In rku go to the Code Hooks page.

Hold Left SHIFT, press Scan.

Quote If you talk about last RkU public release (3.8.386.588 SR1) then it's hooking more API with inline hooking technique:

NtOpenProcess
NtOpenThread
NtDuplicateObject
KeDelayExecutionThread
ExAllocatePool
ExAllocatePoolWithTag
NtUserBuildHwndList
NtUserWindowFromPoint

+NtUserFindWindowEx

None of these hooks were exploited by malware; they didn't stay resident, only while the rku driver is loaded (rku running and/or extended mode set).

From Vista SP1 on, all rku versions do not use kernel mode hooks.

Originally these hooks were added to rku to prevent user mode malware and some crappy kernel mode malware from attempting to terminate the antirootkit process. Some of these hooks are used for detection.
USForce (Senior Member, United States, joined 26 October 2007)
Posted: 20 January 2010 at 4:40pm
Originally posted by bootsect bootsect wrote:


+NtUserFindWindowEx


LOL That's my fault.

While writing down the list I forgot it.
aka.kevin (Newbie, joined 20 October 2010)
Posted: 20 October 2010 at 4:38pm
Originally posted by karlsmith karlsmith wrote:

I also needed to stop self defense program of a simple application. before doing that I tried to break the RkUnhooker self defense, while doing so I faced some problems. I think it has changed the hex no. It is 3 years old btw. if you are still in this forum. please can you make a video tutorial of doing this. :)

I have almost the same problem as you: when breaking the RkUnhooker self-defense I am having many problems. By the way, did you fix it already, or is your problem already solved now? If yes, how?