Various rootkit detectors (Rootkit Unhooker, GMER) pick up this unusual thing:
-- Rootkit Unhooker --
Code:
ntkrnlpa.exe+0x0002CD1C, Type: Inline - RelativeCall at address 0x80503D1C hook handler located in [unknown_code_page]
ntkrnlpa.exe+0x0006DEBE, Type: Inline - RelativeJump at address 0x80544EBE hook handler located in [ntkrnlpa.exe]
[920]winlogon.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[920]winlogon.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
[976]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[2596]infium.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
[1380]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
The avp.exe process (KAV7) has more hooks:
Code:
[3908]avp.exe-->kernel32.dll+0x000027CC, Type: Inline - RelativeJump at address 0x7C8027CC hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll+0x000027DC, Type: Inline - RelativeJump at address 0x7C8027DC hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll+0x00002C10, Type: Inline - RelativeJump at address 0x7C802C10 hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll+0x00002F48, Type: Inline - RelativeJump at address 0x7C802F48 hook handler located in [kernel32.dll]
[3908]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification at address 0x00423170 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification at address 0x00423218 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification at address 0x004230EC hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification at address 0x004230E0 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00423214 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00423210 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004230B4 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification at address 0x00423138 hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification at address 0x004231F0 hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[3908]avp.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->CreateProcessA, Type: IAT modification at address 0x00423170 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump at address 0x7C802332 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification at address 0x00423218 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->GetModuleFileNameA, Type: IAT modification at address 0x004230EC hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification at address 0x004230E0 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x00423214 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00423210 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004230B4 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification at address 0x00423138 hook handler located in [unknown_code_page]
[796]avp.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification at address 0x004231F0 hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71A9615A hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71A9428A hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump at address 0x71A94318 hook handler located in [unknown_code_page]
[796]avp.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump at address 0x71A96233 hook handler located in [unknown_code_page]
-- GMER --
Code:
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100033D8
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!connect 71A94A07 5 Bytes JMP 10003320
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!send 71A94C27 5 Bytes JMP 10002C04
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!WSARecv 71A94CB5 5 Bytes JMP 10002438
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!recv 71A9676F 5 Bytes JMP 100023BC
.text C:\WINDOWS\system32\svchost.exe[1184] ws2_32.dll!WSASend
.text C:\WINDOWS\system32\lsass.exe[1496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100033D8
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!connect 71A94A07 5 Bytes JMP 10003320
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!send 71A94C27 5 Bytes JMP 10002C04
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!WSARecv 71A94CB5 5 Bytes JMP 10002438
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!recv 71A9676F 5 Bytes JMP 100023BC
.text C:\WINDOWS\system32\lsass.exe[1496] WS2_32.dll!WSASend
.text C:\Program Files\Miranda new\miranda32.exe[3684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 100C33D8
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!connect 71A94A07 5 Bytes JMP 100C3320
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!send 71A94C27 5 Bytes JMP 100C2C04
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!WSARecv 71A94CB5 5 Bytes JMP 100C2438
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!recv 71A9676F 5 Bytes JMP 100C23BC
.text C:\Program Files\Miranda new\miranda32.exe[3684] WS2_32.dll!WSASend 71A968FA 5 Bytes JMP 100C32D4
Hooked functions from ws2_32.dll are present in almost all processes.
Nothing unusual in processes, services, or drivers.
AVZ only flags leftovers from Outpost (sandbox.sys + afwcore.sys) and a few trivial things:
Code:
1.1 Поиск перехватчиков API, работающих в UserMode
Анализ kernel32.dll, таблица экспорта найдена в секции .text
Детектирована модификация IAT: LoadLibraryA - 6603EE88<>7C801D7B
Анализ ntdll.dll, таблица экспорта найдена в секции .text
Анализ user32.dll, таблица экспорта найдена в секции .text
Анализ advapi32.dll, таблица экспорта найдена в секции .text
Анализ ws2_32.dll, таблица экспорта найдена в секции .text
Анализ wininet.dll, таблица экспорта найдена в секции .text
Анализ rasapi32.dll, таблица экспорта найдена в секции .text
Анализ urlmon.dll, таблица экспорта найдена в секции .text
Анализ netapi32.dll, таблица экспорта найдена в секции .text
Scanning with KAV7 and Dr.Web CureIt from a LiveCD found nothing.
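As a defender-side triage aid (an added example, not code from the post or from either tool): a Python parser for the Rootkit Unhooker line format quoted above that groups hooks by target and address and flags handlers living in [unknown_code_page] across several processes, which is the pattern the post describes. The sample report is a constructed excerpt of the log in the post; all function names are my own.

```python
import re
from collections import defaultdict

# Line format of the Rootkit Unhooker report quoted in the post above.
RKU_LINE = re.compile(
    r"^(?:\[(?P<pid>\d+)\](?P<proc>.+?)-->)?"
    r"(?P<target>.+?), Type: (?P<kind>.+?) at address (?P<addr>0x[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# Constructed excerpt of the post's RkU log (four suspect lines, one benign).
SAMPLE = """\
ntkrnlpa.exe+0x0006DEBE, Type: Inline - RelativeJump at address 0x80544EBE hook handler located in [ntkrnlpa.exe]
[920]winlogon.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[976]lsass.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[1380]svchost.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71A9406A hook handler located in [unknown_code_page]
[3908]avp.exe-->kernel32.dll+0x000027CC, Type: Inline - RelativeJump at address 0x7C8027CC hook handler located in [kernel32.dll]
"""

def parse_rku(report: str) -> list:
    """Parse RkU lines into dicts; kernel-mode lines carry no pid/process."""
    hooks = []
    for line in report.splitlines():
        m = RKU_LINE.match(line.strip())
        if not m:
            continue  # headers, blank lines, unrelated output
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"]) if rec["pid"] else None
        rec["proc"] = rec["proc"] or "<kernel>"
        hooks.append(rec)
    return hooks

def triage(hooks: list) -> dict:
    """Group by hooked target; record handler modules and affected processes.

    A handler in [unknown_code_page] means the jump lands in memory not backed
    by any loaded module, which is typical of injected code. The same address
    and handler repeated across many processes points to one shared injector.
    """
    groups = defaultdict(lambda: {"handlers": set(), "procs": set()})
    for h in hooks:
        g = groups[h["target"]]
        g["addr"], g["kind"] = h["addr"], h["kind"]
        g["handlers"].add(h["handler"])
        g["procs"].add(h["proc"])
    return {t: {"addr": g["addr"], "kind": g["kind"], "procs": sorted(g["procs"]),
                "unknown_handler": "unknown_code_page" in g["handlers"]}
            for t, g in groups.items()}

def widespread_unknown_hooks(report: str, min_procs: int = 2) -> list:
    """Targets hooked into unknown code in at least min_procs processes."""
    t = triage(parse_rku(report))
    return sorted(k for k, v in t.items()
                  if v["unknown_handler"] and len(v["procs"]) >= min_procs)
```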