
Is My System Clean?

  1. #1
    Junior Member
    Registered: 24.09.2010
    Posts: 1

    Is My System Clean?

    Main script of analysis
    Windows version: Microsoft Windows XP, Build=2600, SP="Service Pack 3"
    System Restore: enabled
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    IAT modification detected: CreateProcessA - 00BC0010<>7C80236B
    IAT modification detected: GetModuleFileNameA - 00BC0080<>7C80B56F
    IAT modification detected: GetModuleFileNameW - 00BC00F0<>7C80B475
    IAT modification detected: CreateProcessW - 00BC0160<>7C802336
    IAT modification detected: LoadLibraryW - 00BC0240<>7C80AEEB
    IAT modification detected: LoadLibraryA - 00BC0320<>7C801D7B
    IAT modification detected: GetProcAddress - 00BC0390<>7C80AE40
    IAT modification detected: FreeLibrary - 00BC0400<>7C80AC7E
    Analysis: ntdll.dll, export table found in section .text
    Analysis: user32.dll, export table found in section .text
    Analysis: advapi32.dll, export table found in section .text
    Analysis: ws2_32.dll, export table found in section .text
    Analysis: wininet.dll, export table found in section .text
    Analysis: rasapi32.dll, export table found in section .text
    Analysis: urlmon.dll, export table found in section .text
    Analysis: netapi32.dll, export table found in section .text
    1.2 Searching for kernel-mode API hooks
    Driver loaded successfully
    SDT found (RVA=085700)
    Kernel ntkrnlpa.exe found in memory at address 804D7000
    SDT = 8055C700
    KiST = 80504480 (284)
    Function NtCreateFile (25) - machine code modification Method of JmpTo. jmp B9DC51CC mfehidk.sys, driver recognized as trusted
    Function NtCreateKey (29) - machine code modification Method of JmpTo. jmp B9DC508A mfehidk.sys, driver recognized as trusted
    Function NtCreateProcess (2F) - machine code modification Method of JmpTo. jmp B9DC5024 mfehidk.sys, driver recognized as trusted
    Function NtCreateProcessEx (30) - machine code modification Method of JmpTo. jmp B9DC5038 mfehidk.sys, driver recognized as trusted
    Function NtDeleteKey (3F) - machine code modification Method of JmpTo. jmp B9DC509E mfehidk.sys, driver recognized as trusted
    Function NtDeleteValueKey (41) - machine code modification Method of JmpTo. jmp B9DC50CA mfehidk.sys, driver recognized as trusted
    Function NtEnumerateKey (47) - machine code modification Method of JmpTo. jmp B9DC5138 mfehidk.sys, driver recognized as trusted
    Function NtEnumerateValueKey (49) - machine code modification Method of JmpTo. jmp B9DC5122 mfehidk.sys, driver recognized as trusted
    Function NtLoadKey2 (63) - machine code modification Method of JmpTo. jmp B9DC514E mfehidk.sys, driver recognized as trusted
    Function NtMapViewOfSection (6C) - machine code modification Method of JmpTo. jmp B9DC520C mfehidk.sys, driver recognized as trusted
    Function NtNotifyChangeKey (6F) - machine code modification Method of JmpTo. jmp B9DC517A mfehidk.sys, driver recognized as trusted
    Function NtOpenKey (77) - machine code modification Method of JmpTo. jmp B9DC5076 mfehidk.sys, driver recognized as trusted
    Function NtOpenProcess (7A) - machine code modification Method of JmpTo. jmp B9DC4FE8 mfehidk.sys, driver recognized as trusted
    Function NtOpenThread (80) - machine code modification Method of JmpTo. jmp B9DC4FFC mfehidk.sys, driver recognized as trusted
    Function NtProtectVirtualMemory (89) - machine code modification Method of JmpTo. jmp B9DC51E0 mfehidk.sys, driver recognized as trusted
    Function NtQueryKey (A0) - machine code modification Method of JmpTo. jmp B9DC51B6 mfehidk.sys, driver recognized as trusted
    Function NtQueryMultipleValueKey (A1) - machine code modification Method of JmpTo. jmp B9DC510C mfehidk.sys, driver recognized as trusted
    Function NtQueryValueKey (B1) - machine code modification Method of JmpTo. jmp B9DC50F6 mfehidk.sys, driver recognized as trusted
    Function NtRenameKey (C0) - machine code modification Method of JmpTo. jmp B9DC50B4 mfehidk.sys, driver recognized as trusted
    Function NtReplaceKey (C1) - machine code modification Method of JmpTo. jmp B9DC51A2 mfehidk.sys, driver recognized as trusted
    Function NtRestoreKey (CC) - machine code modification Method of JmpTo. jmp B9DC518E mfehidk.sys, driver recognized as trusted
    Function NtSetContextThread (D5) - machine code modification Method of JmpTo. jmp B9DC5062 mfehidk.sys, driver recognized as trusted
    Function NtSetInformationProcess (E4) - machine code modification Method of JmpTo. jmp B9DC504E mfehidk.sys, driver recognized as trusted
    Function NtSetValueKey (F7) - machine code modification Method of JmpTo. jmp B9DC50E0 mfehidk.sys, driver recognized as trusted
    Function NtTerminateProcess (101) - machine code modification Method of JmpTo. jmp B9DC523B mfehidk.sys, driver recognized as trusted
    Function NtUnloadKey (107) - machine code modification Method of JmpTo. jmp B9DC5164 mfehidk.sys, driver recognized as trusted
    Function NtUnmapViewOfSection (10B) - machine code modification Method of JmpTo. jmp B9DC5222 mfehidk.sys, driver recognized as trusted
    Function NtYieldExecution (116) - machine code modification Method of JmpTo. jmp B9DC51F6 mfehidk.sys, driver recognized as trusted
    Function NtCreateFile (80579084) - machine code modification Method of JmpTo. jmp B9DC51CC mfehidk.sys, driver recognized as trusted
    Function NtMapViewOfSection (805B1FE6) - machine code modification Method of JmpTo. jmp B9DC520C mfehidk.sys, driver recognized as trusted
    Function NtOpenProcess (805CB3FA) - machine code modification Method of JmpTo. jmp B9DC4FE8 mfehidk.sys, driver recognized as trusted
    Function NtOpenThread (805CB686) - machine code modification Method of JmpTo. jmp B9DC4FFC mfehidk.sys, driver recognized as trusted
    Function NtSetInformationProcess (805CDE44) - machine code modification Method of JmpTo. jmp B9DC504E mfehidk.sys, driver recognized as trusted
    Functions checked: 284, intercepted: 0, restored: 0
    1.3 Checking IDT and SYSENTER
    Analysis for CPU 1
    >>> Danger - possible CPU address substitution [1].IDT[06] = [B4C2316D] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
    >>> Danger - possible CPU address substitution [1].IDT[0E] = [B4C22FC2] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
    Analysis for CPU 2
    >>> Danger - possible CPU address substitution [2].IDT[06] = [B4C2316D] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
    >>> Danger - possible CPU address substitution [2].IDT[0E] = [B4C22FC2] C:\WINDOWS\system32\drivers\Haspnt.sys, driver recognized as trusted
    Checking IDT and SYSENTER - complete
    1.4 Searching for masking processes and drivers
    Checking not performed: extended monitoring driver (AVZPM) is not installed
    Driver loaded successfully
    1.5 Checking of IRP handlers
    Checking - complete
    >> Services: potentially dangerous service allowed: RemoteRegistry (Remote Registry)
    >> Services: potentially dangerous service allowed: TermService (Terminal Services)
    >> Services: potentially dangerous service allowed: SSDPSRV (SSDP Discovery Service)
    >> Services: potentially dangerous service allowed: Schedule (Task Scheduler)
    >> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting Remote Desktop Sharing)
    >> Services: potentially dangerous service allowed: RDSessMgr (Remote Desktop Help Session Manager)
    > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    >> Security: disk drives' autorun is enabled
    >> Security: administrative shares (C$, D$ ...) are enabled
    >> Security: anonymous user access is enabled
    >> Security: sending Remote Assistant queries is enabled
    >> Disable HDD autorun
    >> Disable autorun from network drives
    >> Disable CD/DVD autorun
    >> Disable removable media autorun
    System Analysis in progress

    System Analysis - complete
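The log above reports two kinds of hooks, and they deserve different handling: the SSDT and IDT hooks are attributed by AVZ to a named driver and marked "driver recognized as trusted", while the eight kernel32.dll IAT modifications carry no owner at all, only a target address. The script below (an added example, not part of the original post or of AVZ) parses lines in the shape of that log, separates trusted kernel hooks from unattributed user-mode hooks, and groups the user-mode hook targets by 64 KiB region so the analyst sees at a glance that they all land in one allocation (00BC0000) that still has to be mapped to a module or an injected region. The sample log is constructed from a few lines of the post; the final `unknown.sys` line is hypothetical and exists only to exercise the not-trusted branch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input. The kernel32 and SSDT lines are copied from the
# log above (spacing normalised); the last "Function" line is hypothetical and
# is included only so the not-trusted branch is exercised.
SAMPLE_LOG = """\
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
IAT modification detected: CreateProcessA - 00BC0010<>7C80236B
IAT modification detected: LoadLibraryA - 00BC0320<>7C801D7B
Analysis: ntdll.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Function NtCreateFile (25) - machine code modification Method of JmpTo. jmp B9DC51CC mfehidk.sys, driver recognized as trusted
Function NtOpenProcess (7A) - machine code modification Method of JmpTo. jmp B9DC4FE8mfehidk.sys, driver recognized as trusted
Function NtQueryDirectoryFile (91) - machine code modification Method of JmpTo. jmp B9E00000 unknown.sys
"""

# "Analysis: <dll>, export table ..." opens a new user-mode DLL section.
ANALYSIS_RE = re.compile(r"^Analysis: (\S+), export table")
# "IAT modification detected: <func> - <hook addr><><original addr>"
IAT_RE = re.compile(r"^IAT modification detected: (\w+) - ([0-9A-F]{8})<>([0-9A-F]{8})$")
# "Function <func> (<index or address>) - ... jmp <target><owner>[, driver recognized as trusted]"
# The target is always 8 hex digits, so a missing space before the owner
# (as in the raw log) is tolerated.
SDT_RE = re.compile(
    r"^Function (\w+) \(([0-9A-F]+)\) - machine code modification Method of JmpTo\. "
    r"jmp ([0-9A-F]{8})\s*(\S+?)(, driver recognized as trusted)?$"
)


@dataclass
class Hook:
    layer: str              # "user" (IAT) or "kernel" (SSDT)
    module: str             # DLL whose IAT was patched, or the service table
    function: str           # hooked API / system service
    hook_addr: int          # where control is diverted to
    ref: str                # original address (IAT) or SSDT index/address (kernel)
    owner: Optional[str]    # driver AVZ attributed the hook to, if any
    trusted: bool           # AVZ's "driver recognized as trusted" flag


def parse_avz_hooks(text: str) -> List[Hook]:
    """Extract user-mode IAT hooks and kernel SSDT hooks from AVZ-style log text."""
    hooks: List[Hook] = []
    current_dll = "?"
    for raw in text.splitlines():
        line = raw.strip()
        m = ANALYSIS_RE.match(line)
        if m:
            current_dll = m.group(1)
            continue
        m = IAT_RE.match(line)
        if m:
            func, hook_addr, original = m.groups()
            hooks.append(Hook("user", current_dll, func, int(hook_addr, 16), original, None, False))
            continue
        m = SDT_RE.match(line)
        if m:
            func, ref, target, owner, trusted = m.groups()
            hooks.append(Hook("kernel", "KiServiceTable", func, int(target, 16), ref, owner, trusted is not None))
    return hooks


def triage(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Bucket hooks: trusted (attributed, vendor driver), suspicious (attributed
    but not trusted), unattributed (no owner at all; must be resolved by hand)."""
    out: Dict[str, List[str]] = {"trusted": [], "suspicious": [], "unattributed": []}
    for h in hooks:
        if h.owner is None:
            out["unattributed"].append(h.function)
        elif h.trusted:
            out["trusted"].append(h.function)
        else:
            out["suspicious"].append(h.function)
    return out


def hook_regions(hooks: List[Hook], granularity: int = 0x10000) -> Set[int]:
    """Distinct 64 KiB regions that user-mode hook targets fall into. One region
    shared by every hook usually means one injected module or one allocation."""
    return {h.hook_addr & ~(granularity - 1) for h in hooks if h.layer == "user"}


if __name__ == "__main__":
    parsed = parse_avz_hooks(SAMPLE_LOG)
    print(triage(parsed))
    print({hex(r) for r in hook_regions(parsed)})
```

On the real log this reduces the eight IAT findings to a single question, "what is mapped at 00BC0000?", which is exactly what the next step (a process/module listing, or the requested zipped AVZ log with its module table) has to answer; the trusted-driver SSDT entries are noise for that question.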

  2. #2
    Administrator (olejah)
    Registered: 08.03.2010
    Location: Russia, Krasnodar
    Posts: 11,760
    We need attached logfile in zip archive.
