x42x4b

unhooking ntdll.dll and kernel32.dll

6 posts in this topic

#1 ·  Posted (edited)

Hello,

I've spent 10h on the "search form" and I didn't find a solution.

This is anti-rootkit thing, yeah, yeah... why create new one when we have IceSword :-)...

I'm making a removal tool for malware (free for all, that's why I am AutoIt-ing it :-) ). This damn malware hooked my ntdll.dll (OpenProcess, FindFile..., Reg...). I can't lock the PID and handles for the malware process. I think there are two ways to unhook it...

1) http://www.stanford.edu/~stinson/misc/curr...ating_hooks.txt

- "repair" hooked func

- take down mal-process

- repair regs, del files

2) http://***.org/

- "break" hooked func (change protected filenames, regkeys, procnames)

- take down mal-process

- repair regs, del files

I know there are people on this forum who are able to help. I know about the anti-public policy on such functions in AutoIt. Well, what can I say... If someone needs gov-approval = PM :-).

Once more, please help me.

Regards.

Edit: Removed URL for hooks library :-)

Edited by x42x4b

1. RTFM | /dev/LOL2. RTFS | /dev/OMG3. FGI | /dev/WTF4. /dev/BBQ :)


#2 ·  Posted (edited)

Well, I tricked the rootkit process...

I'm deleting its file before it starts.

Thx for help :-).

Edited by x42x4b


I'm sorry, I'm having a blonde moment. I read your two posts twice and still can't make any sense out of what you started out to achieve, what you wanted, and whether you finally got it.

:):nuke::P


I'm sorry, I'm having a blonde moment. I read your two posts twice and still can't make any sense out of what you started out to achieve, what you wanted, and whether you finally got it.

:):nuke::P

:D

Malware replaces (places a hook on) functions in ntdll.dll which are used for getting a process ID. For example:

the malware process name is klopok.exe :-); when any process asks ntdll.dll for the PID of klopok.exe, it receives nothing :-).

I'd like to replace the hooked function with the correct one, which shows me the PID of klopok.exe. Just a simple and maybe stupid example, but I think you should get the point (if you know what hooking functions in Windows is).


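As an added, defender-side example in Python (not code from this thread or from anyone posting in it): the first check a removal tool would run against the situation described above, comparing the entry bytes of ntdll.dll exports in the live process with a second, on-disk mapping of the same DLL and classifying whatever trampoline was written over them. The export names, the SAMPLE bytes and the ctypes collector are my own assumptions; only the pure comparison part runs off Windows.

```python
import struct

PROLOGUE_LEN = 16  # bytes inspected at each export's entry point
# Constructed sample, not real ntdll bytes: name -> (address, live bytes, on-disk bytes).
SAMPLE = {
    "NtOpenProcess": (0x7FF800011000, b"\xE9\xFB\x0F\x00\x00" + b"\x90" * 11,  # JMP rel32 at entry
                      b"\x4C\x8B\xD1\xB8\x26\x00\x00\x00" + b"\x00" * 8),
    "NtClose": (0x7FF800012000, b"\x4C\x8B\xD1\xB8\x0F\x00\x00\x00" + b"\x00" * 8,  # untouched
                b"\x4C\x8B\xD1\xB8\x0F\x00\x00\x00" + b"\x00" * 8),
}

def classify(name, addr, live, clean):
    """Return (name, kind, target); kind: clean, jmp-rel32, jmp-abs, push-ret or modified."""
    if live == clean:
        return (name, "clean", None)
    if live[0] == 0xE9:                      # JMP rel32: target = next_ip + rel32
        rel = struct.unpack_from("<i", live, 1)[0]
        return (name, "jmp-rel32", (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF)
    if live[:2] == b"\xFF\x25":              # JMP [mem]: absolute on x86, RIP-relative on x64
        return (name, "jmp-abs", None)
    if live[0] == 0x68 and live[5] == 0xC3:  # PUSH imm32 ; RET (x86 trampoline)
        return (name, "push-ret", struct.unpack_from("<I", live, 1)[0])
    return (name, "modified", None)          # patched, but not a known trampoline shape

def scan(snapshot):
    """snapshot: {name: (addr, live, clean)} -> every export whose prologue was changed."""
    hits = [classify(n, a, l, c) for n, (a, l, c) in sorted(snapshot.items())]
    return [h for h in hits if h[1] != "clean"]

def windows_snapshot(names, module="ntdll.dll"):
    """Windows-only collector (assumed Win32 usage via ctypes). A second mapping of the DLL as an
    image resource gives on-disk bytes in image layout; x86 relocations can read as 'modified'."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32")
    k32.GetModuleHandleW.restype = k32.LoadLibraryExW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.LoadLibraryExW.argtypes = [ctypes.c_wchar_p, ctypes.c_void_p, ctypes.c_uint32]
    k32.GetProcAddress.restype, k32.GetProcAddress.argtypes = ctypes.c_void_p, [ctypes.c_void_p, ctypes.c_char_p]
    live_base = k32.GetModuleHandleW(module)
    ref = k32.LoadLibraryExW(module, None, 0x20)  # LOAD_LIBRARY_AS_IMAGE_RESOURCE
    if not live_base or not ref:
        raise ctypes.WinError()
    clean_base = ref & ~3                    # low handle bits flag the mapping kind
    out = {}
    for n in names:
        addr = k32.GetProcAddress(live_base, n.encode())
        if addr:                             # the export sits at the same RVA in both mappings
            out[n] = (addr, ctypes.string_at(addr, PROLOGUE_LEN),
                      ctypes.string_at(clean_base + addr - live_base, PROLOGUE_LEN))
    return out
```

Run `scan(windows_snapshot([...]))` from the removal tool's own process; if kernel32's GetProcAddress is hooked as well (the thread title mentions kernel32.dll), resolve the export RVAs by walking the export table of the clean mapping instead of trusting the live one.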

1) http://www.stanford.edu/~stinson/misc/curr...ating_hooks.txt

- "repair" hooked func

- take down mal-process

- repair regs, del files

2) http://***.org/

- "break" hooked func (change protected filenames, regkeys, procnames)

- take down mal-process

- repair regs, del files

If you want to unlock the DLL file, maybe you could try this:

- Unlocker

- Direct download

It can unlock the process which hooked the file; then you can delete the mal-process.

Sorry for my English, I'm Taiwanese.

And if I misunderstand your problem please forgive me. :)


If you want to unlock the DLL file, maybe you could try this:

- Unlocker

- Direct download

It can unlock the process which hooked the file; then you can delete the mal-process.

Sorry for my English, I'm Taiwanese.

And if I misunderstand your problem please forgive me. ;)

Thanks for the answer, but I'm not looking for a tool for unlocking DLLs or apps. When the process is a rootkit (in ring 3) you need to unhook the APIs...

This topic is still active... :-).

Regards...


