Adlice forum
Software feedback => RogueKiller => Topic started by: LearnerDriver on October 06, 2015, 12:21:21 AM
-
I've just started to dip my toe into the water. After running RogueKiller the log file lists results under Antirootkit like the following:
[IAT:Inl(Hook.IEAT)] (firefox.exe @ KERNEL32.dll) ntdll.dll - NtMapViewOfSection : Unknown @ 0x719f0022 (jmp 0xfa470392|jmp dword [0x719f001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (firefox.exe @ rooksbas.dll) USER32.dll - PeekMessageW : Unknown @ 0x719b0022 (ret|jmp dword [0x719b001e]|jmp 0x10)
I'm trying to figure out what this means. Taking the first entry, does it mean something along the lines of the call to NtMapViewOfSection (which is in Kernel32.dll) is being redirected to 0x719f0022 in Unknown? And why is ntdll.dll also listed?
Sorry for looking dumb, but I'm a newbie just starting out on this adventure....
Thanks
-
Hi LearnerDriver,
Welcome to Adlice.com Forum.
Those hooks are legit.
It's difficult to explain easily since it involves advanced knowledge of the Windows OS, but I will do my best to explain it.
The first line shows that the function NtMapViewOfSection (defined in the ntdll.dll library) is present in the Import Address Table (IAT) of the KERNEL32.dll library loaded by the process firefox.exe and hooked by the call stack 0xfa470392|jmp dword [0x719f001e]|jmp 0x10 and redirected to the address 0x719f0022, which matches no known module (shellcode).
For more information, I suggest the following reading: Userland rootkits: Part 1, IAT hooks (http://www.adlice.com/userland-rootkits-part-1-iat-hooks/).
Regards.
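The log line layout Curson walks through above, split into its fields so a reader can triage a whole Antirootkit section, as an added example that is not part of this thread or of RogueKiller's own code. The field layout (process @ module holding the IAT, exporting DLL - function : resolved module @ address (instruction chain)) is my reading of the two quoted lines and is an assumption; only the two lines LearnerDriver posted are used as sample input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout assumed from the two Antirootkit lines quoted in the thread:
# [kind] (process @ module whose IAT holds the entry) exporting_dll - Function : resolved_module @ address (chain)
_LINE = re.compile(
    r"^\[(?P<kind>[^\]]+)\]\s+\((?P<process>\S+)\s+@\s+(?P<iat_module>[^)]+)\)\s+"
    r"(?P<export_module>\S+)\s+-\s+(?P<function>\S+)\s+:\s+(?P<resolved_module>\S+)\s+@\s+"
    r"(?P<address>0x[0-9a-fA-F]+)\s+\((?P<chain>[^)]*)\)\s*$"
)

@dataclass
class IatHook:
    kind: str
    process: str
    iat_module: str       # module whose import table carries the hooked pointer
    export_module: str    # DLL that legitimately exports the function
    function: str
    resolved_module: str  # module the target address resolved to; "Unknown" = none
    address: int
    chain: List[str]      # disassembled instructions at the target, in order

    @property
    def outside_known_module(self) -> bool:
        # "Unknown": the pointer lands in memory backed by no loaded module
        return self.resolved_module == "Unknown"

def parse_hook_line(line: str) -> Optional[IatHook]:
    """Parse one Antirootkit IAT line; return None for lines that do not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return IatHook(
        kind=m["kind"], process=m["process"], iat_module=m["iat_module"],
        export_module=m["export_module"], function=m["function"],
        resolved_module=m["resolved_module"], address=int(m["address"], 16),
        chain=[ins.strip() for ins in m["chain"].split("|")],
    )

# Constructed sample: the two lines LearnerDriver quoted plus an unrelated line.
SAMPLE_LOG = """\
[IAT:Inl(Hook.IEAT)] (firefox.exe @ KERNEL32.dll) ntdll.dll - NtMapViewOfSection : Unknown @ 0x719f0022 (jmp 0xfa470392|jmp dword [0x719f001e]|jmp 0x10)
[IAT:Inl(Hook.IEAT)] (firefox.exe @ rooksbas.dll) USER32.dll - PeekMessageW : Unknown @ 0x719b0022 (ret|jmp dword [0x719b001e]|jmp 0x10)
Some unrelated log line that the parser must skip
"""

def hooks_outside_modules(log: str) -> List[IatHook]:
    parsed = (parse_hook_line(l) for l in log.splitlines())
    return [h for h in parsed if h is not None and h.outside_known_module]
```

Entries whose resolved module is "Unknown" are the ones to compare against the legitimate hooks a known product installs; entries resolved to a named, signed module can usually be attributed at a glance.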
-
Curson, Thank you very much!
LearnerDriver
-
Hi LearnerDriver,
You are very welcome. :)
Regards.