Adlice forum

Software feedback => RogueKiller => Topic started by: Luc on November 21, 2015, 03:59:44 PM

Title: IAT hook detection or is it a false positive?
Post by: Luc on November 21, 2015, 03:59:44 PM
Hello,

The scan with RogueKiller shows me a rootkit problem:

[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\Drivers\SEP\0C011010\103C.105\x64\SYMEFA64.SYS)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : C:\WINDOWS\System32\sysfer.dll @ 0x74a79e19 (jmp 0xfffffffffda6c1a9)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtMapViewOfSection : C:\WINDOWS\System32\sysfer.dll @ 0x74a79c39 (jmp 0xfffffffffda6c009)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtDeleteValueKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79bfd (jmp 0xfffffffffda6b6bd)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79b49 (jmp 0xfffffffffda6bfc9)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSetValueKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79ddd (jmp 0xfffffffffda6be2d)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79cb1 (jmp 0xfffffffffda6c1e1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSetInformationFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79da1 (jmp 0xfffffffffda6c181)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79b0d (jmp 0xfffffffffda6bc0d)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79c75 (jmp 0xfffffffffda6bf95)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateUserProcess : C:\WINDOWS\System32\sysfer.dll @ 0x74a79b85 (jmp 0xfffffffffda6b705)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtDeleteKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79d29 (jmp 0xfffffffffda6b819)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenKeyEx : C:\WINDOWS\System32\sysfer.dll @ 0x74a79ced (jmp 0xfffffffffda6b3ed)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : C:\WINDOWS\System32\sysfer.dll @ 0x74a79e55 (jmp 0xfffffffffda6bf75)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ advapi32.dll) ntdll!NtRenameKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79d65 (jmp 0xfffffffffda6afd5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ apphelp.dll) ntdll!NtDeleteFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79bc1 (jmp 0xfffffffffda6b6c1)

Is it a rootkit or a false positive?

In the report (joined) there are also suspicious paths, but I think they may be false positives with Trusteer ...

Thank you for any help you can give.

Luc
Title: Re: IAT hook detection or is it a false positive?
Post by: Curson on November 21, 2015, 06:59:56 PM
Hi Luc,

Welcome to Adlice.com Forum.
These hooks are legit and related to Symantec CMC Firewall.

Quote from: Luc
In the report (joined) there are also suspicious paths, but I think they may be false positives with Trusteer ...
These are indeed false positives. This will be fixed in RogueKiller next release.

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.
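Added example (not RogueKiller's or Adlice's code): a small triage helper that parses hook lines in the shape shown in Luc's report, groups them by the module that owns the hook code, and labels each group the way Curson did, by checking the hooking module against an allowlist of known security products. The line format is inferred from the report above, the allowlist entry for sysfer.dll follows Curson's reply (Symantec CMC Firewall), and the extra `unknownhook.dll` line is constructed purely to show how an unrecognised hooker gets flagged for review.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the shape of the RogueKiller report in this thread.
# The first line is a kernel filter entry (not an IAT hook) and is kept to show
# that unrelated lines are reported rather than silently dropped; the last line
# is an invented hook from an unrecognised module, added for illustration only.
SAMPLE_REPORT = r"""
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\Drivers\SEP\0C011010\103C.105\x64\SYMEFA64.SYS)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : C:\WINDOWS\System32\sysfer.dll @ 0x74a79e19 (jmp 0xfffffffffda6c1a9)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79b0d (jmp 0xfffffffffda6bc0d)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ advapi32.dll) ntdll!NtRenameKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79d65 (jmp 0xfffffffffda6afd5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenKey : C:\Users\Public\unknownhook.dll @ 0x10001000 (jmp 0x00000000000004c0)
"""

# Shape of one IAT/inline hook line, inferred from the report:
# [kind] (process @ importer) module!function : hooker @ address (jmp target)
HOOK_LINE = re.compile(
    r"^\[(?P<kind>[^\]]+)\] "
    r"\((?P<process>\S+) @ (?P<importer>[^)]+)\) "
    r"(?P<module>[^!\s]+)!(?P<function>\S+) : "
    r"(?P<hooker>.+?) @ (?P<address>0x[0-9a-fA-F]+) "
    r"\(jmp (?P<target>0x[0-9a-fA-F]+)\)$"
)

@dataclass(frozen=True)
class HookEntry:
    kind: str       # detection class, e.g. IAT:Inl(Hook.IEAT)
    process: str    # process whose import table is hooked
    importer: str   # module whose import entry points at the hook
    module: str     # module exporting the hooked function (ntdll)
    function: str   # hooked export, e.g. NtOpenKey
    hooker: str     # file that owns the hook code
    address: int
    target: int

def parse_hook_lines(text):
    """Return (parsed hook entries, lines that are not IAT hook lines)."""
    entries, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOOK_LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        g = m.groupdict()
        entries.append(HookEntry(
            g["kind"], g["process"], g["importer"], g["module"], g["function"],
            g["hooker"], int(g["address"], 16), int(g["target"], 16),
        ))
    return entries, unparsed

# Constructed allowlist keyed by hooking-module basename. sysfer.dll is listed
# because the forum reply attributes these hooks to Symantec CMC Firewall.
KNOWN_SECURITY_HOOKERS = {"sysfer.dll": "Symantec CMC Firewall"}

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

def triage_hooks(entries, known=KNOWN_SECURITY_HOOKERS):
    """Group hooks by owning module and attach a verdict per module."""
    by_hooker = defaultdict(list)
    for e in entries:
        by_hooker[e.hooker].append(e)
    report = {}
    for hooker, hooks in by_hooker.items():
        name = PureWindowsPath(hooker).name.lower()
        in_system_dir = hooker.lower().startswith(SYSTEM_DIRS)
        if name in known:
            verdict = "known security product: " + known[name]
        elif in_system_dir:
            verdict = "review: unrecognised module in a system directory"
        else:
            verdict = "review: unrecognised module outside system directories"
        report[hooker] = {
            "verdict": verdict,
            "processes": sorted({e.process for e in hooks}),
            "functions": sorted(f"{e.module}!{e.function}" for e in hooks),
            "count": len(hooks),
        }
    return report

if __name__ == "__main__":
    entries, unparsed = parse_hook_lines(SAMPLE_REPORT)
    for hooker, info in triage_hooks(entries).items():
        print(f"{hooker}: {info['count']} hook(s) -> {info['verdict']}")
        print("   ", ", ".join(info["functions"]))
    for line in unparsed:
        print("not an IAT hook line:", line[:60], "...")
```

The allowlist is the part a practitioner maintains: a module name alone is weak evidence, so in practice the verdict should also be backed by the file's digital signature and its location, which is why the code treats an unrecognised hooker outside the system directories as the highest-priority item to look at.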