Adlice forum

Software feedback => RogueKiller => Topic started by: Temium on November 28, 2015, 02:11:44 PM

Title: Hook IEAT need help
Post by: Temium on November 28, 2015, 02:11:44 PM
Hi, just installed RK and got a report which I don't know how to read... especially this:

¤¤¤ Antirootkit : 1 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!LdrLoadDll : Unknown @ 0x7ff90cab0430 (jmp 0xffffffffff895540|call rbx|jmp 0x102)

Is it a false positive? Can someone help.
Full report attached.
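For readers trying to make sense of the Antirootkit section before sending a dump off for analysis, here is an added example (not code from RogueKiller or Adlice) that parses a hook line of the shape quoted above into its fields and counts, per process, how many hooks point at an "Unknown" owner, i.e. a destination RogueKiller could not map to a loaded module. The field layout is an assumption inferred from the single line on this page, not from Adlice documentation, and the sample report excerpt is constructed from that line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the Antirootkit excerpt quoted in the first post.
SAMPLE_REPORT = """\
¤¤¤ Antirootkit : 1 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!LdrLoadDll : Unknown @ 0x7ff90cab0430 (jmp 0xffffffffff895540|call rbx|jmp 0x102)
"""
SAMPLE_LINE = SAMPLE_REPORT.splitlines()[1]

# Assumed layout (inferred from the one line on the page):
#   [<category>] (<process> @ <hooked module>) <target module>!<function> : <owner> @ <address> (<disasm>)
HOOK_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+"
    r"\((?P<process>[^\s@]+)\s+@\s+(?P<hooked_module>[^\s)]+)\)\s+"
    r"(?P<target>[^\s:]+)\s+:\s+"
    r"(?P<owner>\S+)\s+@\s+(?P<address>0x[0-9a-fA-F]+)"
    r"(?:\s+\((?P<disasm>[^)]*)\))?\s*$"
)
# Section header carrying the number of findings RogueKiller itself declares.
COUNT_RE = re.compile(r"Antirootkit\s*:\s*(\d+)")


@dataclass
class HookEntry:
    category: str        # e.g. "IAT:Inl(Hook.IEAT)"
    process: str         # process whose import table is hooked
    hooked_module: str   # module owning the patched import entry
    target_module: str   # module the import originally pointed into
    function: str        # imported function name
    owner: str           # module the hook now lands in, or "Unknown"
    address: int         # hook destination address
    disasm: List[str] = field(default_factory=list)  # instructions at the destination

    @property
    def owner_unknown(self) -> bool:
        # "Unknown" is the case that needs a dump: no loaded module claims the address.
        return self.owner.lower() == "unknown"

    @property
    def is_inline(self) -> bool:
        return "Inl(" in self.category


def parse_hook_line(line: str) -> Optional[HookEntry]:
    """Parse one hook line; return None for lines that are not hook entries."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    target_module, _, function = m.group("target").partition("!")
    disasm = [ins.strip() for ins in (m.group("disasm") or "").split("|") if ins.strip()]
    return HookEntry(
        category=m.group("category"),
        process=m.group("process"),
        hooked_module=m.group("hooked_module"),
        target_module=target_module,
        function=function,
        owner=m.group("owner"),
        address=int(m.group("address"), 16),
        disasm=disasm,
    )


def declared_hook_count(report: str) -> Optional[int]:
    """Number of findings stated in the 'Antirootkit : N' header, if present."""
    m = COUNT_RE.search(report)
    return int(m.group(1)) if m else None


def summarize(report: str) -> Dict[str, Dict[str, int]]:
    """Per-process totals: all hooks, and those whose owner could not be resolved."""
    counts: Dict[str, Dict[str, int]] = {}
    for line in report.splitlines():
        entry = parse_hook_line(line)
        if entry is None:
            continue
        stats = counts.setdefault(entry.process, {"total": 0, "unknown_owner": 0})
        stats["total"] += 1
        if entry.owner_unknown:
            stats["unknown_owner"] += 1
    return counts


if __name__ == "__main__":
    for proc, stats in summarize(SAMPLE_REPORT).items():
        print(f"{proc}: {stats['unknown_owner']} of {stats['total']} hooks have an unresolved owner")
    print("declared:", declared_hook_count(SAMPLE_REPORT), "parsed:", sum(s["total"] for s in summarize(SAMPLE_REPORT).values()))
```

Comparing the declared count with the number of parsed lines is a cheap sanity check that the excerpt you are reading is complete; a process with unresolved owners is the one whose dump an analyst will ask for, which is exactly what happens later in this thread.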
Title: Re: Hook IEAT need help
Post by: Curson on November 29, 2015, 11:06:49 PM
Hi Temium,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller JSON report in your next reply?

Regards.
Title: Re: Hook IEAT need help
Post by: Temium on November 30, 2015, 03:55:24 PM
Hi Curson,

Thanks for your reply.

I had to run RK again (and to redownload it) to get the report in .JSON format.

And a lot of new IEAT HOOKs came up!

see attached file...  :-\
Title: Re: Hook IEAT need help
Post by: Curson on November 30, 2015, 04:22:33 PM
Hi Temium,

We are going to perform an extended analysis on the hooks.
Please follow the following process:
Regards.
Title: Re: Hook IEAT need help
Post by: Temium on December 02, 2015, 06:47:04 PM
Hi Curson,

I uploaded the dump file (zipped)
and put the link to your message as a comment on my upload, that is:

http://forum.adlice.com/index.php?topic=609.msg3424#msg3424

I hope everything went all right... I'm not very familiar with forum uses.
Title: Re: Hook IEAT need help
Post by: Curson on December 03, 2015, 03:19:54 PM
Hi Temium,

I haven't received anything.
Could you please host the dump on DropBox/Onedrive and share the link here?

Regards.
Title: Re: Hook IEAT need help
Post by: Temium on December 03, 2015, 05:18:35 PM
Hi Curson,

Here's a link to my Dropbox:

https://www.dropbox.com/sh/e0wrzybrywjqa1z/AADSSDNwnHRX74t4fKws-qUMa?dl=0

You can upload either the .dum or the .zip file.

Title: Re: Hook IEAT need help
Post by: Curson on December 04, 2015, 02:10:32 PM
Hi Temium,

The dump you provided will be analysed as soon as possible.
Thanks for your patience.

Regards.
Title: Re: Hook IEAT need help
Post by: Temium on December 04, 2015, 03:07:28 PM
Thanks for your message, Curson.
Title: Re: Hook IEAT need help
Post by: Curson on December 04, 2015, 03:24:45 PM
Hi Temium,

You are welcome.

Regards.
Title: Re: Hook IEAT need help
Post by: Temium on December 22, 2015, 02:11:54 PM
Hi Curson,

I haven't heard from you for a while now...
Could it be that you have forgotten to send me my analysis?
Or is it the Christmas rush?

Season's greetings,
Temium
Title: Re: Hook IEAT need help
Post by: Curson on December 22, 2015, 09:08:10 PM
Hi Temium,

I'm really sorry but we have not yet had time to process your dump.

Regards.
Title: Re: Hook IEAT need help
Post by: Curson on December 28, 2015, 12:15:31 PM
Hi Temium,

The hooks are legit.
We will whitelist them as soon as possible.

Regards.
Title: Re: Hook IEAT need help
Post by: Temium on January 27, 2016, 12:46:55 AM
Thanks a lot.
And pardon me for not thanking you before... I think I missed the notification of your post.
Title: Re: Hook IEAT need help
Post by: Curson on January 27, 2016, 02:13:43 PM
Hi Temium,

You are very welcome.

Regards.