Adlice forum

Software feedback => RogueKiller => Topic started by: Tigzy on October 01, 2015, 01:38:03 pm

Title: RogueKiller 11 beta
Post by: Tigzy on October 01, 2015, 01:38:03 pm
Hello,

RogueKiller 11 is right behind the door :)
We need you to test it before it replaces the official version (currently 10.X.X).

It's quite critical because the only major change is about the Kernel Driver. We have re-coded the whole driver from scratch, following best practices to ensure it's compatible with all operating systems (from Windows XP to Windows 10, 32 and 64 bits) and with all environments.

Why is it critical? Because a bug in the Kernel Driver means a Blue Screen Of Death, which is not particularly a good thing. Yeah, that's annoying.
So we need as many tests as possible to ensure no bug is left before it's moved to production.

You will find the binaries here:

What's new?

No big change in the flow, nor in the UI.
The most important changes occur during the Antirootkit scan => SSDT, Shadow SSDT, IRPs, Filters. The IAT scan isn't affected.

I have a BSOD, what do I do?

Thanks for your help  8)
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 01, 2015, 09:31:09 pm
Hi Boss. It doesn't matter if my PC crashes. Nothing compared to more than ten BSODs after installing Win 10 Pro: that's why it's free! My best regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: firefoxthebomb on October 05, 2015, 08:43:17 pm
Thanks for the opportunity to test this beta out.

I have run it on a Windows 10 64-bit VM with not much installed on it. Anyhow, it did cause an issue where the computer rebooted. I have attached the minidump file for your review.
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 05, 2015, 09:40:26 pm
Thanks! :)
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 06, 2015, 11:30:24 am
Hey, I loaded the minidump but it doesn't contain much information.
Do you have an idea where it BSoDed during the scan?
Title: Re: RogueKiller 11 beta
Post by: Roger on October 06, 2015, 01:39:35 pm
Hi

Thanks for letting us test RogueKiller 11 beta, but unfortunately my HP laptop with Windows 10 installed crashed with it.

Attached is the minidump as requested. Renamed from dmp to txt.
Title: Re: RogueKiller 11 beta
Post by: Curson on October 06, 2015, 04:10:14 pm
Hi Roger,

Thanks for the feedback. :)

Regards.
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 06, 2015, 04:14:45 pm
Thanks all,
Minidumps were all on the same bug: reading kernel memory in a bad way.

A beta 3 will come soon, I'll keep you informed.
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 07, 2015, 09:17:19 am
Hello,
beta 3 is online (same link, replaces old version)

firefoxthebomb and Roger Schwarz, may I ask you to tell me if it crashes again?
Thanks a lot!
Title: Re: RogueKiller 11 beta
Post by: Roger on October 08, 2015, 02:15:35 am
Hi

This time, with the new version 3, it worked without a crash, great! I have uploaded the results to your upload directory for review.

Thank you again.
Roger
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 08, 2015, 07:37:59 am
Thanks :)
Received your email. IAT hooks are another problem (the code is common with version 10) and are fixed in a different way.
If you can reproduce the Chrome hooks, it'd be great if you could send a full memory dump of the Chrome process (with Process Explorer / Process Hacker).
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 08, 2015, 12:01:00 pm
Hi. Here is the last log file from running beta 3. Actually, I never had any BSODs since running the RK beta in a Win 10 Pro environment. Regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Curson on October 08, 2015, 01:40:39 pm
Hi greysmouth,

Thanks.
Could you please attach the JSON version of the log in your next reply ?

Regards.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 08, 2015, 05:47:58 pm
I'm not allowed. greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Curson on October 08, 2015, 06:33:40 pm
Hi greysmouth,

Could you try to rename the .json file to .txt?

EDIT: You should now be able to upload .json files as well.

Regards.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 08, 2015, 07:23:23 pm
Hello!
Here we go!
greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Curson on October 08, 2015, 07:35:20 pm
Hi greysmouth,

Many thanks. :)

Regards.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 09, 2015, 08:38:38 pm
Hello! More reports from running beta 3 on Win 10 Pro; enjoy! Best regards, greysmouth BO IT
Title: Re: RogueKiller 11 beta
Post by: Curson on October 10, 2015, 01:42:58 am
Hi greysmouth,

Thanks. :)

Regards.
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 13, 2015, 05:29:51 pm
RogueKiller 11 beta 4 is out!
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 14, 2015, 08:33:02 am
Hi. Attached are beta 3's last two reports under the fresh new Win 10 Build 10565. Enjoy! Best regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 14, 2015, 09:09:06 am
Hi. Attached is the first beta 4 report under Win 10 Pro Build 10565. Regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 14, 2015, 01:24:49 pm
RogueKiller 11 beta 5 is uploading, it will be online in a couple of minutes :)
The filesystem scan will be much, much faster!

greysmouth, could you uncheck "Display legit hooks"? It makes our life easier when reading reports :)
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 14, 2015, 05:58:48 pm
Sure I will. Regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 14, 2015, 06:33:00 pm
Hi. Done! Here are new reports from running beta 5 on Win 10 Pro Build 10565. Regards, greysmouth BO IT
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 15, 2015, 06:02:42 pm
Perfect :)
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 21, 2015, 12:49:02 am
Hi. One more beta 5 report. Regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 21, 2015, 01:47:01 pm
Beta 7 is online!
Soon we will publish a blog post regarding incoming changes.
Title: Re: RogueKiller 11 beta
Post by: Tigzy on October 23, 2015, 10:24:46 am
Beta 8 is online!
Title: Re: RogueKiller 11 beta
Post by: ssybesma on October 26, 2015, 01:26:47 am
I'm trying RogueKiller 11.0.0.0 beta 8 on a Windows 7 64-bit Professional, Dell Latitude E6400 laptop w/ 500GB SSD & 8GB RAM.
I'm using Comodo antivirus.

At first I got an error about an unsigned driver (specifically TrueSight.sys).

I used an app called Driver Signature Enforcement Overrider to force that file to sign... Upon rebooting, it puts Windows into Test Mode.

Now when starting RK I get "Antirootkit driver failed to load with error [3221226536]. Please contact us for more information."

So, here I am.

Thanks,

Steve Sybesma
Title: Re: RogueKiller 11 beta
Post by: Curson on October 26, 2015, 02:23:35 pm
Hi Steve,

Welcome to Adlice.com Forum.

The RogueKiller driver, TrueSight.sys, is digitally signed.
When using Driver Signature Enforcement Overrider, you corrupt the signature and thus make it impossible to load.

Regards.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on October 26, 2015, 06:05:36 pm
Hello. Attached is the last RK beta 8 report. Enjoy! Regards, greysmouth BO IT
Title: Re: RogueKiller 11 beta
Post by: firefoxthebomb on October 27, 2015, 10:32:19 pm
Sorry Tigzy, I got busy and was only now able to test it.

I downloaded and ran version 11 beta 8 with no issues this time around.
Title: Re: RogueKiller 11 beta
Post by: Curson on November 29, 2015, 11:08:11 pm
Hi firefoxthebomb,

Thanks for your review. :)
RogueKiller version 11 will hopefully be released tomorrow as stable.

Regards.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on December 02, 2015, 03:43:00 pm
Hello guys! Please have a look at my attached report. It seems RK has found something weird. Thanks and regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Curson on December 03, 2015, 03:21:16 pm
Hi greysmouth,

RogueKiller 11 is now released as stable.
Could you please download the latest version, redo a scan and post the report in your next reply?

Regards.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on December 03, 2015, 03:44:12 pm
Yes, Sir!
Excuse me, where is the download for the RK Premium stable version? Thanks and regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Curson on December 04, 2015, 01:52:31 pm
Hi greysmouth,

You just have to download and install the full version (http://download.adlice.com/RogueKiller/setup.exe) and register it with your licence key. :)

Regards.
Title: Re: RogueKiller 11 beta
Post by: ronster1269 on December 04, 2015, 04:32:28 pm
Did anyone else get this, and is it a true positive or a false positive?
RogueKiller V11.0.0.0 beta 9 (x64) [Nov 18 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Michael [Administrator]
Started from : C:\Users\Michael\Desktop\RogueKillerX64_beta.exe
Mode : Scan -- Date : 12/03/2015 16:00:01

Processes : 0

Registry : 0

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 30 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (explorer.exe) ntdll!NtSetSystemInformation : Unknown @ 0x76ef01e0 (jmp 0x161140|jmp 0xfffffffffffffe19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtWriteVirtualMemory : Unknown @ 0x76ef03a0 (jmp 0x162650|jmp 0xfffffffffffffc59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtDuplicateObject : Unknown @ 0x76ef0380 (jmp 0x162610|jmp 0xfffffffffffffc79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateEvent : Unknown @ 0x76ef02c0 (jmp 0x162490|jmp 0xfffffffffffffd39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtNotifyChangeKey : Unknown @ 0x76ef0480 (jmp 0x161bf0|jmp 0xfffffffffffffb79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : Unknown @ 0x76ef03d0 (jmp 0x162760|jmp 0xfffffffffffffc29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenEvent : Unknown @ 0x76ef02d0 (jmp 0x162520|jmp 0xfffffffffffffd29|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtAssignProcessToJobObject : Unknown @ 0x76ef0390 (jmp 0x162160|jmp 0xfffffffffffffc69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSetContextThread : Unknown @ 0x76ef03f0 (jmp 0x161510|jmp 0xfffffffffffffc09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateSection : Unknown @ 0x76ef0300 (jmp 0x1624b0|jmp 0xfffffffffffffcf9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenProcess : Unknown @ 0x76ef0360 (jmp 0x162750|jmp 0xfffffffffffffc99|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtNotifyChangeMultipleKeys : Unknown @ 0x76ef0490 (jmp 0x161bf0|jmp 0xfffffffffffffb69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtQueryObject : Unknown @ 0x76ef0440 (jmp 0x162990|jmp 0xfffffffffffffbb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateIoCompletion : Unknown @ 0x76ef0340 (jmp 0x162020|jmp 0xfffffffffffffcb9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSection : Unknown @ 0x76ef0310 (jmp 0x1625f0|jmp 0xfffffffffffffce9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateSemaphore : Unknown @ 0x76ef02a0 (jmp 0x161e90|jmp 0xfffffffffffffd59|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenSemaphore : Unknown @ 0x76ef02b0 (jmp 0x161920|jmp 0xfffffffffffffd49|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateMutant : Unknown @ 0x76ef0280 (jmp 0x161f00|jmp 0xfffffffffffffd79|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenMutant : Unknown @ 0x76ef0290 (jmp 0x161950|jmp 0xfffffffffffffd69|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateTimer : Unknown @ 0x76ef0320 (jmp 0x161ee0|jmp 0xfffffffffffffcd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenTimer : Unknown @ 0x76ef0330 (jmp 0x161960|jmp 0xfffffffffffffcc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtCreateThreadEx : Unknown @ 0x76ef03c0 (jmp 0x161f90|jmp 0xfffffffffffffc39|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : Unknown @ 0x76ef03e0 (jmp 0x162500|jmp 0xfffffffffffffc19|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtOpenThread : Unknown @ 0x76ef0370 (jmp 0x1619b0|jmp 0xfffffffffffffc89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtSuspendThread : Unknown @ 0x76ef0420 (jmp 0x161290|jmp 0xfffffffffffffbd9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtAlpcSendWaitReceivePort : Unknown @ 0x76ef0470 (jmp 0x162270|jmp 0xfffffffffffffb89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ rpcrt4.dll) ntdll!NtQueueApcThreadEx : Unknown @ 0x76ef0430 (jmp 0x161770|jmp 0xfffffffffffffbc9|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ gdi32.dll) ntdll!NtVdmControl : Unknown @ 0x76ef0270 (jmp 0x160ff0|jmp 0xfffffffffffffd89|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ntmarta.dll) ntdll!NtOpenEventPair : Unknown @ 0x76ef02f0 (jmp 0x161a20|jmp 0xfffffffffffffd09|jmp 0x19b)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ ws2_32.dll) ntdll!NtLoadDriver : Unknown @ 0x76ef01d0 (jmp 0x161a30|jmp 0xfffffffffffffe29|jmp 0x19b)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 78f4806284ed6e73f3a83b663c08c754
[BSP] 3b232571214c544ddb843532265a46f2 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 465631 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 953819136 | Size: 11207 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1:  +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
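The "MBR Check" block in the report above is an integrity check on the first sector of each disk: a hash of the whole sector ([MBR]), a hash of the bootstrap code compared against a whitelist of known vendor/OS boot code ([BSP], labelled "HP MBR Code" here), and a decode of the four partition table entries. The following is an added example in Python of that check, not RogueKiller's code: the sample sector is constructed to carry the three-partition layout from the log (2048 / 206848 / 953819136 sectors), the whitelist is empty so the boot code is reported as unknown, and the assumption that [BSP] covers the classic 440-byte bootstrap area is mine; the thread does not say which byte range RogueKiller hashes.

```python
"""MBR integrity check in the shape of the 'MBR Check' section above: hash the
sector and its bootstrap code, then list the partition table. Added example,
not RogueKiller code; the sample sector and the hash whitelist are constructed."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440        # assumption: [BSP] covers the classic 440-byte bootstrap area
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xAA"
TYPES = {0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
         0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int

    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    def describe(self) -> str:
        flag = "ACTIVE" if self.active else "XXXXXX"
        return (f"{self.index} - [{flag}] {TYPES.get(self.type_id, 'Unknown')} "
                f"(0x{self.type_id:x}) Offset (sectors): {self.lba_start} | Size: {self.size_mb()} MB")


@dataclass
class MbrReport:
    mbr_md5: str
    boot_code_md5: str
    boot_code_label: str
    partitions: List[Partition]
    warnings: List[str]


def parse_mbr(sector: bytes, known_boot_code: Dict[str, str]) -> MbrReport:
    """Parse one 512-byte sector. known_boot_code maps MD5 of the bootstrap area to
    a label (the log's 'HP MBR Code' is such a label); anything else is reported
    as unknown, which is how replaced boot code (a bootkit) shows up."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts: List[Partition] = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                                 # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    warnings: List[str] = []
    if sum(p.active for p in parts) > 1:
        warnings.append("more than one active partition")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):           # hidden or overlapping entries
        if a.lba_start + a.sectors > b.lba_start:
            warnings.append(f"partitions {a.index} and {b.index} overlap")
    boot_md5 = hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()
    return MbrReport(hashlib.md5(sector).hexdigest(), boot_md5,
                     known_boot_code.get(boot_md5, "Unknown MBR Code"), parts, warnings)


def build_sample_mbr() -> bytes:
    """Constructed sector using the three-partition layout from the log above."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\x33\xC0\x8E"                       # constructed stand-in for bootstrap code
    layout = [(0x80, 0x07, 2048, 204800),            # 100 MB system partition
              (0x00, 0x07, 206848, 953612288),       # 465631 MB Windows
              (0x00, 0x07, 953819136, 22951936)]     # 11207 MB recovery
    for i, entry in enumerate(layout):
        struct.pack_into("<B3xB3xII", sec, PART_TABLE_OFF + 16 * i, *entry)
    sec[510:512] = SIGNATURE
    return bytes(sec)


if __name__ == "__main__":
    rep = parse_mbr(build_sample_mbr(), {})           # empty whitelist: boot code reported as unknown
    print(f"[MBR] {rep.mbr_md5}")
    print(f"[BSP] {rep.boot_code_md5} : {rep.boot_code_label}")
    print("Partition table:")
    for p in rep.partitions:
        print(p.describe())
    for w in rep.warnings:
        print("WARNING:", w)
```

On a real disk the sector comes from `\\.\PhysicalDrive0` opened for raw read; the log's "LL1"/"LL2" rows are the same comparison made through lower-level read paths so that a filter driver lying to the user-mode read is caught, and the read errors shown for PhysicalDrive1 are what an absent or card-reader device returns.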

Title: Re: RogueKiller 11 beta
Post by: greysmouth on December 04, 2015, 05:00:22 pm
Hi Curson. Here we go: RK 11 final version and report. Best regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Curson on December 07, 2015, 02:29:26 pm
Hi ronster1269,

These entries are false positives.
This should be fixed in RogueKiller current version.

Regards.
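The [IAT:Inl(Hook.IEAT)] entries Curson marks as false positives above come from an inline-hook pass: read the first bytes of each exported function a module imports, follow any chain of jmp instructions, and name the module that owns the final target. When no loaded module covers that target the owner is printed as "Unknown", which is how a legitimate hooking engine whose trampolines live in memory the scanner cannot attribute ends up in the report. The following is an added example in Python of that logic, not RogueKiller's code, and the thread does not state that RogueKiller implements it exactly this way; the memory image, the ntdll range and the hypothetical constructed_hook.dll module are constructed to reproduce the three-jmp chain the log shows for ntdll!NtSetSystemInformation (+0x161140, -0x1e7, +0x19b from 0x76ef01e0).

```python
"""Inline-hook ("Inl") detection on exported functions, a user-mode sketch of the
check behind the [IAT:Inl(Hook.IEAT)] lines above. Added example, not RogueKiller
code; memory image, addresses and constructed_hook.dll are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MASK64 = (1 << 64) - 1


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class Memory:
    """Sparse process memory made of (base, bytes) regions, standing in for
    ReadProcessMemory. A read outside a mapped region returns None instead of
    faulting, which a scanner needs when a chain leads into unmapped pages."""

    def __init__(self) -> None:
        self._regions: List[Tuple[int, bytes]] = []

    def map(self, base: int, data: bytes) -> None:
        self._regions.append((base, data))

    def read(self, addr: int, n: int) -> Optional[bytes]:
        for base, data in self._regions:
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base:addr - base + n]
        return None


def decode_jmp(mem: Memory, addr: int) -> Optional[Tuple[int, int]]:
    """(displacement, target) if addr starts with an unconditional x86 jmp
    (E9 rel32 or EB rel8); None for any other instruction or unreadable memory."""
    head = mem.read(addr, 5)
    if head is None:
        return None
    if head[0] == 0xE9:
        rel = struct.unpack_from("<i", head, 1)[0]
        return rel, (addr + 5 + rel) & 0xFFFFFFFF
    if head[0] == 0xEB:
        rel = struct.unpack_from("<b", head, 1)[0]
        return rel, (addr + 2 + rel) & 0xFFFFFFFF
    return None


def follow_hook(mem: Memory, export: int, max_hops: int = 3) -> List[Tuple[int, int]]:
    """Follow jmps from an export's first byte; empty list means not inline-hooked.
    Bounded by max_hops and a loop check so a hostile trampoline cannot spin the scanner."""
    hops: List[Tuple[int, int]] = []
    addr, seen = export, {export}
    while len(hops) < max_hops:
        step = decode_jmp(mem, addr)
        if step is None or step[1] in seen:
            break
        hops.append(step)
        addr = step[1]
        seen.add(addr)
    return hops


def attribute(addr: int, modules: List[Module]) -> str:
    """Owner of the final jmp target, or 'Unknown' when no loaded module covers it."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return "Unknown"


def report(process: str, importer: str, symbol: str, export: int,
           mem: Memory, modules: List[Module]) -> Optional[str]:
    """One line in the shape of the log's Antirootkit entries, or None if clean.
    Displacements are printed sign-extended to 64 bits, as the log does."""
    hops = follow_hook(mem, export)
    if not hops:
        return None
    owner = attribute(hops[-1][1], modules)
    chain = "|".join(f"jmp 0x{d & MASK64:x}" for d, _ in hops)
    return f"[IAT:Inl(Hook.IEAT)] ({process} @ {importer}) {symbol} : {owner} @ 0x{export:x} ({chain})"


def jmp_rel32(rel: int) -> bytes:
    return b"\xE9" + struct.pack("<i", rel)


def build_sample() -> Tuple[Memory, int]:
    """Constructed image reproducing the chain logged for ntdll!NtSetSystemInformation:
    0x76ef01e0 -> +0x161140 -> -0x1e7 -> +0x19b -> handler."""
    mem = Memory()
    export = 0x76EF01E0
    ntdll = bytearray(0x30)
    ntdll[0x00:0x05] = b"\xB8\x00\x00\x00\x00"   # 0x76ef01d0: mov eax, 0 (unhooked neighbour)
    ntdll[0x10:0x15] = jmp_rel32(0x161140)       # 0x76ef01e0: jmp 0x77051325
    mem.map(0x76EF01D0, bytes(ntdll))
    tramp = bytearray(0x2000)
    tramp[0x1325:0x132A] = jmp_rel32(-0x1E7)     # 0x77051325: jmp 0x77051143
    tramp[0x1143:0x1148] = jmp_rel32(0x19B)      # 0x77051143: jmp 0x770512e3
    tramp[0x12E3] = 0xC3                         # 0x770512e3: ret, end of chain
    mem.map(0x77050000, bytes(tramp))
    return mem, export


NTDLL = Module("ntdll.dll", 0x76EE0000, 0x130000)             # constructed range
HOOK_DLL = Module("constructed_hook.dll", 0x77050000, 0x2000)  # hypothetical injected module

if __name__ == "__main__":
    mem, export = build_sample()
    sym = "ntdll!NtSetSystemInformation"
    print(report("explorer.exe", "kernel32.dll", sym, export, mem, [NTDLL]))            # owner Unknown
    print(report("explorer.exe", "kernel32.dll", sym, export, mem, [NTDLL, HOOK_DLL]))  # owner attributed
    print(report("explorer.exe", "kernel32.dll", "ntdll!NtStub", 0x76EF01D0, mem, [NTDLL]))  # None
```

The same chain is reported two ways depending only on the module list handed to `attribute`: with the injecting module enumerated the entry is attributed and can be matched against a whitelist (the "Display legit hooks" option discussed earlier in the thread), without it the entry reads "Unknown" and lands in the report, which is the shape of the false positives above.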
Title: Re: RogueKiller 11 beta
Post by: Curson on December 07, 2015, 02:30:46 pm
Hi greysmouth,

Your report is perfectly clean.
Thanks for taking your time to help us through the beta. :)

Regards.
Title: Re: RogueKiller 11 beta
Post by: greysmouth on December 07, 2015, 03:15:34 pm
Hello. Glad to hear from you. So, I'm now running the RK stable version. It works well. Best regards, greysmouth BO IT.
Title: Re: RogueKiller 11 beta
Post by: Curson on December 07, 2015, 03:24:06 pm
Hi greysmouth,

Glad to hear this.

Regards.