Messages - Luc

RogueKiller / IAT hook detection or is it a false positive?
« on: November 21, 2015, 03:59:44 PM »
Hello,

The scan with RogueKiller shows me a rootkit problem:

[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\Drivers\SEP\0C011010\103C.105\x64\SYMEFA64.SYS)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : C:\WINDOWS\System32\sysfer.dll @ 0x74a79e19 (jmp 0xfffffffffda6c1a9)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtMapViewOfSection : C:\WINDOWS\System32\sysfer.dll @ 0x74a79c39 (jmp 0xfffffffffda6c009)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtDeleteValueKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79bfd (jmp 0xfffffffffda6b6bd)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79b49 (jmp 0xfffffffffda6bfc9)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSetValueKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79ddd (jmp 0xfffffffffda6be2d)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79cb1 (jmp 0xfffffffffda6c1e1)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtSetInformationFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79da1 (jmp 0xfffffffffda6c181)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79b0d (jmp 0xfffffffffda6bc0d)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79c75 (jmp 0xfffffffffda6bf95)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateUserProcess : C:\WINDOWS\System32\sysfer.dll @ 0x74a79b85 (jmp 0xfffffffffda6b705)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtDeleteKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79d29 (jmp 0xfffffffffda6b819)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtOpenKeyEx : C:\WINDOWS\System32\sysfer.dll @ 0x74a79ced (jmp 0xfffffffffda6b3ed)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : C:\WINDOWS\System32\sysfer.dll @ 0x74a79e55 (jmp 0xfffffffffda6bf75)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ advapi32.dll) ntdll!NtRenameKey : C:\WINDOWS\System32\sysfer.dll @ 0x74a79d65 (jmp 0xfffffffffda6afd5)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ apphelp.dll) ntdll!NtDeleteFile : C:\WINDOWS\System32\sysfer.dll @ 0x74a79bc1 (jmp 0xfffffffffda6b6c1)

Is it a rootkit or a false positive?

In the report (attached) there are also suspicious paths, but I think they may be false positives with Trusteer ...

Thank you for any help you can give.

Luc
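
The hook list in the post all has the same shape: a process, the module whose import table was patched, the ntdll export that is hooked, and the DLL that owns the hook code. Whether that is a rootkit or a security product is decided by the identity of that DLL, not by the number of hooks, since behaviour-blocking AV/EDR and user-mode rootkits both hook the same process, file and registry syscall stubs. The following Python script is an added example (not part of Luc's post and not RogueKiller's own code) that parses lines in this format, groups hooks by the module that installed them and flags modules living in user-writable directories. The sample input reuses five lines quoted above plus one hypothetical hook line whose path, function and addresses are invented for the example; the regex, the directory heuristic and the field names are my own assumptions about the format.

```python
"""Triage helper for RogueKiller-style IAT/EAT hook report lines (added example).

Groups every reported hook by the module that owns the hook code, so the
analyst can see whether all hooks come from one DLL, where that DLL lives,
and which functions it intercepts.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: the first five lines are copied from the report
# quoted in the post; the last line is hypothetical (path, function and
# addresses invented for this example) to show a hook from a user-writable path.
SAMPLE_REPORT = r"""
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\Ide\IdeDeviceP1T0L0-1 : \Driver\PxHlpa64 @ Unknown (\SystemRoot\system32\Drivers\SEP\0C011010\103C.105\x64\SYMEFA64.SYS)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtTerminateProcess : C:\WINDOWS\System32\sysfer.dll @ 0x74a79e19 (jmp 0xfffffffffda6c1a9)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtMapViewOfSection : C:\WINDOWS\System32\sysfer.dll @ 0x74a79c39 (jmp 0xfffffffffda6c009)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtCreateUserProcess : C:\WINDOWS\System32\sysfer.dll @ 0x74a79b85 (jmp 0xfffffffffda6b705)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ KERNELBASE.dll) ntdll!NtTerminateThread : C:\WINDOWS\System32\sysfer.dll @ 0x74a79e55 (jmp 0xfffffffffda6bf75)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!NtQuerySystemInformation : C:\Users\Public\Libraries\hook_sample.dll @ 0x6a1d0010 (jmp 0x0000000000001234)
"""

# Assumed line format: [IAT:Inl(<kind>)] (<process> @ <importer>) <target> : <hook module> @ <addr> (jmp <disp>)
HOOK_RE = re.compile(
    r"^\[IAT:Inl\((?P<kind>[^)]+)\)\] "
    r"\((?P<process>\S+) @ (?P<importer>[^)]+)\) "
    r"(?P<target>\S+) : (?P<hook_module>.+?) @ (?P<hook_addr>0x[0-9a-fA-F]+) "
    r"\(jmp (?P<jmp>0x[0-9a-fA-F]+)\)$"
)

# Heuristic only: a legitimate security product does not normally load its hook
# DLL from a user-writable directory. The decisive check is the Authenticode
# signature and publisher of the module, which this offline script cannot do.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


class Hook(NamedTuple):
    kind: str
    process: str
    importer: str
    target: str
    hook_module: str
    hook_addr: int
    jmp: int


def parse_hooks(report: str) -> Tuple[List[Hook], List[str]]:
    """Return (hooks, other_lines): parsed hook entries and non-hook lines such as kernel filters."""
    hooks: List[Hook] = []
    other: List[str] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOOK_RE.match(line)
        if m is None:
            other.append(line)
            continue
        hooks.append(Hook(
            kind=m["kind"], process=m["process"], importer=m["importer"],
            target=m["target"], hook_module=m["hook_module"],
            hook_addr=int(m["hook_addr"], 16), jmp=int(m["jmp"], 16),
        ))
    return hooks, other


def summarize_by_module(hooks: List[Hook]) -> Dict[str, dict]:
    """Group hooks by the module owning the hook code (path lower-cased) and attach path heuristics."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h.hook_module.lower()].append(h)
    summary: Dict[str, dict] = {}
    for module, entries in grouped.items():
        summary[module] = {
            "count": len(entries),
            "processes": sorted({h.process for h in entries}),
            "functions": sorted({h.target for h in entries}),
            "in_system_dir": module.startswith(SYSTEM_DIRS),
            "user_writable_path": any(hint in module for hint in USER_WRITABLE_HINTS),
        }
    return summary


if __name__ == "__main__":
    parsed, skipped = parse_hooks(SAMPLE_REPORT)
    print(f"{len(parsed)} hook lines parsed, {len(skipped)} other lines skipped")
    for module, info in summarize_by_module(parsed).items():
        flag = "CHECK PATH" if info["user_writable_path"] or not info["in_system_dir"] else "verify signature"
        print(f"{module}: {info['count']} hooks in {info['processes']} [{flag}]")
        print("   " + ", ".join(info["functions"]))
```

Run against the post's full list, the script reports one module, C:\WINDOWS\System32\sysfer.dll, owning every hook in explorer.exe. That does not settle the question either way; the next step is to check who signed that file and whether the publisher matches a product installed on the machine, for example with `Get-AuthenticodeSignature C:\Windows\System32\sysfer.dll` in PowerShell. The kernel filter line is deliberately left unparsed here because it has a different format and describes a driver, not a user-mode hook.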
