Author Topic: RootKit False positive on Win8.1 ? / Faux positif sur Win8.1 ?

May 30, 2014, 01:55:31 PM

oimmio

  • Guest
Hello Guys,

I write in English but I am French, so feel free to answer as you like :-)

I need some advice please. I am getting the following IAT/EAT rootkit detections on every Windows 8.1 system (I checked 3 of them for now).
I was therefore wondering if this might not be a false positive.
Analysis is done with RogueKiller64 v9 (RogueKiller32 does not show them).

Thanks for your feedback.

¤¤¤ Antirootkit : 53 ¤¤¤
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoRevokeClassObject : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dffaea0
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoRegisterClassObject : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfd41e4
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoCreateInstance : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df9cbe0
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - RoGetAgileReference : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfb40a0
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoDisableCallCancellation : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dffc8d0
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoSetProxyBlanket : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df99318
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoGetApartmentType : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dffbc40
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoTaskMemFree : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df71b90
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoCreateFreeThreadedMarshaler : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df9d0e0
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoWaitForMultipleHandles : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df9d394
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoTaskMemRealloc : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df9d990
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoEnableCallCancellation : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dffc91c
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoCancelCall : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98e089860
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - StringFromGUID2 : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df9ab00
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CLSIDFromString : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df896ac
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoInitializeEx : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df99b70
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoUninitialize : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df9959c
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoTaskMemAlloc : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df71bd0
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoGetMalloc : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df72670
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoFreeUnusedLibraries : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df72c14
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - PropVariantClear : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dffbbe0
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoGetInterfaceAndReleaseStream : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfedd74
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoReleaseMarshalData : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df88e00
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoMarshalInterThreadInterfaceInStream : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfedc34
[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CreateStreamOnHGlobal : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfa2ac4
[IAT:Addr] (explorer.exe) api-ms-win-core-winrt-string-l1-1-0.dll - WindowsCreateString : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfedf80
[IAT:Addr] (explorer.exe) api-ms-win-core-winrt-string-l1-1-0.dll - WindowsDeleteString : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfedec0
[IAT:Addr] (explorer.exe) api-ms-win-core-winrt-string-l1-1-0.dll - WindowsCreateStringReference : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfeddf0
[IAT:Addr] (explorer.exe) api-ms-win-core-winrt-string-l1-1-0.dll - WindowsGetStringRawBuffer : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfedea0
[IAT:Addr] (explorer.exe) api-ms-win-power-base-l1-1-0.dll - GetPwrCapabilities : C:\WINDOWS\SYSTEM32\powrprof.dll @ 0x7ff98d251aa0
[IAT:Addr] (explorer.exe) api-ms-win-power-base-l1-1-0.dll - PowerDeterminePlatformRoleEx : C:\WINDOWS\SYSTEM32\powrprof.dll @ 0x7ff98d251890
[IAT:Addr] (explorer.exe) api-ms-win-power-base-l1-1-0.dll - CallNtPowerInformation : C:\WINDOWS\SYSTEM32\powrprof.dll @ 0x7ff98d251050
[IAT:Addr] (explorer.exe) api-ms-win-core-com-private-l1-1-0.dll - CoRegisterMessageFilter : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dff86b0
[IAT:Addr] (explorer.exe) api-ms-win-core-com-private-l1-1-0.dll - CoRevokeInitializeSpy : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dffc1b8
[IAT:Addr] (explorer.exe) api-ms-win-core-com-private-l1-1-0.dll - CoRegisterInitializeSpy : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dffc2b4
[IAT:Addr] (explorer.exe) api-ms-win-eventing-controller-l1-1-0.dll - EnableTraceEx2 : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3c90e0
[IAT:Addr] (explorer.exe) api-ms-win-eventing-controller-l1-1-0.dll - StartTraceW : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3cd900
[IAT:Addr] (explorer.exe) api-ms-win-eventing-controller-l1-1-0.dll - StopTraceW : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3c6510
[IAT:Addr] (explorer.exe) api-ms-win-service-management-l2-1-0.dll - NotifyServiceStatusChangeW : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3cbc74
[IAT:Addr] (explorer.exe) api-ms-win-service-management-l2-1-0.dll - QueryServiceConfigW : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3c5eb4
[IAT:Addr] (explorer.exe) api-ms-win-core-winrt-l1-1-0.dll - RoGetActivationFactory : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98dfb080c
[IAT:Addr] (explorer.exe) api-ms-win-security-lsalookup-l1-1-1.dll - GetIdentityProviderInfoByGUID : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3c7fa4
[IAT:Addr] (explorer.exe) api-ms-win-security-lsalookup-l1-1-1.dll - ReleaseIdentityProviderEnumContext : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3c4a00
[IAT:Addr] (explorer.exe) api-ms-win-security-lsalookup-l1-1-1.dll - EnumerateIdentityProviders : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3c4a28
[IAT:Addr] (explorer.exe) api-ms-win-security-lsalookup-l1-1-1.dll - GetDefaultIdentityProvider : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3c8e84
[EAT:Addr] (explorer.exe) sxs.dll - GetAsymmetricEncryptionInterface : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0c9a20
[EAT:Addr] (explorer.exe) sxs.dll - GetCipherInterface : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0dddc8
[EAT:Addr] (explorer.exe) sxs.dll - GetHashInterface : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0cbd44
[EAT:Addr] (explorer.exe) sxs.dll - GetKeyDerivationInterface : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0ed880
[EAT:Addr] (explorer.exe) sxs.dll - GetRngInterface : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0c3c14
[EAT:Addr] (explorer.exe) sxs.dll - GetSecretAgreementInterface : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0d516c
[EAT:Addr] (explorer.exe) sxs.dll - GetSignatureInterface : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0d4ffc
[EAT:Addr] (explorer.exe) sxs.dll - ProcessPrng : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0c12d0
« Last Edit: May 30, 2014, 01:58:34 PM by oimmio »


Tigzy

  • Administrator
  • Owner, Adlice Software
Re: RootKit False positive on Win8.1 ? / Faux positif sur Win8.1 ?
« Reply #1 on: May 30, 2014, 02:07:52 PM »
Hello,
It's been added, thanks :)


oimmio

  • Guest
Re: RootKit False positive on Win8.1 ? / Faux positif sur Win8.1 ?
« Reply #2 on: May 30, 2014, 02:42:11 PM »
Thanks for the ultra-fast reply.

Do you mean "added to a list of probable false detections"?
So I shouldn't worry too much?

Thanks again ;-)


Tigzy

  • Administrator
  • Owner, Adlice Software
Re: RootKit False positive on Win8.1 ? / Faux positif sur Win8.1 ?
« Reply #3 on: May 30, 2014, 02:48:52 PM »
Yes, added to the whitelist.
Half of them already were, actually.
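The thread resolves as a whitelist entry: on Windows 8.1 the `api-ms-win-*` names in the log are API set contract DLLs, and the loader resolves them to the real implementation (combase.dll, sechost.dll, powrprof.dll), so an IAT entry whose address lives in one of those System32 modules is the expected result, not a hooked import. The triage script below is an added example, not RogueKiller's own code and not something from the thread: it parses the Antirootkit line format shown in the first post and sorts each entry into "apiset-forward" (contract DLL resolved to a System32 implementation), "export-forward" (an export implemented in another System32 DLL, like the sxs.dll lines), "self", or "review" (the resolved address is backed by a module outside System32, which is the case a human should look at). The System32-path heuristic and the sample lines are assumptions for illustration; the last sample line is constructed with a placeholder path and does not come from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line format as printed in RogueKiller's Antirootkit section (copied from the log above):
#   [IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoCreateInstance : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df9cbe0
LINE_RE = re.compile(
    r"^\[(?P<table>IAT|EAT):Addr\] \((?P<process>[^)]+)\) "
    r"(?P<module>\S+) - (?P<symbol>\S+) : (?P<target>.+?) @ (?P<address>0x[0-9a-fA-F]+)$"
)

# API set contract prefixes that Windows 8.1 resolves to real implementation DLLs.
APISET_PREFIXES = ("api-ms-win-", "ext-ms-win-")
# Assumption for this example: a resolved address backed by a System32 module is
# treated as benign forwarding; anything else is handed to a human.
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Entry:
    table: str      # IAT or EAT
    process: str    # process whose table was inspected
    module: str     # module the symbol was imported from / exported by
    symbol: str     # function name
    target: str     # module that actually backs the resolved address
    address: int


def parse_line(line: str) -> Optional[Entry]:
    """Parse one Antirootkit log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["table"], m["process"], m["module"], m["symbol"],
                 m["target"], int(m["address"], 16))


def classify(e: Entry) -> str:
    """Sort an entry into a triage bucket (heuristic, see the lead-in)."""
    if not e.target.lower().startswith(SYSTEM32):
        return "review"            # backed by something outside System32: needs a look
    target_name = e.target.rsplit("\\", 1)[-1].lower()
    if e.table == "IAT" and e.module.lower().startswith(APISET_PREFIXES):
        return "apiset-forward"    # contract DLL resolved to its implementation DLL
    if e.module.lower() == target_name:
        return "self"              # address sits inside the module that owns the symbol
    return "export-forward"        # export implemented in another System32 DLL


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count entries per triage bucket; unparseable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return dict(counts)


# Constructed sample: four lines taken from the log in the thread, plus one
# made-up line with a placeholder path to show the "review" bucket.
SAMPLE_LINES = [
    r"[IAT:Addr] (explorer.exe) api-ms-win-core-com-l1-1-1.dll - CoCreateInstance : C:\WINDOWS\SYSTEM32\combase.dll @ 0x7ff98df9cbe0",
    r"[IAT:Addr] (explorer.exe) api-ms-win-power-base-l1-1-0.dll - GetPwrCapabilities : C:\WINDOWS\SYSTEM32\powrprof.dll @ 0x7ff98d251aa0",
    r"[IAT:Addr] (explorer.exe) api-ms-win-eventing-controller-l1-1-0.dll - StartTraceW : C:\WINDOWS\SYSTEM32\sechost.dll @ 0x7ff98e3cd900",
    r"[EAT:Addr] (explorer.exe) sxs.dll - GetRngInterface : C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll @ 0x7ff98d0c3c14",
    # constructed placeholder, not from the page
    r"[IAT:Addr] (explorer.exe) kernel32.dll - CreateFileW : C:\Users\Public\PLACEHOLDER-unknown.dll @ 0x7ff900000000",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_line(line)
        if entry is not None:
            print(f"{classify(entry):15s} {entry.module} -> {entry.target}")
    print(summarize(SAMPLE_LINES))
```

Run against the full log from the first post, every line lands in "apiset-forward" or "export-forward", which matches the whitelist decision in the replies; only the constructed placeholder line reaches "review". The bucket names and the System32 rule are this example's own and not part of RogueKiller's logic.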