Author Topic: IAT Hooks legit?  (Read 8268 times)

0 Members and 1 Guest are viewing this topic.

February 17, 2017, 06:26:04 AM

IngoPan

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
IAT Hooks legit?
« on: February 17, 2017, 06:26:04 AM »
Hi,

I had some Alueron infection lately and i am now unsure if these hooks are legit or if its coincidence:

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Premium) von Adlice Software
Mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Betriebssystem : Windows 10 (10.0.14393) 64 bits version
Gestartet in : Normalmodus
User : IngoPan [Administrator]
Gestartet von : C:\Users\IngoPan\Downloads\RogueKillerX64.exe
Modus : Scannen -- Datum : 02/16/2017 22:44:15 (Dauer : 00:13:29)

¤¤¤ Prozesse : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Dateien : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts-Datei : 0 ¤¤¤

¤¤¤ Anti-Rootkit : 116 (Driver: Geladen) ¤¤¤
[IAT:Addr(Hook.IEAT)] (explorer.exe) user32!SetWindowCompositionAttribute : Unknown @ 0x5eb0080
[IAT:Addr(Hook.IEAT)] (explorer.exe) gdi32!StretchDIBits : Unknown @ 0x5eb0020
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ AcGenral.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ imm32.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!EnumDisplayDevicesA : Unknown @ 0x7ff8841e00ac
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!GetMonitorInfoA : Unknown @ 0x7ff8841e00ec
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!GetMonitorInfoW : Unknown @ 0x7ff8841e012c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ pepflashplayer.dll) user32!EnumDisplayMonitors : Unknown @ 0x7ff8841e006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ GdiPlus.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shlwapi.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ user32.dll) gdi32!GdiDllInitialize : Unknown @ 0x7ff8868a002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ ole32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ shell32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_elf.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) kernel32!CreateNamedPipeW : Unknown @ 0x7ff8844d002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ chrome_child.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comdlg32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) gdi32!GetStockObject : Unknown @ 0x7ff8868a006c
[IAT:Addr(Hook.IEAT)] (chrome.exe @ comctl32.dll) user32!RegisterClassW : Unknown @ 0x7ff8841e002c

¤¤¤ Webbrowser : 0 ¤¤¤

¤¤¤ MBR-Übeprüfung : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 850 EVO 500GB +++++
--- User ---
[MBR] 9706b026d752dc15e582cdccf50e5624
[BSP] f29bea51de29fb471d44c4065688aad4 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
3 - Basic data partition | Offset (sectors): 1161216 | Size: 476372 MB
User = LL1 ... OK
User = LL2 ... OK



Reply #1February 17, 2017, 02:02:52 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IAT Hooks legit?
« Reply #1 on: February 17, 2017, 02:02:52 PM »
Hi IngoPan,

Welcome to Adlice.com forum and thanks for supporting our product.
These hooks are not malicious, they are part of Chrome Sandbox feature.

Regards.

Note : This thread has been moved to the "RogueKiller PREMIUM" section for clarity and your license number removed for privacy.

Reply #2April 03, 2017, 03:54:40 AM

IngoPan

  • Newbie

  • Offline
  • *

  • 2
  • Reputation:
    0
    • View Profile
Re: IAT Hooks legit?
« Reply #2 on: April 03, 2017, 03:54:40 AM »
Hi IngoPan,

Welcome to Adlice.com forum and thanks for supporting our product.
These hooks are not malicious, they are part of Chrome Sandbox feature.

Regards.

Note : This thread has been moved to the "RogueKiller PREMIUM" section for clarity and your license number removed for privacy.

Thanks! Is it realöly 60 hooks? Sounds quite a lot ...

Regards, Ingo

Reply #3April 03, 2017, 07:25:20 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IAT Hooks legit?
« Reply #3 on: April 03, 2017, 07:25:20 PM »
Hi IngoPan,

Yes, Chrome heavily relies on hooks to implement some features.
In the futur, they will be recognized as legit and therefore not displayed anymore in RogueKiller reports.

Regards.

Reply #4April 21, 2017, 05:41:57 PM

calamityjane

  • Newbie

  • Offline
  • *

  • 29
  • Reputation:
    0
  • Personal Text
    Not in Kansas
    • View Profile
Re: IAT Hooks legit?
« Reply #4 on: April 21, 2017, 05:41:57 PM »
Hello Curson, et al, Forum members,

Curson, you previously said, in above post,
"Yes, Chrome heavily relies on hooks to implement some features.
In the futur, they will be recognized as legit and therefore not displayed anymore in RogueKiller reports."

I had similar experience but with one exception:

Only one hook specifically was detected by RK as a "positive" (highlighted in red), as opposed to all the other aforementioned hooks which were as you previously described (normal).

With the latest version upgrade, ALL the hooks have disappeared INCLUDING the one suspect hook that I've been attempting to isolate, prior to the version upgrade.

I saw this hook in RK V12.10.1.0 [Mar 20 2017] (Premium) and earlier.

Below is the suspect hook info that is no longer detected-

Detection             Type   Detour Object                           Hook                                                             
Hook.SSDT   SSDT   Inl         ZwDeleteAtom[119]    C:\Windows\System32\win32k.sys @ 0xffffffffab2b7f63

Nothing was documented under header, "Status".

Can I (hopefully) assume this was a false positive?
I cannot confirm any kind of infection other than this.

My PC is Windows Vista 32 bits .

Thanks for your assistance.
CJ
« Last Edit: April 21, 2017, 05:44:24 PM by calamityjane »

Reply #5April 21, 2017, 08:15:03 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IAT Hooks legit?
« Reply #5 on: April 21, 2017, 08:15:03 PM »
Hi calamityjane,

SSDT hooks aren't displayed anymore unless you run the program in Expert Mode.
Yes, the hook you described is a false positive that was fixed some time ago.

Regards.