Author Topic: Hook IEAT need help  (Read 12021 times)


November 28, 2015, 02:11:44 PM

Temium

  • Newbie

  • Offline
  • *

  • 7
  • Reputation:
    0
Hook IEAT need help
« on: November 28, 2015, 02:11:44 PM »
Hi, I just installed RK and got a report which I don't know how to read... especially this:

¤¤¤ Antirootkit : 1 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!LdrLoadDll : Unknown @ 0x7ff90cab0430 (jmp 0xffffffffff895540|call rbx|jmp 0x102)

Is it a false positive? Can someone help.
Full report attached.
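Added example, not from the thread or from RogueKiller: a small Python parser for hook lines of the shape quoted above. It pulls out the process, the module whose import table was patched, the hooked import, the module RK attributes the destination to (or "Unknown"), the address and the disassembly, and keeps only the unattributed entries for review. The group names and the second sample line are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches RogueKiller hook lines of the shape quoted in the post; group names are my own labels.
HOOK_LINE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+"                          # [IAT:Inl(Hook.IEAT)]
    r"\((?P<process>\S+)\s+@\s+(?P<module>[^)]+)\)\s+"       # (explorer.exe @ kernel32.dll)
    r"(?P<target>\S+)\s+:\s+"                                # ntdll!LdrLoadDll :
    r"(?P<owner>\S+)\s+@\s+(?P<address>0x[0-9a-fA-F]+)"      # Unknown @ 0x7ff90cab0430
    r"(?:\s+\((?P<disasm>[^)]*)\))?"                         # optional (jmp ...|call rbx|jmp ...)
)

@dataclass
class HookEntry:
    category: str      # hook class reported by RK, e.g. IAT:Inl(Hook.IEAT)
    process: str       # process whose import table was inspected
    module: str        # module that owns the patched import table
    target: str        # imported function that no longer points where expected
    owner: str         # module RK attributes the new destination to, or "Unknown"
    address: int       # destination address of the hook
    disasm: List[str]  # instructions RK disassembled at that address

    @property
    def attributed(self) -> bool:
        # "Unknown" means RK could not map the destination to a loaded module; that is the
        # part worth a second look, since a hook from a security product usually resolves to its DLL.
        return self.owner.lower() != "unknown"

def parse_hook_line(line: str) -> Optional[HookEntry]:
    m = HOOK_LINE.match(line.strip())
    if not m:
        return None  # section headers and other non-hook lines are ignored
    disasm = [ins.strip() for ins in (m["disasm"] or "").split("|") if ins.strip()]
    return HookEntry(m["category"], m["process"], m["module"], m["target"],
                     m["owner"], int(m["address"], 16), disasm)

def parse_report(text: str) -> List[HookEntry]:
    return [e for e in (parse_hook_line(l) for l in text.splitlines()) if e]

def needs_review(entries: List[HookEntry]) -> List[HookEntry]:
    # Triage rule: keep only hooks whose destination RK could not attribute to a module.
    return [e for e in entries if not e.attributed]

# Constructed sample: the header and hook line from the post, plus one made-up line whose
# destination does resolve to a (placeholder) module, so the filter has something to drop.
SAMPLE_REPORT = """\
¤¤¤ Antirootkit : 1 (Driver: Chargé) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!LdrLoadDll : Unknown @ 0x7ff90cab0430 (jmp 0xffffffffff895540|call rbx|jmp 0x102)
[IAT:Inl(Hook.IEAT)] (explorer.exe @ kernel32.dll) ntdll!LdrLoadDll : example_hook.dll @ 0x7ff90cab0440 (jmp 0x1234)
"""
```

`needs_review(parse_report(SAMPLE_REPORT))` returns only the LdrLoadDll entry with the Unknown destination, which is the line the thread is about. Whether such a hook is legitimate is exactly what the filter cannot decide; that is why the moderator asks for a full process dump before reaching a verdict.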

Reply #1, November 29, 2015, 11:06:49 PM

Curson (Global Moderator, Hero Member)
Hi Temium,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller JSON report in your next reply?

Regards.

Reply #2, November 30, 2015, 03:55:24 PM

Temium (Newbie)
Hi Curson,

Thanks for your reply.

I had to run RK again (and redownload it) to get the report in .JSON format.

And a lot of new IEAT hooks came up!

See attached file...  :-\

Reply #3, November 30, 2015, 04:22:33 PM

Curson (Global Moderator, Hero Member)
Hi Temium,

We are going to perform an extended analysis on the hooks.
Please follow this process:
  • Download Process Explorer and save it to your desktop.
  • Click on the setup file (procexp.exe) and select Run as Administrator to start the tool.
  • Locate the process named explorer.exe, do a right click on it and select Create Dump > Create Full Dump...
  • Save the dump on your desktop and compress it.
  • Go to Adlice Software upload form, select the dumps as files to be uploaded and copy/paste a link to this thread in the "Comment" section.
Regards.

Reply #4, December 02, 2015, 06:47:04 PM

Temium (Newbie)
Hi Curson,

I uploaded the dump file (zipped)
and put the link to your message as a comment on my upload, that is:

http://forum.adlice.com/index.php?topic=609.msg3424#msg3424

I hope everything went all right... I'm not very familiar with forum usage.

Reply #5, December 03, 2015, 03:19:54 PM

Curson (Global Moderator, Hero Member)
Hi Temium,

I haven't received anything.
Could you please host the dump on Dropbox/OneDrive and share the link here?

Regards.

Reply #6, December 03, 2015, 05:18:35 PM

Temium (Newbie)
Hi Curson,

Here's a link to my Dropbox:

https://www.dropbox.com/sh/e0wrzybrywjqa1z/AADSSDNwnHRX74t4fKws-qUMa?dl=0

You can upload either the .dmp or the .zip file.

Reply #7, December 04, 2015, 02:10:32 PM

Curson (Global Moderator, Hero Member)
Hi Temium,

The dump you provided will be analysed as soon as possible.
Thanks for your patience.

Regards.

Reply #8, December 04, 2015, 03:07:28 PM

Temium (Newbie)
Thanks for your message, Curson.

Reply #9, December 04, 2015, 03:24:45 PM

Curson (Global Moderator, Hero Member)
Hi Temium,

You are welcome.

Regards.

Reply #10, December 22, 2015, 02:11:54 PM

Temium (Newbie)
Hi Curson,

I haven't heard from you for a while now...
Could it be that you have forgotten to send me my analysis?
Or is it the Christmas rush?

Season's greetings,
Temium

Reply #11, December 22, 2015, 09:08:10 PM

Curson (Global Moderator, Hero Member)
Hi Temium,

I'm really sorry but we have not yet had time to process your dump.

Regards.

Reply #12, December 28, 2015, 12:15:31 PM

Curson (Global Moderator, Hero Member)
Hi Temium,

The hooks are legit.
We will whitelist them as soon as possible.

Regards.

Reply #13, January 27, 2016, 12:46:55 AM

Temium (Newbie)
Thanks a lot.
And pardon me for not thanking you before... I think I missed the notification of your post.

Reply #14, January 27, 2016, 02:13:43 PM

Curson (Global Moderator, Hero Member)
Hi Temium,

You are very welcome.

Regards.