[Vol-users] api hooking

malware monna malware.monna at gmail.com
Thu Dec 8 12:25:59 CST 2011


Hi All,

I'm new to Volatility. I was trying to analyze a SpyEye sample, and while
running apihooks I got the output below. It looks like there is an inline API
hook and I see a jump into this 0xba... location. I would like to know the
DLL that is associated with a JMP; in this case it shows UNKNOWN. How can I
determine the DLL, and how can I dump the DLL from memory? Any information
would be helpful; sorry if this is a stupid question.


VMwareUser.exe[636]              inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)
VMwareUser.exe[636]              inline wininet.dll!InternetReadFileExA[0x78082ae2] 0x78082ae2 JMP 0xbaf1526 (UNKNOWN)
VMwareUser.exe[636]              inline wininet.dll!InternetWriteFile[0x78073645] 0x78073645 JMP 0xbaf2d4b (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!NtResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!NtVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!ZwQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!ZwResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!ZwSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!ZwVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
VMwareUser.exe[636]              inline crypt32.dll!PFXImportCertStore[0x77aeff8f] 0x77aeff8f JMP 0xbae0b02 (UNKNOWN)
VMwareUser.exe[636]              inline user32.dll!TranslateMessage[0x7e418bf6]  0x7e418bf6 JMP 0xbadc47f (UNKNOWN)
VMwareUser.exe[636]              inline advapi32.dll!CryptEncrypt[0x77dee340]    0x77dee340 JMP 0xbaeda23 (UNKNOWN)
VMwareUser.exe[636]              inline ws2_32.dll!send[0x71ab4c27]              0x71ab4c27 JMP 0xbaee35d (UNKNOWN)
ctfmon.exe[768]                  inline ntdll.dll!NtClose[0x7c90cfd0]            0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
ctfmon.exe[768]                  inline ntdll.dll!ZwClose[0x7c90cfd0]            0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
wmiprvse.exe[1876]               inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
wmiprvse.exe[1876]               inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
wmiprvse.exe[1876]               inline ntdll.dll!NtResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)
wmiprvse.exe[1876]               inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
wmiprvse.exe[1876]               inline ntdll.dll!NtVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
wmiprvse.exe[1876]               inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)

Thanks
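The "(UNKNOWN)" in the apihooks output above means the JMP destination does not fall inside any module in the process's loader lists, which is exactly why no DLL name can be printed: the hook lands in memory that is not backed by a loaded DLL. The following is an added Python example (not part of the original post and not code from the Volatility project) that re-implements that lookup over the pasted output and then groups the unresolved targets into contiguous page ranges, so the analyst can see that all of the VMwareUser.exe hooks point into one region around 0xbada000-0xbaf7000. The module list is constructed for illustration (plausible XP bases); on a real image the bases come from the per-process module listing (for example dlllist) and the region itself is what you would dump by address range rather than by DLL name.

```python
"""Resolve apihooks JMP targets against a process's loaded-module list.

Added example, not from the original post or the Volatility project.
apihooks prints "(UNKNOWN)" when a hook destination is outside every module
in the process's loader lists. This reproduces that check on the pasted
output and clusters unresolved targets into candidate regions to dump.
"""
import re
from collections import namedtuple

Module = namedtuple("Module", "name base size")
Hook = namedtuple("Hook", "proc pid module func target")

# CONSTRUCTED sample module list for VMwareUser.exe[636] (assumed XP bases).
SAMPLE_MODULES = [
    Module("ntdll.dll",    0x7c900000, 0x000b0000),
    Module("kernel32.dll", 0x7c800000, 0x000f6000),
    Module("wininet.dll",  0x78050000, 0x000a0000),
    Module("user32.dll",   0x7e410000, 0x00091000),
    Module("advapi32.dll", 0x77dd0000, 0x0009b000),
    Module("crypt32.dll",  0x77a80000, 0x00095000),
    Module("ws2_32.dll",   0x71ab0000, 0x00017000),
]

# Subset of the apihooks lines from the post, one hook per line.
SAMPLE_OUTPUT = """\
VMwareUser.exe[636]              inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
VMwareUser.exe[636]              inline ntdll.dll!NtResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)
VMwareUser.exe[636]              inline ws2_32.dll!send[0x71ab4c27]              0x71ab4c27 JMP 0xbaee35d (UNKNOWN)
ctfmon.exe[768]                  inline ntdll.dll!NtClose[0x7c90cfd0]            0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
"""

HOOK_RE = re.compile(
    r"^(?P<proc>\S+)\[(?P<pid>\d+)\]\s+(?P<kind>\w+)\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\w+)\[0x[0-9a-f]+\]\s+0x[0-9a-f]+\s+"
    r"JMP\s+0x(?P<target>[0-9a-f]+)",
    re.IGNORECASE,
)


def parse_apihooks(text):
    """Parse apihooks output lines (one hook per line) into Hook records."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), m["module"],
                              m["func"], int(m["target"], 16)))
    return hooks


def resolve(addr, modules):
    """Name of the module whose [base, base+size) contains addr, else None.

    None is the case apihooks reports as (UNKNOWN)."""
    for mod in modules:
        if mod.base <= addr < mod.base + mod.size:
            return mod.name
    return None


def unbacked_regions(addrs, page=0x1000, gap_pages=32):
    """Group unresolved targets into page-aligned ranges.

    Targets closer than gap_pages pages are merged into one region; the
    result is the address range worth dumping instead of a DLL name."""
    regions = []
    for a in sorted(set(addrs)):
        start = a & ~(page - 1)
        if regions and start - regions[-1][1] <= gap_pages * page:
            regions[-1][1] = start + page
        else:
            regions.append([start, start + page])
    return [tuple(r) for r in regions]


def report(text, modules_by_pid):
    """Per PID: each hook with its resolved module (or UNKNOWN) and the
    candidate unbacked regions. modules_by_pid maps pid -> [Module]."""
    out = {}
    for h in parse_apihooks(text):
        entry = out.setdefault(h.pid, {"proc": h.proc, "hooks": [], "unbacked": []})
        name = resolve(h.target, modules_by_pid.get(h.pid, []))
        entry["hooks"].append((f"{h.module}!{h.func}", h.target, name or "UNKNOWN"))
        if name is None:
            entry["unbacked"].append(h.target)
    for entry in out.values():
        entry["regions"] = unbacked_regions(entry["unbacked"])
    return out


if __name__ == "__main__":
    for pid, entry in report(SAMPLE_OUTPUT, {636: SAMPLE_MODULES}).items():
        print(f"{entry['proc']}[{pid}]")
        for name, target, where in entry["hooks"]:
            print(f"  {name:<40} -> 0x{target:x} ({where})")
        for lo, hi in entry["regions"]:
            print(f"  candidate region to dump: 0x{lo:x}-0x{hi:x}")
```

Running it shows every VMwareUser.exe target resolving to nothing (the hooked functions themselves resolve to ntdll.dll, wininet.dll and so on, proving the module list is sane) and a single candidate region covering all of them; that region, not a DLL, is what to extract by address range and inspect.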