[Vol-users] api hooking

Michael Hale Ligh michael.hale at gmail.com
Tue Dec 13 07:48:14 CST 2011


There are various ways of injecting code without using a DLL. To quote
the CommandReference
(http://code.google.com/p/volatility/wiki/CommandReference#apihooks):

"Here is an example of detecting IAT hooks installed by Coreflood. The
far right field contains UNKNOWN because there is no module associated
with the memory in which the rootkit code exists."

You can dump the code block using vaddump, then look for the file
named according to the 0xba range.

MHL

On Thu, Dec 8, 2011 at 1:25 PM, malware monna <malware.monna at gmail.com> wrote:
> Hi All,
>
> I'm new to Volatility. I was trying to analyze a SpyEye sample, and while
> running apihooks I got the output below. It looks like there is an inline API
> hook and I see a jump into this 0xba... location. I would like to know the
> DLL that is associated with the JMP; in this case it shows UNKNOWN. How can I
> determine the DLL, and how can I dump the DLL from memory? Any information
> would be helpful, sorry if this is a stupid question.
>
>
> VMwareUser.exe[636]              inline wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)
> VMwareUser.exe[636]              inline wininet.dll!InternetReadFileExA[0x78082ae2] 0x78082ae2 JMP 0xbaf1526 (UNKNOWN)
> VMwareUser.exe[636]              inline wininet.dll!InternetWriteFile[0x78073645] 0x78073645 JMP 0xbaf2d4b (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!NtResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!NtVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!ZwQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!ZwResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!ZwSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
> VMwareUser.exe[636]              inline ntdll.dll!ZwVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
> VMwareUser.exe[636]              inline crypt32.dll!PFXImportCertStore[0x77aeff8f] 0x77aeff8f JMP 0xbae0b02 (UNKNOWN)
> VMwareUser.exe[636]              inline user32.dll!TranslateMessage[0x7e418bf6]  0x7e418bf6 JMP 0xbadc47f (UNKNOWN)
> VMwareUser.exe[636]              inline advapi32.dll!CryptEncrypt[0x77dee340]    0x77dee340 JMP 0xbaeda23 (UNKNOWN)
> VMwareUser.exe[636]              inline ws2_32.dll!send[0x71ab4c27]              0x71ab4c27 JMP 0xbaee35d (UNKNOWN)
> ctfmon.exe[768]                  inline ntdll.dll!NtClose[0x7c90cfd0]            0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
> ctfmon.exe[768]                  inline ntdll.dll!ZwClose[0x7c90cfd0]            0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
> wmiprvse.exe[1876]               inline ntdll.dll!NtEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
> wmiprvse.exe[1876]               inline ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20 (UNKNOWN)
> wmiprvse.exe[1876]               inline ntdll.dll!NtResumeThread[0x7c90db20]     0x7c90db20 JMP 0xbaf625c (UNKNOWN)
> wmiprvse.exe[1876]               inline ntdll.dll!NtSetInformationFile[0x7c90dc40] 0x7c90dc40 JMP 0xbada9b6 (UNKNOWN)
> wmiprvse.exe[1876]               inline ntdll.dll!NtVdmControl[0x7c90df00]       0x7c90df00 JMP 0xbae4fd6 (UNKNOWN)
> wmiprvse.exe[1876]               inline ntdll.dll!ZwEnumerateValueKey[0x7c90d2d0] 0x7c90d2d0 JMP 0xbadac6c (UNKNOWN)
>
> Thanks
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
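As an added example (not from this thread and not Volatility's own code): a small Python helper that parses the apihooks rows quoted above, collects the JMP targets that apihooks could not attribute to a loaded module (UNKNOWN) per process, and matches them against that process's VAD ranges so you know which vaddump output file holds the injected code. The VAD list is constructed here as a stand-in for what vadinfo would report for pid 636; the row layout it parses is the Volatility 2.x apihooks format shown in the thread.

```python
import re
from collections import defaultdict

# One apihooks row (Volatility 2.x layout as quoted in the thread):
#   proc[pid] kind victim_module!func[addr] hook_addr JMP dest (owner)
HOOK_RE = re.compile(
    r"(?P<proc>\S+)\[(?P<pid>\d+)\]\s+(?P<kind>\w+)\s+"
    r"(?P<mod>[\w.]+)!(?P<func>\w+)\[0x[0-9a-f]+\]\s+"
    r"(?P<at>0x[0-9a-f]+)\s+JMP\s+(?P<dest>0x[0-9a-f]+)\s+\((?P<owner>[^)]+)\)"
)

def parse_hooks(text):
    """Return one dict per apihooks row. Mail clients wrap long rows, so all
    whitespace is collapsed first and the regex is run over the flat text."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in HOOK_RE.finditer(flat)]

def unknown_targets(hooks):
    """Map (process, pid) -> sorted list of hook destinations whose owner is
    UNKNOWN, i.e. code living in memory with no module behind it."""
    out = defaultdict(set)
    for h in hooks:
        if h["owner"] == "UNKNOWN":
            out[(h["proc"], int(h["pid"]))].add(int(h["dest"], 16))
    return {k: sorted(v) for k, v in out.items()}

def hit_vads(addrs, vads):
    """Return every (start, end) VAD that contains at least one hook target;
    these ranges name the vaddump files worth carving and scanning."""
    return [(s, e) for s, e in vads if any(s <= a <= e for a in addrs)]

# Rows copied from the thread's apihooks output, deliberately mail-wrapped.
SAMPLE = """
VMwareUser.exe[636]              inline
wininet.dll!InternetReadFile[0x7806abb4] 0x7806abb4 JMP 0xbaf140c (UNKNOWN)
VMwareUser.exe[636]              inline
ntdll.dll!NtQueryDirectoryFile[0x7c90d750] 0x7c90d750 JMP 0xbae4f20
(UNKNOWN)
ctfmon.exe[768]                  inline
ntdll.dll!NtClose[0x7c90cfd0]            0x7c90cfd0 JMP 0xa003b2 (UNKNOWN)
"""

# Constructed VAD ranges standing in for vadinfo output of pid 636 (assumption).
VADS_636 = [(0x00010000, 0x00010FFF), (0x0BAD0000, 0x0BAFFFFF), (0x7C900000, 0x7C9AFFFF)]

if __name__ == "__main__":
    targets = unknown_targets(parse_hooks(SAMPLE))
    for (proc, pid), addrs in targets.items():
        print(proc, pid, [hex(a) for a in addrs])
    print("VADs to inspect for pid 636:",
          [(hex(s), hex(e)) for s, e in hit_vads(targets[("VMwareUser.exe", 636)], VADS_636)])
```

Feed it the full apihooks output and the vadinfo ranges of each flagged process; the ranges it returns are the ones whose vaddump files should be examined next.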

