[Vol-users] IAT hook question

Michael Hale Ligh michael.hale at gmail.com
Thu Jan 17 11:47:54 CST 2013


Mike, if you could use dlldump and extract kernel32.dll from pid 464 and
send it to me, I'll take a look. The necessary pages of the PE file may
just not be memory resident.

MHL


On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen at hotmail.com> wrote:

> I am looking at a Red October infection. The malware is svchost PID 464,
> C:\Program Files\Windows NT\svchost.exe
>
> GMER tells me that the IAT is hooked. See attached.
>
> I wanted to see this with Volatility per the apihooks documentation here
> http://code.google.com/p/volatility/wiki/CommandReferenceMal22
>
> "As of Volatility 2.1, apihooks also detects hooked winsock procedure
> tables, includes an easier to read output format, supports multiple hop
> disassembly, and can optionally scan quicker through memory by ignoring
> non-critical processes and DLLs.
>
> Here is an example of detecting IAT hooks installed by Coreflood. The
> hooking module is unknown because there is no module (DLL) associated with
> the memory in which the rootkit code exists. If you want to extract the
> code containing the hooks, you have a few options: "
>
>
> I tried apihooks in Volatility 2.1 and 2.2, below is the result
>
> C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32
> --profile=WinXPSP3x86 -p 464 apihooks
> Volatile Systems Volatility Framework 2.1
>
> C:\Python27\volatility-2.1>
>
> -------------------------
>
> C:\Python27\volatility-2.2>vol.py apihooks -f
> E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464
> Volatile Systems Volatility Framework 2.2
>
> C:\Python27\volatility-2.2>
>
> =========================
>
> My question is, "what am I doing wrong?" It is probably something simple.
>
> Thanks for the help,
> Mike
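An added example (not code from Volatility or from either poster) of the check that MHL's suggestion bears on: an IAT hook scan decides whether each imported function's resolved address still lies inside the DLL that exports it, and if the page holding an IAT slot is not resident in the dump there is nothing to compare, so a scan can come back empty. Module ranges and IAT values below are constructed for illustration.

```python
# Added example, not Volatility or poster code: a toy IAT hook check that also
# reports slots whose page was not resident instead of skipping them silently.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed module list for the scanned process (illustrative addresses).
MODULES = [
    Module("kernel32.dll", 0x7C800000, 0xF6000),
    Module("ntdll.dll", 0x7C900000, 0xB2000),
]

# Constructed IAT snapshot: (import, exporting DLL, resolved address or None
# when the page holding that IAT slot was not memory resident in the dump).
SAMPLE_IAT = [
    ("CreateFileW", "kernel32.dll", 0x7C810CD9),  # resolves into kernel32: clean
    ("WriteFile", "kernel32.dll", 0x00A81000),    # lands in no module: hooked
    ("GetProcAddress", "kernel32.dll", None),     # slot unreadable in the dump
]

def owner_of(addr: int, modules) -> Optional[str]:
    # Name of the loaded module whose range contains addr, else None.
    for m in modules:
        if m.contains(addr):
            return m.name
    return None

def check_iat(iat, modules):
    """Classify each IAT slot as clean, hooked or unreadable.
    'hooked' means the target lies outside the DLL expected to export the
    function; a target in no module at all is the classic sign of injected
    hook code. A real checker must also allow for forwarded exports."""
    verdicts = []
    for name, dll, addr in iat:
        if addr is None:  # paged-out slot: report it rather than drop it
            verdicts.append((name, "unreadable", None))
            continue
        owner = owner_of(addr, modules)
        status = "clean" if owner and owner.lower() == dll.lower() else "hooked"
        verdicts.append((name, status, owner or "<unknown>"))
    return verdicts
```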