[Vol-users] IAT hook question
Michael Hale Ligh
michael.hale at gmail.com
Thu Jan 17 11:47:54 CST 2013
Mike, if you could use dlldump and extract kernel32.dll from pid 464 and
send it to me, I'll take a look. The necessary pages of the PE file may
just not be memory resident.
On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> I am looking at a Red October infection. The malware is svchost PID 464,
> C:\Program Files\Windows NT\svchost.exe
> GMER tells me that the IAT is hooked. See attached.
> I wanted to see this with Volatility per the apihooks documentation here
> "As of Volatility 2.1, apihooks also detects hooked winsock procedure
> tables, includes an easier to read output format, supports multiple hop
> disassembly, and can optionally scan quicker through memory by ignoring
> non-critical processes and DLLs.
> Here is an example of detecting IAT hooks installed by Coreflood. The
> hooking module is unknown because there is no module (DLL) associated with
> the memory in which the rootkit code exists. If you want to extract the
> code containing the hooks, you have a few options: "
> I tried apihooks in Volatility 2.1 and 2.2, below is the result
> C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32
> --profile=WinXPSP3x86 -p 464 apihooks
> Volatile Systems Volatility Framework 2.1
> C:\Python27\volatility-2.2>vol.py apihooks -f
> E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464
> Volatile Systems Volatility Framework 2.2
> My question is, "what am I doing wrong?" It is probably something simple.
> Thanks for the help,
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
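The suggestion above (dump kernel32.dll from PID 464 and check whether the PE pages apihooks needs are actually in the image) can be checked directly on the dlldump output. The script below is an added example for this archived thread, not code from the Volatility project or from either poster. It assumes the dumped file is a PE image in which dlldump has padded pages it could not read with zero bytes, walks the section table to map RVAs to file offsets, and reports how many 4 KiB pages of the export directory, import directory and IAT are entirely zero. The sample DLL it builds in memory is constructed for the demo (layout, RVAs and thunk values are arbitrary) and is not a real kernel32.dll.

```python
"""Check whether the PE directories apihooks depends on are resident in a
dumped DLL.  Added example for the Vol-users thread; not Volatility code.
Assumption: the input is a dlldump output file where non-resident pages
were written as zeros, so an all-zero page under the export table (of the
DLL) or the import table / IAT (of the process) means apihooks had nothing
to resolve and therefore printed no hooks."""
import struct

PAGE = 0x1000
# Data-directory indices from the PE format specification.
DIRECTORIES = {"export": 0, "import": 1, "iat": 12}


def _sections(data, pe_off):
    """Return (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for every section header following the optional header."""
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size
    secs = []
    for i in range(nsec):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, sec_off + 40 * i)
        secs.append((va, vsize, rawptr, rawsize))
    return secs


def rva_to_offset(rva, secs):
    """Map an RVA to a file offset via the section table (None if unmapped).
    Works for both disk layout and memory layout, since the latter simply
    has PointerToRawData == VirtualAddress."""
    if secs and rva < min(va for va, _, _, _ in secs):
        return rva  # PE headers sit at their own file offset
    for va, vsize, rawptr, rawsize in secs:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None


def check_pe_residency(data):
    """Return {directory: None | {rva, size, pages, zero_pages}}; zero_pages
    counts 4 KiB pages inside the directory that contain only zero bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    secs = _sections(data, pe_off)
    report = {}
    for name, idx in DIRECTORIES.items():
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * idx)
        if rva == 0 or size == 0:
            report[name] = None  # directory absent from this image
            continue
        off = rva_to_offset(rva, secs)
        if off is None or off + size > len(data):
            report[name] = {"rva": rva, "size": size, "zero_pages": None}
            continue
        first = off & ~(PAGE - 1)
        last = (off + size - 1) & ~(PAGE - 1)
        pages = range(first, last + 1, PAGE)
        zero = sum(1 for p in pages if not any(data[p:p + PAGE]))
        report[name] = {"rva": rva, "size": size,
                        "pages": len(pages), "zero_pages": zero}
    return report


def build_sample_dll(iat_resident=True):
    """Constructed minimal PE32 in memory layout (raw offset == RVA): one
    '.rdata' section at RVA 0x1000 with an import descriptor at 0x1000 and
    the IAT at 0x2000.  iat_resident=False leaves the IAT page zeroed, the
    way dlldump would write a page that was paged out of the image."""
    image = bytearray(0x3000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)
    pe = 0x80
    image[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, one section, optional header of 224 bytes, DLL.
    struct.pack_into("<HHIIIHH", image, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = pe + 24
    struct.pack_into("<H", image, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", image, opt + 28, 0x10000000)    # ImageBase
    struct.pack_into("<II", image, opt + 32, PAGE, PAGE)   # alignments
    struct.pack_into("<II", image, opt + 56, 0x3000, PAGE) # SizeOfImage/Headers
    struct.pack_into("<I", image, opt + 92, 16)            # NumberOfRvaAndSizes
    dd = opt + 96
    struct.pack_into("<II", image, dd + 8 * 1, 0x1000, 40)   # import directory
    struct.pack_into("<II", image, dd + 8 * 12, 0x2000, 16)  # IAT (3 thunks + 0)
    struct.pack_into("<8sIIIIIIHHI", image, opt + 224, b".rdata",
                     0x2000, 0x1000, 0x2000, 0x1000, 0, 0, 0, 0, 0x40000040)
    # IMAGE_IMPORT_DESCRIPTOR for "kernel32.dll" whose FirstThunk is the IAT.
    struct.pack_into("<IIIII", image, 0x1000, 0x2000, 0, 0, 0x1100, 0x2000)
    image[0x1100:0x110D] = b"kernel32.dll\0"
    if iat_resident:  # arbitrary thunk values standing in for resolved APIs
        struct.pack_into("<IIII", image, 0x2000,
                         0x7C801D7B, 0x7C80B741, 0x7C809AE4, 0)
    return bytes(image)


if __name__ == "__main__":
    import sys
    # Usage: python check_residency.py module.464.xxxx.dll  (dlldump output)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_pe_residency(fh.read()))
    print("resident demo   :", check_pe_residency(build_sample_dll(True)))
    print("paged-out demo  :", check_pe_residency(build_sample_dll(False)))
```

For the case in the thread, run it against the kernel32.dll that dlldump writes for PID 464 and against a dump of the svchost.exe image itself: a non-zero zero_pages count under "export" for kernel32, or under "import"/"iat" for the process, is the non-resident-page situation the reply describes, and explains an empty apihooks listing without any plugin misuse.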