[Vol-users] IAT hook question

Michael Hale Ligh michael.hale at gmail.com
Thu Jan 17 13:48:06 CST 2013


Hmm sorry, I must be reading the GMER log incorrectly:

IAT     C:\Program Files\Windows NT\svchost.exe[464] @ C:\Program Files\Windows NT\svchost.exe [KERNEL32.dll!GetFileType]
            E80C244C

I thought that was saying functions in kernel32.dll's IAT were hooked, but
I think it's saying the IAT entries in svchost.exe for kernel32 APIs are
hooked. So in that case I'd need you to use procexedump -p 464 and send the
extracted svchost.exe.

Also if that number at the end (E80C244C) is the address of the hook,
something is seriously wrong because that's an address in kernel space.
Hooray for log files with no meaningful labels ;-)

MHL
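The point MHL makes above, that an IAT slot in svchost.exe should hold a pointer into the DLL that exports the function, and that anything else (an unbacked region, another module, or a kernel-space value on a 32-bit system) is worth flagging, is the basic check apihooks-style tools perform. The following is an added example, not Volatility code or anything from this thread: it classifies IAT entries against a constructed module list for the process. The kernel32/ntdll base addresses and all entries other than the GetFileType value quoted from the GMER log are assumptions made up for the example.

```python
"""Classify IAT entries against the process's loaded-module list (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# User/kernel split on 32-bit Windows XP without /3GB: anything at or above
# this address cannot be a legitimate user-mode import target.
KERNEL_BOUNDARY_32 = 0x80000000


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatEntry:
    dll: str    # DLL named in the import descriptor, e.g. "KERNEL32.dll"
    func: str   # imported function name
    value: int  # pointer currently stored in the IAT slot


def owner_of(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module whose image range covers addr, if any."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def classify(entry: IatEntry, modules: List[Module]) -> str:
    """Decide whether one IAT slot looks legitimate or hooked."""
    if entry.value >= KERNEL_BOUNDARY_32:
        # This is the case MHL raises for E80C244C: a user-mode IAT slot
        # pointing into kernel space is either a hook or a mislabelled log field.
        return "suspicious: kernel-space address"
    owner = owner_of(entry.value, modules)
    if owner is None:
        # Coreflood-style hook: code lives in memory no DLL is mapped over.
        return "hooked: address not backed by any loaded module"
    if owner.name.lower() != entry.dll.lower():
        return f"hooked: points into {owner.name}"
    return "ok"


def check_iat(entries: List[IatEntry], modules: List[Module]) -> Dict[str, str]:
    """Map 'DLL!Function' to its verdict for every entry."""
    return {f"{e.dll}!{e.func}": classify(e, modules) for e in entries}


# Constructed module list for pid 464 (bases/sizes are assumptions, not from the thread).
SAMPLE_MODULES = [
    Module("svchost.exe", 0x00400000, 0x00010000),
    Module("KERNEL32.dll", 0x7C800000, 0x000F6000),
    Module("ntdll.dll", 0x7C900000, 0x000B2000),
]

# Constructed IAT: the GetFileType value is the one quoted from the GMER log;
# the other three entries are made up to exercise each verdict.
SAMPLE_IAT = [
    IatEntry("KERNEL32.dll", "GetFileType", 0xE80C244C),
    IatEntry("KERNEL32.dll", "CreateFileA", 0x7C801A28),  # inside kernel32's image
    IatEntry("KERNEL32.dll", "ReadFile", 0x00A30120),     # unbacked user-space region
    IatEntry("KERNEL32.dll", "WriteFile", 0x7C90E000),    # redirected into ntdll
]

if __name__ == "__main__":
    for name, verdict in check_iat(SAMPLE_IAT, SAMPLE_MODULES).items():
        print(f"{name:<28} {verdict}")
```

In a real memory image the module list would come from the process's loader data (what ldrmodules reports) and the IAT from the PE headers of the dumped executable, which is why MHL asks for the procexedump output: without resident PE pages there is no import table to compare against.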


On Thu, Jan 17, 2013 at 1:09 PM, Mike Lambert <dragonforen at hotmail.com> wrote:

>  MHL,
>
> Thank you very much. Attached is a ZIP. (Rocra is the short name)  I used
> Volatility 2.1
>
> C:\Python27\volatility-2.1>vol.py dlldump -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 -D E:\Tests\130115b\Vol\dlldump > E:\Tests\130115b\Vol\dlldump.txt
>
> Volatile Systems Volatility Framework 2.1
>
> C:\Python27\volatility-2.1>
>
> Have a good day,
> Mike
>
>  ------------------------------
> Date: Thu, 17 Jan 2013 12:47:54 -0500
> Subject: Re: [Vol-users] IAT hook question
> From: michael.hale at gmail.com
> To: dragonforen at hotmail.com
> CC: vol-users at volatilityfoundation.org
>
>
> Mike, if you could use dlldump and extract kernel32.dll from pid 464 and
> send it to me, I'll take a look. The necessary pages of the PE file may
> just not be memory resident.
>
> MHL
>
>
> On Thu, Jan 17, 2013 at 12:31 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
>
>  I am looking at a Red October infection. The malware is svchost PID 464,
> C:\Program Files\Windows NT\svchost.exe
>
> GMER tells me that the IAT is hooked. See attached.
>
> I wanted to see this with Volatility per the apihooks documentation here
> http://code.google.com/p/volatility/wiki/CommandReferenceMal22
>
> "As of Volatility 2.1, apihooks also detects hooked winsock procedure
> tables, includes an easier to read output format, supports multiple hop
> disassembly, and can optionally scan quicker through memory by ignoring
> non-critical processes and DLLs.
>
> Here is an example of detecting IAT hooks installed by Coreflood. The
> hooking module is unknown because there is no module (DLL) associated with
> the memory in which the rootkit code exists. If you want to extract the
> code containing the hooks, you have a few options: "
>
>
> I tried apihooks in Volatility 2.1 and 2.2, below is the result
>
> C:\Python27\volatility-2.1>vol.py -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464 apihooks
> Volatile Systems Volatility Framework 2.1
>
> C:\Python27\volatility-2.1>
>
> -------------------------
>
> C:\Python27\volatility-2.2>vol.py apihooks -f E:\Tests\130115b\Vol\130115b.w32 --profile=WinXPSP3x86 -p 464
> Volatile Systems Volatility Framework 2.2
>
> C:\Python27\volatility-2.2>
>
> =========================
>
> My question is, "what am I doing wrong?" It is probably something simple.
>
> Thanks for the help,
> Mike
>
>