[IN PROGRESS] Problems here. Help appreciated.

CastleCops -> Rootkit Revelations

Author: F9FD1 | Location: USA | Posted: Sat Jun 14, 2008 9:45 pm | Post subject: Problems here. Help appreciated.

I have a module with no name loaded in memory; it is 98304 bytes, and if I try to dump it with gmer my computer crashes. Seen anything like this?
Also I have a5gb8dtk.sys that hooks the IAT (I have limited knowledge about this, but doesn't IAT hooking mean that it has to hook every function in every executable with write process memory?) in ntoskrnl.exe and hal.dll (this is one mean rootkit if it goes all the way down to the hardware abstraction layer, is it not?).
Mentioning that a5gb8dtk.sys does not appear where gmer says it is, so it hides from the Windows API and from gmer, darkspy, icesword etc.
I'm tempted to start the SoftICE dinosaur to see what these are all about, but I have a feeling that it will take a hell of a lot of time to RE them. Anyway, it would be more practical to boot into the Windows Recovery Console, save them to a disk and analyse them with IDA... What do you think?

Author: negster22 | Posted: Tue Jun 17, 2008 10:19 pm | Post subject:

Do you have Alcohol installed? It creates a randomly named driver that consists of 8 chars beginning with an "a". I'm quite sure that's what it is.
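As an added illustration (not code from either poster or from gmer), the cross-view comparison that tools like gmer perform, paired with the naming heuristic from the reply; every path, base address and size below is constructed sample data, and the entry for the unnamed 98304-byte module is included only to show how the nameless case is reported.

```python
import re

# Constructed sample data: loaded modules as a kernel-level enumerator
# (gmer-style) reported them, versus what the user-mode Windows API listed.
# Name "" stands for a module with no name, as in the first post.
KERNEL_VIEW = {
    (r"C:\WINDOWS\system32\ntoskrnl.exe", 0x804D7000): 2056832,
    (r"C:\WINDOWS\system32\drivers\a5gb8dtk.sys", 0xF7A12000): 69632,
    ("", 0xF7B40000): 98304,
}
API_VIEW = {
    (r"C:\WINDOWS\system32\ntoskrnl.exe", 0x804D7000): 2056832,
}

# Heuristic from the reply: Alcohol's driver is 8 chars starting with "a".
ALCOHOL_STYLE = re.compile(r"^a[0-9a-z]{7}\.sys$", re.IGNORECASE)


def cross_view_diff(kernel_view, api_view):
    """Return (name, base) pairs the kernel view reports but the API omits.

    A module visible at kernel level yet absent from the user-mode listing is
    either hidden by a hook or filter (rootkit behaviour) or a transient
    artefact; either way it deserves a second look rather than a dump attempt
    that may crash the box."""
    return sorted(set(kernel_view) - set(api_view))


def looks_like_alcohol_driver(path):
    """True when the file name matches the 'a' + 7 random chars pattern."""
    name = path.rsplit("\\", 1)[-1]
    return bool(ALCOHOL_STYLE.match(name))


def triage(kernel_view, api_view):
    """Rank hidden entries: unnamed modules first, then named ones that do
    not match a known benign naming pattern, then probable Alcohol drivers."""
    report = []
    for name, base in cross_view_diff(kernel_view, api_view):
        report.append({
            "name": name or "<no name>",
            "base": hex(base),
            "size": kernel_view[(name, base)],
            "unnamed": name == "",
            "matches_alcohol_pattern": bool(name) and looks_like_alcohol_driver(name),
        })
    # Sort key: unnamed (0) < unexplained named (1) < known-pattern named (2)
    report.sort(key=lambda e: 0 if e["unnamed"] else (2 if e["matches_alcohol_pattern"] else 1))
    return report
```

Cross-view differencing only says that two views disagree; the heuristic then lets you check the cheap explanation (a legitimate randomly named driver) before assuming a rootkit.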


All times are GMT