x42x4b Posted August 30, 2006 (edited)

Hello, I've spent 10h on "search form" and I didn't find a solution. This is an anti-rootkit thing, yeah, yeah... why create a new one when we have IceSword :-)... I'm making a removing tool for malware (free for all, that's why I am AutoITing it :-) ). This damn malware hooked my ntdll.dll (OpenProcess, FindFile..., Reg...). I can't lock the PID and handles for the malware process. I think there are two ways to unhook it...

1) http://www.stanford.edu/~stinson/misc/curr...ating_hooks.txt
- "repair" hooked func
- take down mal-process
- repair regs, del files

2) http://***.org/
- "break" hooked func (change protected filenames, regkeys, procnames)
- take down mal-process
- repair regs, del files

I know there are people on this forum who are able to help. I know about the anti-public policy on such funcs in AutoIT. Well, what can I say... If someone needs gov-approval = PM :-). Once more time, please help me. Regards.

Edit: Removed URL for hooks library :-)

Edited August 31, 2006 by x42x4b

1. RTFM | /dev/LOL 2. RTFS | /dev/OMG 3. FGI | /dev/WTF 4. /dev/BBQ :)
x42x4b Posted August 31, 2006 (Author, edited)

Well, I tricked the rootkit process... I'm deleting its file before it starts. Thx for help :-).

Edited August 31, 2006 by x42x4b
Confuzzled Posted September 2, 2006

I'm sorry, I'm having a blonde moment. I read your two posts twice and still can't make any sense out of what you started out to achieve, what you wanted, and whether you finally got it.
x42x4b Posted September 3, 2006 (Author)

Confuzzled said:
> I'm sorry, I'm having a blonde moment. I read your two posts twice and still can't make any sense out of what you started out to achieve, what you wanted, and whether you finally got it.

The malware replaces (places a hook on) functions in ntdll.dll which are for getting a process ID. For example: the malware process name is klopok.exe :-); when any process asks ntdll.dll for the pid of klopok.exe, it receives nothing :-). I'd like to replace the hooked function with the correct one, which shows me the pid of klopok.exe. Just a simple and maybe stupid example, but I think you should get the point (if you know what hooking funcs in Windows is).
taozhong Posted September 29, 2006

x42x4b said:
> 1) http://www.stanford.edu/~stinson/misc/curr...ating_hooks.txt
> - "repair" hooked func
> - take down mal-process
> - repair regs, del files
> 2) http://***.org/
> - "break" hooked func (change protected filenames, regkeys, procnames)
> - take down mal-process
> - repair regs, del files

If you want to unlock the dll file, maybe you could try this:
- Unlocker
- Direct download

It can unlock the process which hooked the file, then you can delete the mal-process. Sorry for my English, I'm Taiwanese. And if I misunderstand your problem, please forgive me.
x42x4b Posted December 4, 2006 (Author)

taozhong said:
> If you want to unlock the dll file, maybe you could try this: Unlocker (Direct download). It can unlock the process which hooked the file, then you can delete the mal-process. Sorry for my English, I'm Taiwanese. And if I misunderstand your problem, please forgive me.

Thanks for the answer, but I'm not looking for a tool for unlocking dlls or apps. When the process is a rootkit (in ring3) you need to unhook APIs... This topic is still active... :-). Regards...