Log in

View Full Version : How to find a suspectious program?

Hero
November 15th, 2007, 00:16
Hi
Last day I tried to debug a program after a while,and notice something suspectious.

When I set a BP on LoadLibraryA and reached it, I saw a code similar too this:
mov ebp,esp
push ebp
nop
jmp BEB24561(not sure about address)

This codes means that a global hook has been install on my computer,and a good one too.Now I get a problem that I can't debug programs,because programs crashs while debugging on that strange JMP,yet if I run programs normally,everything seems to be correct.
How I can find what is the programs that had installed this hook?I can find anything suspecious(nothing is shown in Process Explorer).

Regards
Kayaker
November 15th, 2007, 00:30
Hi,

I'd probably try RKU RootkitUnhooker or Raide and see if they ferret out the culprit, there are probably several others as well but I've tested both of those without problems.

http://www.rootkit.com/vault/petersilberman/RAIDE_BETA_1.zip

You could also run Sysinternals Rootkit Revealer, though I'm not sure if it would pick up such a thing.

Let us know what you find out.
dELTA
November 15th, 2007, 03:15
Also, if you've only used a ring 3 debugger to try to trace that jump, try a ring 0 debugger too, depending on the technique used, it might work better.

And if it still crashes while following a jump, is it possible to just view the code at the destination of the jump without actually jumping to it? That might reveal some interesting things too.
fr33ke
November 15th, 2007, 06:45
Jumping to kernel memory (usually >0x80000000) from r3 will almost always create a fault, so I guess the fault handler is hooked somewhere.
evlncrn8
November 15th, 2007, 10:10
Quote:
[Originally Posted by fr33ke;70249]Jumping to kernel memory (> 0x80000000) from r3 will always create a fault, so I guess the fault handler is hooked somewhere.


hardly, considering kernel32 is loaded MUCH higher than that...
please check your information.. its wrong
dELTA
November 15th, 2007, 10:57
Are you sure about that evlncrn8? I think fr33ke is right, and as far as I can remember kernel32 (and all other system DLLs) are usually loaded at 0x7xxxxxxx addresses? (I'm talking NT/2000/XP here, don't remember for earlier ones, but I think they were the same too?)

I just double-checked (in Windows XP, OllyDbg's executable modules window), and it was indeed the case. Can we see a screenshot of your OllyDbg executable modules window for an arbitrary process, with kernel32 loaded higher than 0x80000000?

And just to rule out any misunderstandings: We're talking ring 3 applications in 32-bit operating systems here.

Are you sure you haven't just played around too much with fancy CD protections that already employ similar API hooking/redirection techniques to the ones mentioned above?
janus68
November 15th, 2007, 10:57
Quote:
[Originally Posted by evlncrn8;70251]hardly, considering kernel32 is loaded MUCH higher than that...

Just checked,kernel32 loaded at addr : xp sp2 : 0x7C800000,vista : 0x76980000.
Really you have kernel32 loaded above 0x80000000 ?
scherzo
November 15th, 2007, 11:32
Quote:
[Originally Posted by dELTA;70252]as far as I can remember kernel32 (and all other system DLLs) are usually loaded at 0x7xxxxxxx addresses? (I'm talking NT/2000/XP here, don't remember for earlier ones, but I think they were the same too?)


If I remember well, in win98 system dlls are loaded at something like 0xB0000000. Anyway, I don't know anything about win98 kernel, so I'm not sure about that.

scherzo
evlncrn8
November 15th, 2007, 12:30
w98x ones are 0xbf??????, really depends on the architecture... i was remembering from those ones, 2k etc are at the ones specified, also memory mapped files are > 08000000h range, so that area would be perfectly valid in ring 3... i didnt mean to attack, i just meant to point out that you cant take addresses as a 'given' range, various things can go outside of the range.. like the heap being below the base address, memory maps higher than 08000000h and so on...
blabberer
November 15th, 2007, 12:32
iirc /3gb switch systems can have kernel.dll loaded at anything less than 0xc0000000 so oxb###### can be a valid address in r3 in that case

otherwise 0xb###### is too high an address for r3 applications

and no you cannot jump to r3 from r0 as easily as that with jmp blah
naides
November 15th, 2007, 14:51
I think there is a source of confusion in this thread. In windows NT flat memory model, Memory above 0x8000000 address, the upper 2 Gbytes, is called kernel reserved memory and is untouchable/unjumpable from ring 3 programs.

kernel32.dll (and user32.dll and others) despite having the name "kernel" in it, are user modules, loaded in the application (user) memory space, typically around 0x700000000 area, freely available to ring 3 applications, which indeed routinely call and jump to them during program execution.

In other words, kernel32.dll is a user level module, loaded in user memory (more specifically in segment in memory shared by all user level programs) but acts as an inter phase with the bonafide windows kernel, which is ring 0, loaded at the top 2 Gbyte area of memory, along with all the low level stuff of windows: system drivers, scheduler, HAL, BIOS etc.
Hero
November 15th, 2007, 15:18
Thanks for replies...
I should say some info here was new but I knew some other ones(for example kernel32.dll is loaded in user address space not kernel one and I know I can't jump from a r3 code directly to r0 code).
But the application behaviour is really strange and i donna why applications run at all.
Here an example:
I opened notepad.exe in olly,and went on LoadLibraryA adress(not every API from kernel32.dll has changed,only a few ones like LoadLibraryA).
Here is ther exact code that I see:
---
push ebp
mov ebp,esp
nop
pop ebp
jmp B2E85B25
---
I donna why when I run program by pressing F9,everything is OK,but when I try to do it step by step,or use ALT-F9 to return to user code,it crashs...
I cannot find any execption handler for it too(pehaps I couldn't find it,is there anyway to force ollydbg to stop at begining of evey execption handler when an exception accured and don't stop olly on exception itself?).
how is it possible to handle such a jump in a hook?any other way except installing an exception handle?

Regards
naides
November 15th, 2007, 16:36
Here is the code I see in my LoadLibraryA with NotePad loaded:

Code:
7C801D77 >  8BFF            MOV EDI,EDI;   This is where "legal" hook hooks

7C801D79    55              PUSH EBP

7C801D7A    8BEC            MOV EBP,ESP

7C801D7C    837D 08 00      CMP DWORD PTR SS:[EBP+8],0  Are the bytes at least similar??

7C801D80    53              PUSH EBX

7C801D81    56              PUSH ESI

7C801D82    74 14           JE SHORT kernel32.7C801D98

7C801D84    68 C0E0807C     PUSH kernel32.7C80E0C0                   ; ASCII "twain_32.dll"

7C801D89    FF75 08         PUSH DWORD PTR SS:[EBP+8]

7C801D8C    FF15 9C13807C   CALL DWORD PTR DS:[<&ntdll._strcmpi>]    ; ntdll._stricmp

7C801D92    85C0            TEST EAX,EAX


If you disassembly kernel32.dll FROM DISK how does the code look like??

Try patching the code in memory to the original state see what happens.


Do you have a FireWall/antiMalware that may be hooking things in a weird fashion??

Can you place a BP beyond the modif code and let it run??
Maximus
November 15th, 2007, 21:10
u-uhm... weird. Download and install Syser -and use it to trace in r0 debugger.

IF the jump succeeds (no error), it can mean only that such memory is kernel-mapped in your space. The 0x8x address limit isnt a processor limit, and a jump is restricted only by the processor limits.
If it can jump there, then it has a memory block mapped that can be executed. Simple. The only behaviour i could think of is a global hook shared a' la' win98 sys dlls.

weird... make a sample for us, I'm curious
Hero
November 16th, 2007, 01:05
Quote:
[Originally Posted by naides;70259]
If you disassembly kernel32.dll FROM DISK how does the code look like??

this is start of kernel32.dd from disk:
Code:
00871D77 >/$ 8BFF           MOV EDI,EDI

00871D79  |. 55             PUSH EBP

00871D7A  |. 8BEC           MOV EBP,ESP

00871D7C  |. 837D 08 00     CMP DWORD PTR SS:[EBP+8],0

00871D80  |. 53             PUSH EBX

00871D81  |. 56             PUSH ESI

00871D82  |. 74 14          JE SHORT kernel_1.00871D98

00871D84  |. 68 F0E28700    PUSH kernel_1.0087E2F0                   ; /s2 = "twain_32.dll"

00871D89  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |s1

00871D8C  |. FF15 9C138700  CALL DWORD PTR DS:[<&ntdll._strcmpi>]    ; \_stricmp

00871D92  |. 85C0           TEST EAX,EAX

exactly like yours....
I'm using kaspersky antivirus that make some hooks,but i don't think that this hook belong to kaspersky(if somebody who has kaspersky check this,it will be great).
because when I tried that RKU RootkitUnhooker,it both detect some user lvl hooks that belong to kaspersky and some hooks with Unknown module.
Here is some result of RKU RootkitUnhooker,in user level scan that belongs to LoadLibraryA:
Code:


[-] C:\WINDOWS\system32\ntdll.dll has had it's IAT table modified. Function LoadLibraryA has been changed to point a module that could not be identified (0x00d000b8).

[-] C:\WINDOWS\system32\kernel32.dll has had one of its functions modified. Function LoadLibraryA has been modified with an inline hook to point a module that could not be identified (0x00d000b8).

[-] C:\WINDOWS\system32\ntdll.dll has had it's IAT table modified. Function LoadLibraryA has been changed to point a module that could not be identified (0x00ad00b8).

[-] C:\WINDOWS\system32\kernel32.dll has had one of its functions modified. Function LoadLibraryA has been modified with an inline hook to point to d:\program files\kaspersky lab\kaspersky anti-virus 6.0\avlib.ppl

[-] C:\WINDOWS\system32\kernel32.dll has had one of its functions modified. Function LoadLibraryA has been modified with an inline hook to point a module that could not be identified (0x63602a5b).

lol,a little too much user mode,isn't it?
Quote:
[Originally Posted by Maximus]make a sample for us

What you mean by make a sample?
In addition,do you now any kernel level tool could give me all sstem memory map?I mean that even show us adrressed that belong driver,...

here is some new interesting data:
1-if you don't use olly bp man,when you set a BP on for examle LoadLibraryA,after restrating olly,all these BPs are gone....
But this is not happening for me anymore,for example I set a BP on LoadLibraryA after loading kernel32.dll on olly.
then when I restart olly,it stops 2 times on that BP over LoadLibrary before even Loading DLL using LoadDll.exe!!!!and the more funny is that the 2nd one was a call to LoadLibraryA with kernel32.dll as its module name to be loaded!!!
2-I noticed that real kernel32.dll never changes while loading!!!!
this hook is really clever:it seems it changes FirstThunk of APIs when process is going o create to point to its own code!!!!
for example for LoadLibraryA,the export address is 0x7C801D77 but when i set a BP it will be set on address 0x7C882F9C that is data section of kernel32,not its code section and that strange code stands here.
great way for hooking,isn't it?

Regards
disavowed
November 16th, 2007, 12:07
Quote:
[Originally Posted by Hero;70267]do you now any kernel level tool could give me all sstem memory map?I mean that even show us adrressed that belong driver,...

windbg
deroko
November 16th, 2007, 12:13
@Hero : that's Kasperky hook. Here is more info from EP_X0FF : http://www.rootkit.com/newsread.php?newsid=778
Hero
November 16th, 2007, 12:21
Quote:
[Originally Posted by deroko;70270]@Hero : that's Kasperky hook. Here is more info from EP_X0FF : http://www.rootkit.com/newsread.php?newsid=778


Great information deroko!!!!
Kaspersky is a good antivirus,but i think i should uninstall it for this problem....

Regards!!!
blabberer
November 16th, 2007, 23:47
ah kaspersky

it hooks everything and then allows backdoors that makes one write from user to kernel etc is what skywing wrote in one of this uninformed articles long back

check that out for kaspy baby hooker

Quote:

For instance, KAV's modified NtOpenProcess attempts to determine if a user
address is valid by comparing it to the hardcoded value 0x7FFF0000. On most
x86 Windows systems, this address is below the highest user address (typically
0x7FFEFFFF). However, hardcoding the size of the kernel address space is not a
very good idea; there is a boot parameter `/3GB' that can be set in boot.ini in
order to change the default address space split of 2GB kernel and 2GB user to
1GB kernel and 3GB user. If a system with KAV is configured with /3GB, it is
expected that anything that calls NtOpenProcess (such as the win32 OpenProcess)
may randomly fail if parameter addresses are located above the first 2GB of the
user address space:


Quote:

KAV's kernel patching is not limited to just system services, however. One of
the most dangerous hooks that KAV installs is one in the middle of the
nt!SwapContext function, which is neither exported nor a system service (and
thus has reliable mechanism to be detected by driver code, other than code
fingerprinting). nt!SwapContext is called by the kernel on every context
switch in order to perform some internal bookkeeping tasks.


Quote:

2.6. Allowing user mode code to access kernel memory directly from user mode,
improper validation of user mode structures.

One of the most important principles of the kernel/user division that modern
operating systems enforce is that user mode is not allowed to directly access
kernel mode memory. This is necessary to enforce system stability, otherwise
a buggy user mode program could corrupt the kernel and bring down the whole
system.

Unfortunately, the KAV programmers appear to think that this distinction is not
really so important after all.

One of the strangest of the unsafe practicies implemented by KAV is to allow
user mode to directly call some portions of their kernel driver (within kernel
address space!) instead of just loading a user mode DLL (or otherwise loading
user mode code in the target process).

This mechanism appears to be used to inspect DLLs as they are loaded - a task
which would be much better accomplished with PsSetLoadImageNotifyRoutine.

KAV patches kernel32.dll as a new process is created, such that the export
table points all of the DLL-loading routines (e.g. LoadLibraryA) to a thunk
that calls portions of KAV's driver in kernel mode. Additionally, KAV modifes
protections on parts of its code and data sections to allow user mode read
access.

KAV sets a PsLoadImageNotifyRoutine hook to detect kernel32.dll being loaded in
order to know when to patch kernel32's export table. The author wonders why
KAV did not just do their work from within PsSetLoadImageNotifyRoutine directly
instead of going through all the trouble to allow user mode to call kernel mode
for a LoadLibrary hook.

The CheckInjectCodeForNewProcess function is called when a new process loads an
image, and checks for kernel32 being loaded. If this is the case, it will
queue an APC to the process that will perform patching.



http://www.uninformed.org/index.cgi?v=4&a=4&t=txt