WaxfordSqueers
January 27th, 2008, 03:02
I've been bugging Ricardo over in Our Tools regarding Paimei...trying to get it running. Thought I'd give him a break.
Ricardo suggested I needed a clean install, or a VM, since I seem to be the only one who can't get Paimei running with all apps. He theorized that something might be hooking a module or app I was using, and screwing up Paimei. The exercise was not wasted, however, since I have a concern about rootkits.
Two questions I have here are not Paimei related and it's getting into the malware area, but my interest is in the reversing arena. It is a noob-like question, however, involving the IDT. I need to start learning that stuff, and I was hoping someone could make a suggestion that would lower the learning curve.
Question 1) I ran several rootkit apps including rootkit revealer, gmer and raide. Raide showed up a lot of hooks, 95% of which were related to the Sygate personal firewall and Alcohol 120%. The latter uses a rootkit-like driver to hide itself from protection systems. The version I am running is lightweight in that respect, however.
I completely uninstalled Sygate and Alcohol, and made sure none of their drivers were left behind. I ran raide again, and it cut the hooks dramatically, to about 21. The remaining hooks are mainly related to NDIS.sys, which I'm sure is about my wireless router. There are only five problems remaining involving Interrupts 1, 3 and 14, and a hidden app.
The interrupt info is as follows:
Interrupt 1(0x01) has been hooked by an unknown module.
Interrupt 3(0x03) has been hooked by an unknown module.
Interrupt 14(0x0e) has been hooked by an unknown module.
There is a message with them that says, "No action can be taken against IDT hooks".
I'm really dumb when it comes to interrupts and I need to read on that. I am hoping someone who reads this can make a suggestion that might point me in the right direction. For example, why would an app want to hook an interrupt like 1 or 3 if it isn't a debugger?
One clue comes from this blurb:
Interrupt 14
The PC interrupt used to reroute messages from the serial port to the network interface card (NIC); used by some terminal-emulation programs.
That could mean it is related to the router as well...but why the serial port?
Question 2) I get two other messages from raide claiming:
Found a hidden process. ∞ogonui.exe:3000 is hidden
using PspCidTable Remove method. This method is commonly used by FUTo.
Found a hidden process. LOGOJUI.EXE:3980 is hidden
using PspCidTable Remove method. This method is commonly used by FUTo.
Sometimes, this file shows up correctly as logonui.exe and other times it shows up with a distorted name, as shown above. I don't know if that's a problem in raide or if it's micro$oft being silly.
I searched Google a fair amount for info on the file and there is a mention relating it to msgina.dll, which seems to be a genuine Microsoft NT logon file. As usual, with the malware crowd, no one seems to know exactly what it is. BTW, the reference to FUTo comes from the rootkit supplied by the raide site.
From a reverse engineering perspective, how would I go about finding a hidden file? I'm asking here first because the best answers come from here.
Anyway, uninstalling Sygate and Alcohol made no difference to the way Paimei works for me. I got it going on Notepad and Minesweeper, but so far, nothing else. Anyone interested can view the Paimei thread in the Tools section.
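To illustrate what the "hooked by an unknown module" finding in Question 1 means, here is an added example (not raide's code and not from the original post): it decodes 32-bit x86 IDT gate descriptors, reassembles each handler address, and flags any vector whose handler falls outside the listed kernel module ranges. The gate layout is the documented Intel one; the module range and handler addresses are constructed sample values, not real system data.

```c
#include <stdint.h>
#include <stddef.h>

/* A 32-bit x86 IDT gate is 8 bytes: offset[15:0], code selector, reserved,
   type/attributes, offset[31:16]. Module ranges below are constructed samples. */
typedef struct { const char *name; uint32_t base; uint32_t size; } kmodule_t;

/* Reassemble the handler address from the two split offset halves. */
uint32_t idt_handler_address(const uint8_t raw[8]) {
    return ((uint32_t)raw[7] << 24) | ((uint32_t)raw[6] << 16) |
           ((uint32_t)raw[1] << 8)  |  (uint32_t)raw[0];
}

int idt_gate_present(const uint8_t raw[8]) { return (raw[5] & 0x80) != 0; }

/* Attribute a handler to the module whose image range contains it.
   NULL is the "unknown module" case that a scanner reports for a vector. */
const char *idt_owner(uint32_t handler, const kmodule_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (handler - mods[i].base < mods[i].size)   /* unsigned range test */
            return mods[i].name;
    return NULL;
}

/* Encode a present, DPL0, 32-bit interrupt gate (only used to build the sample). */
void idt_encode_gate(uint32_t handler, uint8_t out[8]) {
    out[0] = handler & 0xFF;  out[1] = (handler >> 8) & 0xFF;
    out[2] = 0x08;            out[3] = 0x00;   /* kernel code selector (constructed) */
    out[4] = 0x00;            out[5] = 0x8E;   /* P=1, DPL=0, type 0xE */
    out[6] = (handler >> 16) & 0xFF; out[7] = (handler >> 24) & 0xFF;
}

/* Scan nvec gates; record vectors whose handler is in no known module. */
size_t idt_scan_unknown(const uint8_t *idt, size_t nvec, const kmodule_t *mods,
                        size_t nmods, int *flagged, size_t maxflag) {
    size_t hits = 0;
    for (size_t v = 0; v < nvec; v++) {
        const uint8_t *g = idt + v * 8;
        if (!idt_gate_present(g)) continue;
        if (idt_owner(idt_handler_address(g), mods, nmods) == NULL && hits < maxflag)
            flagged[hits++] = (int)v;
    }
    return hits;
}

/* Constructed demo: vectors 1 and 3 point outside every listed module. */
size_t demo_scan(int *flagged, size_t maxflag) {
    static const kmodule_t mods[] = { { "ntoskrnl.exe (constructed range)", 0x80400000u, 0x00200000u } };
    uint8_t idt[4 * 8];
    idt_encode_gate(0x80401000u, idt + 0);  idt_encode_gate(0xF8A12340u, idt + 8);
    idt_encode_gate(0x80402000u, idt + 16); idt_encode_gate(0xF8A12360u, idt + 24);
    return idt_scan_unknown(idt, 4, mods, 1, flagged, maxflag);
}
```

On a real system the table bytes come from the address SIDT returns and the module list from the loaded driver list; a handler that maps to no module is what earns the "unknown module" label, which is a prompt to investigate, not proof of a rootkit by itself.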