Page 5 of 16
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sun Mar 28, 2010 10:49 am
by liangtong
Hello, the test machine has no VT support (I installed XP Mode with a recent KB977206 update).
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sun Mar 28, 2010 11:57 am
by EP_X0FF
Hello,
I was able to reproduce your crash.
This is caused by VirtualPC. You can reproduce it even with the old VirtualPC 2007 (the result of execution will be a BSOD in the rku driver).
When hardware acceleration is not available or is disabled, the SGDT instruction gives an unpredictable result when executed in kernel mode.
For example, it returns a Limit value = MAXWORD, while the same SGDT call in user mode gives me the correct value of 1023.
Exactly this causes rku to crash. When hardware acceleration is enabled, everything works as expected.
We have already seen strange behavior of a virtual machine in the case of VMware with VT disabled.
When VT is disabled for a VMware virtual machine, SGDT in user mode returns incorrect values. When hardware acceleration is enabled, everything works as expected.
The only workaround that I see for now is detection of public virtual machines (it can be done easily without VT) and turning off some features while working.
Regards.
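The post above describes SGDT returning a garbage Limit (MAXWORD) under a non-VT virtual machine where the real table has a limit of 1023. The following C example, added here and not taken from RkUnhooker or from any poster, shows the kind of plausibility check a scanner can apply to a stored GDTR before trusting it; the struct layout is the 16-bit limit plus base that SGDT stores, and the function names and the sample base address are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Image of the GDTR exactly as SGDT stores it: 16-bit limit, then the base
 * (32 bits on x86, 64 bits on x64). Packed so SGDT can write straight into it. */
#pragma pack(push, 1)
typedef struct {
    uint16_t  limit;
    uintptr_t base;
} gdtr_t;
#pragma pack(pop)

#define GDT_ENTRY_SIZE 8u      /* every GDT descriptor is 8 bytes */
#define MAXWORD        0xFFFFu /* the bogus limit reported in the thread */

/* Returns 1 if the stored GDTR looks like a real table, 0 if it looks like
 * the unpredictable value a VM without VT support hands back. */
int gdtr_plausible(const gdtr_t *g)
{
    if (g->base == 0)                                  /* no GDT lives at address 0 */
        return 0;
    if (g->limit == MAXWORD)                           /* exactly the VirtualPC failure case */
        return 0;
    if (((unsigned)g->limit + 1u) % GDT_ENTRY_SIZE)    /* limit is size-1, so size must be a multiple of 8 */
        return 0;
    return 1;
}

/* Number of descriptors the table holds, or 0 when the GDTR is untrusted,
 * so a caller never iterates over a table size it cannot rely on. */
unsigned gdt_entry_count(const gdtr_t *g)
{
    return gdtr_plausible(g) ? ((unsigned)g->limit + 1u) / GDT_ENTRY_SIZE : 0;
}

#if defined(__x86_64__) || defined(__i386__)
/* Read the live GDTR with SGDT (a user-mode read, as in the post's comparison). */
void read_gdtr(gdtr_t *out)
{
    __asm__ volatile ("sgdt %0" : "=m" (*out));
}
#endif

int main(void)
{
    gdtr_t g = {0};
#if defined(__x86_64__) || defined(__i386__)
    read_gdtr(&g);
#endif
    printf("GDTR limit=0x%x base=%#lx plausible=%d entries=%u\n",
           (unsigned)g.limit, (unsigned long)g.base, gdtr_plausible(&g), gdt_entry_count(&g));
    return 0;
}
```

With the 1023 limit quoted in the post the check passes and yields 128 descriptors; the MAXWORD limit is rejected before any descriptor is dereferenced.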
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sun Mar 28, 2010 10:57 pm
by Dreg
I am working on a new method to fix this scenario without disabling the detection.
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Mon Mar 29, 2010 12:41 am
by teamtopkarl
stealth code:
Exception code : 0xC0000005
Instruction address : 0x0043D470
Attempt to read at address : 0x013A100B
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Mon Mar 29, 2010 3:01 am
by EP_X0FF
Hello,
the same reason as above. Currently the rku stealth code scan is not compatible with virtual machines without Vanderpool / Pacifica hw support.
This will be fixed in the next beta version update.
Thanks.
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Mon Mar 29, 2010 5:00 pm
by EP_X0FF
Hello,
liangtong and others who have experienced the crash under Windows XP Mode:
Please test this version. It contains a workaround for this problem (I used Dreg's advice).
It was tested with Virtual PC / VMware with hw VT acceleration disabled.
MD5: 9f89fd4edee0bfaa1bbe16f4bf2c527f
SHA1: 8d9e92561870dff75c25b0b939823b84fde1cae0
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Tue Mar 30, 2010 8:59 am
by kingken
:D :D good
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Tue Mar 30, 2010 11:13 am
by liangtong
Hello,
Stealth code scan worked well on XP Mode with no VT support.
But there's another problem. On Windows 7, stealth code always gets the following result.
0x8EADBF2E Unknown thread object [ ETHREAD 0x8B8F6D48 ] TID: 2372, 600 bytes
kd> dt nt!_ethread 8b8f6d48
+0x218 StartAddress : 0x8eadbf2e Void
+0x260 Win32StartAddress : 0x8eadbf2e Void
0: kd> u 0x8eadbf2e
<Unloaded_spsys.sys>+0x2af2e:
8eadbf2e ?? ???
^ Memory access error in 'u 0x8eadbf2e'
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Tue Mar 30, 2010 12:18 pm
by EP_X0FF
Thanks for testing. Your contribution helped to solve this issue.
0x8EADBF2E Unknown thread object [ ETHREAD 0x8B8F6D48 ] TID: 2372, 600 bytes
This is a false positive. The process is exiting and the thread is marked as terminated, but it is still accessible through manual structure parsing.
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Thu Apr 01, 2010 3:06 pm
by markusg
Did you find a possibility to use the screen reader together with your tool?