Page 6 of 16
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Thu Apr 01, 2010 3:08 pm
by EP_X0FF
Hello,
Because Rootkit Unhooker uses some self-protection against user-mode malware and GUI attacks, sorry, but this is nearly impossible :(
Regards.
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Fri Apr 02, 2010 4:49 am
by EP_X0FF
Update.
2 April 2010.
MD5 for exe
0b74739e7a71dc44e8c6ffe6804133a4
SHA1 for exe
48065c9197cd18ba6d6315bdd16bc0bd4c207b8f
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sat Apr 03, 2010 4:55 am
by kmd
XP SP3 working well, thanks for the update :)
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sun Apr 11, 2010 7:09 am
by EP_X0FF
Update with fix to Pandex Rootkit anti-RkU specific code.
11 April 2010.
It is highly recommended to use this version instead of all previous ones.
MD5 for exe
74fc5f6228f9901d382876e98ad7008a
SHA1 for exe
543d22699fccd080ccc7070d7032daefb1f35b7d
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sun Apr 11, 2010 12:48 pm
by PAUK
Oops! It does NOT load... the previous version worked well.
Win 7 Ultimate x86
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sun Apr 11, 2010 1:13 pm
by EP_X0FF
Thanks for testing. This rebuild should solve the issue.
MD5 for exe
2f26f3cbafacfa5a3d9c0ad7c21ac8c4
SHA1 for exe
2a812a68469249ffe7887272cda4e87ecd308b10
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Sun Apr 11, 2010 1:24 pm
by PAUK
Yes! :) Started and works, thanks!
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 4:06 am
by EP_X0FF
Update.
14 April 2010
MD5 for exe
39119f7fe25c806395edd1983b6f47df
SHA1 for exe
4a113b4d48433c38d80ade4a972c301db317aceb
All previous localization DLLs (local.dll) are incompatible with this version.
Attached: Russian local.dll (MD5 4d214cf3430cc02815f9ba8d25c5fc4a) and the translatable resources project
(local_dll.dll MD5 50138f5bc833fd075f4899ddee888fc0,
Res1.res MD5 ae7d62113d78c116e73ff00603f4f310)
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 6:17 am
by Krestig
It seems that a kernel pool overflow/corruption is in normandy.sys.
It happened after clicking on the Stealth Code tab.
WinXP SP3 Rus, kernel crash info:
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000050, Attempt to free a non-allocated paged pool address
Arg2: e12f2000, Starting address
Arg3: 000002f2, Start offset in pages from beginning of paged pool
Arg4: 0a000000, Size in bytes of paged pool
Debugging Details:
------------------
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
BUGCHECK_STR: 0xc2_50
DEFAULT_BUCKET_ID: CODE_CORRUPTION
PROCESS_NAME: RKUnhookerLE.EX
LAST_CONTROL_TRANSFER: from 80548c2d to 804f9f43
STACK_TEXT:
eb785ae0 80548c2d 000000c2 00000050 e12f2000 nt!KeBugCheckEx+0x1b
eb785b20 8054b49a 00000012 8052e788 00000000 nt!MiFreePoolPages+0x8b
eb785b60 8054b95f e12f2000 00000000 eb785bd8 nt!ExFreePoolWithTag+0x1ba
eb785b70 eb731a8b e12f2000 85adc008 86df3cf0 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
eb785bd8 eb732a0a 022e0000 864c56e8 86df3cf0 Normandy+0x3a8b
eb785c40 804ef19f 85ad8278 85adc008 806e6410 Normandy+0x4a0a
eb785c50 8057f982 85adc078 864c56e8 85adc008 nt!IopfCallDriver+0x31
eb785c64 805807f7 85ad8278 85adc008 864c56e8 nt!IopSynchronousServiceTail+0x70
eb785d00 80579274 00000084 00000000 00000000 nt!IopXxxControlFile+0x5c5
eb785d34 8054163c 00000084 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
eb785d34 7c90e514 00000084 00000000 00000000 nt!KiFastCallEntry+0xfc
022cf838 00000000 00000000 00000000 00000000 0x7c90e514
STACK_COMMAND: kb
CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
804fa87a-804fa87e 5 bytes - nt!KeDelayExecutionThread
[ 8b ff 55 8b ec:e9 05 3d 23 6b ]
80504498-8050449b 4 bytes - nt!KiServiceTable+2c (+0x9c1e)
[ 16 bb 5e 80:da 0b 93 ee ]
805044e8-805044eb 4 bytes - nt!KiServiceTable+7c (+0x50)
[ 96 45 5a 80:b8 01 93 ee ]
80504500-80504503 4 bytes - nt!KiServiceTable+94 (+0x18)
[ 84 90 57 80:40 08 93 ee ]
80504510-80504513 4 bytes - nt!KiServiceTable+a4 (+0x10)
[ c8 37 62 80:5a 13 93 ee ]
80504524-80504527 4 bytes - nt!KiServiceTable+b8 (+0x14)
[ b2 50 5a 80:9a 00 93 ee ]
80504534-80504537 4 bytes - nt!KiServiceTable+c8 (+0x10)
[ 8e b3 5a 80:6a 20 93 ee ]
8050453c-80504543 8 bytes - nt!KiServiceTable+d0 (+0x08)
[ a6 39 5c 80 d2 0f 5d 80:02 23 93 ee 60 fc 92 ee ]
80504568-8050456b 4 bytes - nt!KiServiceTable+fc (+0x2c)
[ 64 3c 62 80:c4 0f 93 ee ]
80504570-80504573 4 bytes - nt!KiServiceTable+104 (+0x08)
[ 34 3e 62 80:74 11 93 ee ]
8050457c-8050457f 4 bytes - nt!KiServiceTable+110 (+0x0c)
[ b4 df 5b 80:92 fa 92 ee ]
805045f0-805045f3 4 bytes - nt!KiServiceTable+184 (+0x74)
[ 3a 41 58 80:ec 1c 93 ee ]
80504610-80504613 4 bytes - nt!KiServiceTable+1a4 (+0x20)
[ 80 c5 5b 80:3c 04 93 ee ]
8050463c-8050463f 4 bytes - nt!KiServiceTable+1d0 (+0x2c)
[ 82 a1 57 80:1c 0a 93 ee ]
80504654-80504657 4 bytes - nt!KiServiceTable+1e8 (+0x18)
[ fa b3 5c 80:c2 f7 92 ee ]
80504660-80504663 4 bytes - nt!KiServiceTable+1f4 (+0x0c)
[ b2 a3 5a 80:cc 06 93 ee ]
8050466c-8050466f 4 bytes - nt!KiServiceTable+200 (+0x0c)
[ 86 b6 5c 80:3a f9 92 ee ]
8050476c-8050476f 4 bytes - nt!KiServiceTable+300 (+0x100)
[ ea 31 62 80:20 17 93 ee ]
8050478c-8050478f 4 bytes - nt!KiServiceTable+320 (+0x20)
[ 3c 2d 5a 80:48 26 93 ee ]
805047b4-805047b7 4 bytes - nt!KiServiceTable+348 (+0x28)
[ 2a 3d 5a 80:88 1a 93 ee ]
80504820-80504823 4 bytes - nt!KiServiceTable+3b4 (+0x6c)
[ da 05 5c 80:c0 0d 93 ee ]
8050482c-8050482f 4 bytes - nt!KiServiceTable+3c0 (+0x0c)
[ ec f3 60 80:9a 1e 93 ee ]
80504848-8050484b 4 bytes - nt!KiServiceTable+3dc (+0x1c)
[ 3a 1d 62 80:20 15 93 ee ]
80504850-80504853 4 bytes - nt!KiServiceTable+3e4 (+0x08)
[ 76 26 61 80:d6 03 93 ee ]
80504868-8050486b 4 bytes - nt!KiServiceTable+3fc (+0x18)
[ 92 77 61 80:c0 05 93 ee ]
80504870-80504877 8 bytes - nt!KiServiceTable+404 (+0x08)
[ 82 29 5d 80 7c 2b 5d 80:64 ff 92 ee 32 fe 92 ee ]
80537014-80537018 5 bytes - nt!ExAllocatePool (+0x327a4)
[ 8b ff 55 8b ec:e9 0c 75 1f 6b ]
8054b968-8054b96c 5 bytes - nt!ExAllocatePoolWithTag
[ 8b ff 55 8b ec:e9 e8 2b 1e 6b ]
123 errors : !nt (804fa87a-8054b96c)
MODULE_NAME: Normandy
IMAGE_NAME: Normandy.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4bc3deca
FOLLOWUP_NAME: MachineOwner
MEMORY_CORRUPTOR: PATCH_Normandy
FAILURE_BUCKET_ID: MEMORY_CORRUPTION_PATCH_Normandy
BUCKET_ID: MEMORY_CORRUPTION_PATCH_Normandy
Followup: MachineOwner
---------
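The !chkimg listing in the report above mixes two kinds of patch: 4- and 8-byte overwrites of nt!KiServiceTable entries (SSDT pointer swaps, each cell being one service pointer) and 5-byte `e9 rel32` overwrites of the hot-patchable `8b ff 55 8b ec` prologue on KeDelayExecutionThread, ExAllocatePool and ExAllocatePoolWithTag (inline JMP hooks). The Python script below is an added example, not code from this thread or from Rootkit Unhooker: it parses a subset of those lines (copied from the post), decodes each patch, resolves every JMP's rel32 to its target (target = patch address + 5 + rel32), and checks whether the target falls inside the Normandy image. Normandy's base, 0xeb72e000, is derived from the stack frame `eb731a8b ... Normandy+0x3a8b`; the 64 KB image size used to bound that check is an assumption, since the dump does not print it.

```python
"""Classify the patches in a WinDbg `!chkimg -d !nt` listing.

Two patch shapes appear in the crash report this example accompanies:
  * 4/8-byte overwrites of nt!KiServiceTable entries   -> SSDT pointer swaps
  * 5-byte `e9 rel32` over the `8b ff 55 8b ec` prologue -> inline JMP hooks
The script decodes both and says where each hook points.
"""
import re
import struct
from dataclasses import dataclass, field

# Sample input: a subset of the !chkimg lines copied from the crash report.
CHKIMG_OUTPUT = """\
804fa87a-804fa87e 5 bytes - nt!KeDelayExecutionThread
[ 8b ff 55 8b ec:e9 05 3d 23 6b ]
80504498-8050449b 4 bytes - nt!KiServiceTable+2c (+0x9c1e)
[ 16 bb 5e 80:da 0b 93 ee ]
8050453c-80504543 8 bytes - nt!KiServiceTable+d0 (+0x08)
[ a6 39 5c 80 d2 0f 5d 80:02 23 93 ee 60 fc 92 ee ]
80537014-80537018 5 bytes - nt!ExAllocatePool (+0x327a4)
[ 8b ff 55 8b ec:e9 0c 75 1f 6b ]
8054b968-8054b96c 5 bytes - nt!ExAllocatePoolWithTag
[ 8b ff 55 8b ec:e9 e8 2b 1e 6b ]
123 errors : !nt (804fa87a-8054b96c)
"""

# Normandy's base is derived from the stack frame "eb731a8b ... Normandy+0x3a8b".
# The image size is NOT in the dump; 64 KB is an ASSUMPTION used only to bound
# the "does this target fall inside Normandy?" check.
NORMANDY_BASE = 0xEB731A8B - 0x3A8B          # 0xeb72e000
ASSUMED_NORMANDY_SIZE = 0x10000
MODULES = {"Normandy": (NORMANDY_BASE, NORMANDY_BASE + ASSUMED_NORMANDY_SIZE)}

HEADER_RE = re.compile(r"^([0-9a-f]{8})-[0-9a-f]{8}\s+\d+ bytes - (\S+)")
BYTES_RE = re.compile(r"^\[\s*([0-9a-f ]+?)\s*:\s*([0-9a-f ]+?)\s*\]")
SSDT_RE = re.compile(r"^nt!KiServiceTable\+([0-9a-f]+)$")


@dataclass
class Patch:
    address: int
    symbol: str
    original: bytes
    patched: bytes
    kind: str                      # "inline_jmp", "ssdt_entry" or "unknown"
    details: dict = field(default_factory=dict)


def attribute(target):
    """Name the module a pointer lands in, or say that it is unknown."""
    for name, (lo, hi) in MODULES.items():
        if lo <= target < hi:
            return f"{name}+0x{target - lo:x}"
    return "unknown module"


def classify(address, symbol, original, patched):
    # Inline hook: first byte is JMP rel32; target = next instruction + rel32.
    if len(patched) == 5 and patched[0] == 0xE9:
        (rel,) = struct.unpack("<i", patched[1:])
        target = (address + 5 + rel) & 0xFFFFFFFF
        return Patch(address, symbol, original, patched, "inline_jmp",
                     {"target": target, "owner": attribute(target),
                      "hotpatch_prologue": original == b"\x8b\xff\x55\x8b\xec"})
    # SSDT entry: each 4-byte cell is a service pointer; index = offset / 4.
    m = SSDT_RE.match(symbol)
    if m and len(patched) % 4 == 0:
        first = int(m.group(1), 16) // 4
        entries = []
        for i in range(0, len(patched), 4):
            (old,) = struct.unpack("<I", original[i:i + 4])
            (new,) = struct.unpack("<I", patched[i:i + 4])
            entries.append({"index": first + i // 4, "original": old,
                            "hook": new, "owner": attribute(new)})
        return Patch(address, symbol, original, patched, "ssdt_entry",
                     {"entries": entries})
    return Patch(address, symbol, original, patched, "unknown")


def parse_chkimg(text):
    """Pair each `addr-addr N bytes - symbol` header with its `[ old:new ]` line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    patches, i = [], 0
    while i < len(lines):
        h = HEADER_RE.match(lines[i])
        if not h:
            i += 1                       # e.g. the trailing "123 errors" summary
            continue
        b = BYTES_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not b:
            raise ValueError(f"header without byte diff: {lines[i]!r}")
        old, new = (bytes.fromhex(g.replace(" ", "")) for g in b.groups())
        patches.append(classify(int(h.group(1), 16), h.group(2), old, new))
        i += 2
    return patches


def report(patches):
    """One human-readable line per hook, suitable for a triage note."""
    out = []
    for p in patches:
        if p.kind == "inline_jmp":
            out.append(f"{p.symbol}: JMP -> {p.details['target']:08x} "
                       f"({p.details['owner']})")
        elif p.kind == "ssdt_entry":
            for e in p.details["entries"]:
                out.append(f"SSDT[{e['index']}]: {e['original']:08x} -> "
                           f"{e['hook']:08x} ({e['owner']})")
        else:
            out.append(f"{p.symbol}: unclassified {p.patched.hex()}")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_chkimg(CHKIMG_OUTPUT))))
```

Run as-is, the three inline JMPs resolve to Normandy+0x584, Normandy+0x525 and Normandy+0x555, i.e. into the driver the bugcheck is attributed to, while the SSDT cells point to 0xee92xxxx/0xee93xxxx, outside the derived Normandy range. That is the practical point of decoding rather than just counting !chkimg errors: the listing reports every modification to nt, and only resolving each target against the loaded-module list tells you which patches belong to the tool under test and which to something else on the box.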
Re: RkUnhooker 3.8 SR2 public beta test
PostPosted:Wed Apr 14, 2010 6:19 am
by gjf
Dear EP_X0FF, could you be so kind as to include a small changelog with each new version?