Hooks cleared #52

Open
cr3m opened this issue Aug 16, 2019 · 9 comments
Comments

cr3m commented Aug 16, 2019

In some cases, kernel32.dll is unloaded, but actually the reference count of that module is still greater than zero and the hooked APIs are cleared.

MarioVilas (Owner) commented

Hi! Thanks for the bug report. Can you provide any way to reproduce this problem so I can work on it?

MarioVilas (Owner) commented

Also, TBH I'm not entirely sure why kernel32.dll would ever be unloaded... perhaps you are debugging an NT native binary?

cr3m (Author) commented Aug 29, 2019

Hi,
I have a sample (MD5: C3DD5EDA4800C1D049D7B39D742705E1). I set some API hooks on kernel32.dll and run it on Windows 7 64-bit. The hooks are not stable; I mean sometimes they are hit, sometimes not, and the sample runs through. Check the event log:

...
[] <864:2976> Load DLL event: 'C:\Windows\SysWOW64\kernel32.dll' at 0x7736fc52
[] <864:2976> Unload DLL event: 'C:\Windows\SysWOW64\kernel32.dll' at 0x7736fc82
...

After the unload event of kernel32 above, I worked around it and set the hooks again, and then it works.

Thanks

MarioVilas (Owner) commented

Perhaps that's an anti-debugging trick I don't know; it would make sense then, since kernel32 should never be unloaded. I'm guessing the malware is trying to unload kernel32 but the system won't let it; however, the debugger thinks it succeeded and removes all hooks.

If you can send me the sample over email (mvilas at gmail dot com) that would help me a lot in figuring out what this malware is doing. :)
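
The failure mode described in this thread (a debug event says kernel32.dll was unloaded, the module is in fact still mapped, and the debugger discards its hooks anyway) can be modelled without a target process. The block below is an added example and is not code from the issue author or from the debugger project this issue is filed against; the module path, base address, export RVAs, the FakeProcess stand-in and the hook names are all constructed. It contrasts a hook table that trusts the unload event with one that re-checks the loader's module list before dropping anything; in a real debugger the check at FakeProcess.scan_modules() would re-enumerate the target's modules (EnumProcessModules or a Toolhelp32 snapshot) instead.

```python
"""Model of a debugger hook table reacting to a DLL unload debug event.

Added example, not the project's code. All names, addresses and RVAs below
are constructed; FakeProcess stands in for a debuggee whose module list a
real debugger would query with EnumProcessModules or a Toolhelp32 snapshot.
"""
from dataclasses import dataclass


@dataclass
class Module:
    path: str
    base: int
    exports: dict            # export name -> RVA (constructed values)


class FakeProcess:
    """Stand-in for the debuggee: the loader's current list of mapped images."""

    def __init__(self, modules):
        self._modules = {m.base: m for m in modules}

    def scan_modules(self):
        return list(self._modules.values())

    def unmap(self, base):
        self._modules.pop(base, None)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


class HookTable:
    """API hooks expressed as code breakpoints, keyed by absolute address."""

    def __init__(self, api_hooks, trust_unload_event=False):
        self.api_hooks = api_hooks              # {'kernel32.dll': ['CreateFileW', ...]}
        self.trust_unload_event = trust_unload_event
        self.breakpoints = {}                   # address -> (module base, api name)

    def on_load_dll(self, module):
        for api in self.api_hooks.get(basename(module.path), []):
            rva = module.exports.get(api)
            if rva is None:                     # missing or forwarded export: nothing to hook
                continue
            self.breakpoints[module.base + rva] = (module.base, api)

    def on_unload_dll(self, process, module):
        """Returns 'dropped' or 'kept' so the decision can be logged and tested."""
        if self.trust_unload_event:             # the behaviour reported in the issue
            self._drop(module.base)
            return "dropped"
        # Ask the loader instead of trusting the event: an unload event for an
        # image that is still mapped at the same base must not discard its hooks.
        still_mapped = any(m.base == module.base for m in process.scan_modules())
        if still_mapped:
            self.on_load_dll(module)            # re-arm in case anything was lost
            return "kept"
        self._drop(module.base)
        return "dropped"

    def _drop(self, base):
        for addr in [a for a, (b, _) in self.breakpoints.items() if b == base]:
            del self.breakpoints[addr]

    def hook_for(self, address):
        entry = self.breakpoints.get(address)
        return entry[1] if entry else None


# Constructed scenario mirroring the report: kernel32 is loaded, the debugger
# then receives an unload event for it while the image is still mapped, and
# the sample calls a hooked API afterwards.
KERNEL32 = Module(r"C:\Windows\SysWOW64\kernel32.dll", 0x77340000,
                  {"CreateFileW": 0x1F9A0, "VirtualAlloc": 0x1A2E0})
HOOKS = {"kernel32.dll": ["CreateFileW", "VirtualAlloc"]}


def run_scenario(trust_unload_event):
    process = FakeProcess([KERNEL32])
    table = HookTable(HOOKS, trust_unload_event)
    table.on_load_dll(KERNEL32)
    decision = table.on_unload_dll(process, KERNEL32)     # spurious: still mapped
    hit = table.hook_for(KERNEL32.base + KERNEL32.exports["CreateFileW"])
    return decision, hit


def run_real_unload():
    """Control case: the image really is gone, so the hooks must be dropped."""
    process = FakeProcess([KERNEL32])
    table = HookTable(HOOKS)
    table.on_load_dll(KERNEL32)
    process.unmap(KERNEL32.base)
    decision = table.on_unload_dll(process, KERNEL32)
    return decision, table.hook_for(KERNEL32.base + KERNEL32.exports["CreateFileW"])


if __name__ == "__main__":
    print("trusting the event:", run_scenario(True))      # ('dropped', None)
    print("checking the loader:", run_scenario(False))    # ('kept', 'CreateFileW')
    print("genuine unload:", run_real_unload())           # ('dropped', None)
```

Matching on the module base rather than on the file name is deliberate: the same DLL can be mapped more than once in a process, and an unload event for a second mapping must not touch the hooks placed in the first one.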

MarioVilas (Owner) commented

The sample seems to have other anti-debug tricks in it so I'm pretty sure that must be what's going on here. https://infosec.cert-pa.it/analyze/search/0/0/0/0/0/0/tag:Vimditator.html

cr3m (Author) commented Aug 29, 2019

Hello Mario,
Do you still need the sample?
Yes, the sample has the anti-debug trick, but it is after the packer's code. The unload event I mentioned above is in the packer stub, and the problem happens randomly: sometimes the hooks work, sometimes not.

Updated: Sample sent to you

MarioVilas (Owner) commented Aug 29, 2019

Yes please, send me the sample. I only found a reference to it online, not the actual file.
EDIT: it must have landed in spam or got blocked by Gmail; try sending it in an encrypted 7z file with a non-obvious password ("infected" doesn't work anymore...).

cr3m (Author) commented Aug 30, 2019

Yes, so sorry Mario. I just noticed that my previous email got blocked since I zipped it. Just sent another email to you.
Thanks.

cr3m (Author) commented Sep 3, 2019

Just spamming once more here in case you still missed my email. I uploaded the sample here:
https://wetransfer.com/downloads/36810f1db363517a4b736f31d58a1e4920190902001323/8facf0
Pass: infected
