Friday, March 21, 2008

I'm not dead.. just busy.. more HIPS FUN..

HIPS.. Hope it protects something... ;-)

As usual I'm digging into various HIPS products and having fun.. I found a bit of time to post more hook exploration...

enjoy...

ZwSetLdtEntries hooked, jump to 00191BCB
ZwSetValueKey hooked, jump to 00191B97
ZwWriteVirtualMemory hooked, jump to 00190105

kernel32.dll
CopyFileA hooked, jump to 00190175
CopyFileExA hooked, jump to 00191B09
CopyFileExW hooked, jump to 0019019F
CopyFileW hooked: f=8BFF558BEC, m=FF2C258557
CreateFileA hooked, jump to 00191AD9
CreateFileMappingA hooked, jump to 00191AA4
CreateFileMappingW hooked: f=8BFF558BEC, m=8AFF368ADB
CreateFileW hooked: f=8BFF558BEC, m=87C92E3E26
CreateMailslotA hooked: f=8BFF558BEC, m=8BC036F3FF
difference at relocated offset 7C834E41 in CreateMailslotW
CreateNamedPipeA hooked: f=8BFF558BEC, m=EB07C0D200
CreateNamedPipeW hooked: f=8BFF558BEC, m=3EF38ADBF2
CreateProcessA hooked: f=8BFF558BEC, m=F30F008CA4
difference at relocated offset 7C81DA9E in CreateProcessInternalA
CreateProcessInternalW hooked, jump to 0019022E
difference at relocated offset 7C802332 in CreateProcessW
CreateRemoteThread hooked, jump to 00191A7E
CreateThread hooked: f=8BFF558BEC, m=90F2653E26
CreateToolhelp32Snapshot hooked, jump to 00191A51
CreateVirtualBuffer hooked: f=8BFF558BEC, m=8D3FC0F600
DebugActiveProcess hooked, jump to 00190251
DeleteFileA hooked, jump to 00191A32
DeleteFileW hooked: f=8BFF558BEC, m=F694A49BF1
DeviceIoControl hooked, jump to 00190286
difference at relocated offset 7C80E016 in DuplicateHandle
DuplicateHandle hooked, jump to 001902BC
GetModuleHandleA hooked, jump to 00191A19
GetModuleHandleW hooked: f=8BFF558BEC, m=653E90F29C
GetProcAddress hooked: f=8BFF558BEC, m=86C08BE467
HeapCreate hooked: f=8BFF558BEC, m=87C96765F2
LoadLibraryA hooked, jump to 001902EB
LoadLibraryExA hooked, jump to 00190310
LoadLibraryExW hooked, jump to 00190344
LoadLibraryW hooked, jump to 001919E2
difference at relocated offset 7C86125E in LoadModule
MapViewOfFile hooked: f=8BFF558BEC, m=FF2C2596B7
MapViewOfFileEx hooked: f=8BFF558BEC, m=87C9902636
MoveFileA hooked: f=8BFF558BEC, m=900FACF900
MoveFileExA hooked: f=8BFF558BEC, m=FF2C25ACD2
MoveFileExW hooked: f=8BFF558BEC, m=2E8D3F9036
MoveFileW hooked: f=8BFF558BEC, m=FF2C256396
MoveFileWithProgressA hooked, jump to 00191969
MoveFileWithProgressW hooked, jump to 00191951
OpenFile hooked, jump to 00190378
difference at relocated offset 7C81E079 in OpenProcess
OpenProcess hooked: f=8BFF558BEC, m=363E2E2EFF
OpenThread hooked: f=8BFF558BEC, m=26F22E36C0
ReadFile hooked, jump to 00191915
ReadFileEx hooked: f=8BFF558BEC, m=F2F3362EFF
ReadProcessMemory hooked: f=8BFF558BEC, m=F694E4CFF1
SetThreadContext hooked, jump to 001918DC
SetUnhandledExceptionFilter hooked, jump to 001918B3
VirtualAlloc hooked: f=8BFF558BEC, m=F266F20FAC
VirtualAllocEx hooked, jump to 00191895
VirtualFree hooked: f=8BFF558BEC, m=90FF2C251D
VirtualFreeEx hooked: f=8BFF558BEC, m=87C96A5567
VirtualProtect hooked: f=8BFF558BEC, m=3666678D34
VirtualProtectEx hooked: f=8BFF558BEC, m=8BC0EB0965
VirtualQuery hooked: f=8BFF558BEC, m=0F86B7EF93
VirtualQueryEx hooked: f=8BFF558BEC, m=8BE436F3EA
WinExec hooked: f=8BFF558BEC, m=900F862997
WriteFile hooked, jump to 00191852
WriteFileEx hooked: f=8BFF558BEC, m=9068C46176
WriteProcessMemory hooked: f=8BFF558BEC, m=86E4EB0F3E
_lcreat hooked, jump to 00191824
_lopen hooked, jump to 001917E7

user32.dll
SendInput hooked, jump to 001917CB
keybd_event hooked: f=8BFF558BEC, m=F2F23EF30F
mouse_event hooked: f=8BFF558BEC, m=3EF3F22EC1
ws2_32.dll
WSAAccept hooked: f=8BFF558BEC, m=68E4819663
difference at relocated offset 71AC0C69 in WSAConnect
WSADuplicateSocketA hooked: f=8BFF558BEC, m=67F3660FBF
WSADuplicateSocketW hooked: f=8BFF558BEC, m=260F8668F7
WSARecv hooked: f=8BFF558BEC, m=3667F2F3E9
difference at relocated offset 71ABF5D6 in WSARecvDisconnect
WSARecvDisconnect hooked: f=8BFF558BEC, m=87C9FF2C25
WSARecvFrom hooked: f=8BFF558BEC, m=6894B14693
WSASend hooked: f=8BFF558BEC, m=FF2C253E62
WSASendDisconnect hooked: f=8BFF558BEC, m=87C9900F86
WSASendTo hooked: f=8BFF558BEC, m=6586C026E9
WSASocketA hooked: f=8BFF558BEC, m=0FA4DD0036
WSASocketW hooked, jump to 00190884
accept hooked: f=8BFF558BEC, m=8D3FEB0590
connect hooked: f=8BFF558BEC, m=87C9FF2C25
recv hooked: f=8BFF558BEC, m=68C4617643
recvfrom hooked: f=8BFF558BEC, m=3E2E0FA4DD
send hooked: f=8BFF558BEC, m=6A7D689F04
sendto hooked: f=8BFF558BEC, m=90F3F22667
socket hooked: f=8BFF558BEC, m=86C03E2EFF
Terminé
psapi.dll

advapi32.dll
ControlService hooked, jump to 00190420
CreateProcessAsUserA hooked: f=8BFF558BEC, m=3E8AFF8DAD
CreateProcessAsUserW hooked: f=8BFF558BEC, m=6766678D74
difference at relocated offset 77E15C9D in CreateProcessWithLogonW
difference at relocated offset 77E15C9F in CreateProcessWithLogonW
CreateServiceA hooked, jump to 00191721
CreateServiceW hooked, jump to 0019170B
ElfClearEventLogFileA hooked, jump to 00190472
ElfClearEventLogFileW hooked, jump to 001916C8
InstallApplication hooked: f=8BFF558BEC, m=2E3EFF2C25
LogonUserA hooked: f=8BFF558BEC, m=90656894B1
LogonUserW hooked: f=8BFF558BEC, m=F39087ED65
LsaAddAccountRights hooked, jump to 00191689
LsaAddPrivilegesToAccount hooked, jump to 0019165C
LsaCreateAccount hooked, jump to 0019049D
LsaOpenAccount hooked, jump to 001904C5
LsaOpenSecret hooked, jump to 0019161B
LsaQuerySecret hooked, jump to 001904DC
difference at relocated offset 77DF02D6 in LsaRetrievePrivateData
LsaSetSecret hooked, jump to 001915EB
difference at relocated offset 77DF04A1 in LsaStorePrivateData
LsaStorePrivateData hooked, jump to 001915AD
difference at relocated offset 77DF64A0 in OpenEventLogA
OpenEventLogW hooked: f=8BFF558BEC, m=0F878A9E35
OpenProcessToken hooked, jump to 0019053F
OpenSCManagerA hooked, jump to 00191591
OpenSCManagerW hooked, jump to 00191551
OpenServiceA hooked, jump to 00190578
OpenServiceW hooked, jump to 0019153B
OpenThreadToken hooked: f=8BFF558BEC, m=680C693ECB
RegCreateKeyA hooked: f=8BFF558BEC, m=268BE490F2
RegCreateKeyExA hooked: f=8BFF558BEC, m=3E2E36EAFE
RegCreateKeyExW hooked: f=8BFF558BEC, m=2686E42E36
RegCreateKeyW hooked: f=8BFF558BEC, m=9086C02EF2
RegDeleteKeyA hooked: f=8BFF558BEC, m=6A4568E70C
RegDeleteKeyW hooked: f=8BFF558BEC, m=36650FACC9
RegDeleteValueA hooked: f=8BFF558BEC, m=86C0642E67
RegDeleteValueW hooked: f=8BFF558BEC, m=26F29C9067
difference at relocated offset 77DFC41B in RegOpenKeyA
RegOpenKeyA hooked: f=8BFF558BEC, m=660FBFD264
RegOpenKeyExA hooked: f=8BFF558BEC, m=2E36F367C0
RegOpenKeyExW hooked: f=8BFF558BEC, m=36FF2C2590
RegOpenKeyW hooked: f=8BFF558BEC, m=F29C659090
RegSetKeySecurity hooked: f=8BFF558BEC, m=F3F2F3649C
RegSetValueA hooked: f=8BFF558BEC, m=6894B14693
RegSetValueExA hooked, jump to 001905B1
RegSetValueExW hooked, jump to 00191527
RegSetValueW hooked: f=8BFF558BEC, m=8BC00F8C00
RevertToSelf hooked: f=8BFF558BEC, m=3E8D920000
SetFileSecurityA hooked: f=8BFF558BEC, m=909C0EF265
SetFileSecurityW hooked: f=8BFF558BEC, m=0F01442488
SetNamedSecurityInfoA hooked, jump to 00191512
SetNamedSecurityInfoExA hooked, jump to 001905E8
SetNamedSecurityInfoExW hooked, jump to 001914DA
SetNamedSecurityInfoW hooked: f=8BFF558BEC, m=F694E4A3FA
SetSecurityInfo hooked: f=8BFF558BEC, m=6686E486C0
SetSecurityInfoExA hooked, jump to 001905FE
difference at relocated offset 77E23AB1 in SetSecurityInfoExW
StartServiceA hooked, jump to 00190634
StartServiceW hooked, jump to 0019066E
SystemFunction029 hooked: f=8BFF558BEC, m=90FF2C256D
SystemFunction034 hooked: f=8BFF558BEC, m=9065676AAD
SystemFunction035 hooked: f=8BFF558BEC, m=670FA4ED00
SystemFunction040 hooked: f=8BFF558BEC, m=EAF18DDF77
SystemFunction041 hooked: f=8BFF558BEC, m=362E0F8612
UninstallApplication hooked, jump to 00191495

ole32.dll
CoCreateInstance hooked: f=8BFF558BEC, m=2E9086C0F2
CoCreateInstanceEx hooked: f=8BFF558BEC, m=F28ADB909C
CoGetClassObject hooked: f=8BFF558BEC, m=C1D7009026
CoGetInstanceFromFile hooked: f=8BFF558BEC, m=3666C1D300
difference at relocated offset 77596327 in CoInstall
CoInstall hooked: f=8BFF558BEC, m=36EA2F6359
CoLoadLibrary hooked, jump to 0019085F
CoRevertToSelf hooked, jump to 00191075