
Hooks cleared

Open cr3m opened this issue 6 years ago • 9 comments

In some cases, kernel32.dll is reported as unloaded, but actually the reference count of that module is still greater than zero, while the APIs hooked in it are cleared.

cr3m, Aug 16 '19 04:08

Hi! Thanks for the bug report. Can you provide any way to reproduce this problem so I can work on it?

MarioVilas, Aug 28 '19 08:08

Also, TBH I'm not entirely sure why kernel32.dll would ever be unloaded... perhaps you are debugging an NT native binary?

MarioVilas, Aug 28 '19 08:08

Hi, I have a sample (MD5: C3DD5EDA4800C1D049D7B39D742705E1). I set some API hooks on kernel32.dll and run it on Windows 7 64-bit. The hooks are not stable; I mean sometimes they are hit, sometimes not, and the sample runs through. Check the event log:

    ...
    [] <864:2976> Load DLL event: 'C:\Windows\SysWOW64\kernel32.dll' at 0x7736fc52
    [] <864:2976> Unload DLL event: 'C:\Windows\SysWOW64\kernel32.dll' at 0x7736fc82
    ...

After the Unload event for kernel32 above, I worked around it by setting the hooks again, and then it works.

Thanks

cr3m, Aug 29 '19 00:08
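The bookkeeping defect cr3m describes, as an added simulation that is not winappdbg code: a debugger-side hook table that drops a module's hooks on any Unload DLL event is compared with one that first re-checks whether the module is still mapped in the debuggee (here a constructed lookup standing in for re-enumerating the process's module list) and keeps the hooks when the unload never really completed. The event stream, the API names and the `still_mapped` callback are all constructed for the example.

```python
# Added example: simulates the hook-table handling behind this bug report.
# Not winappdbg's implementation; module names and events are constructed.

class HookTable:
    """Tracks installed API hooks per module (lower-cased basename)."""

    def __init__(self, verify_unload=False):
        self.hooks = {}            # module name -> set of hooked API names
        self.mapped = set()        # modules the debugger believes are loaded
        self.verify_unload = verify_unload

    def on_load(self, module, apis):
        """Load DLL event: record the module and (re)install its hooks."""
        self.mapped.add(module)
        self.hooks.setdefault(module, set()).update(apis)

    def on_unload(self, module, still_mapped):
        """Unload DLL event. still_mapped(module) -> bool stands in for
        re-checking the debuggee's module list before trusting the event."""
        if self.verify_unload and still_mapped(module):
            return False           # spurious unload: keep the hooks installed
        self.mapped.discard(module)
        self.hooks.pop(module, None)
        return True                # module really gone: hooks dropped

    def is_hooked(self, module, api):
        return api in self.hooks.get(module, set())


# Constructed event stream modelled on the log quoted in this thread:
# kernel32 is loaded, then an unload event arrives that never took effect.
EVENTS = [
    ("load", "kernel32.dll"),
    ("unload", "kernel32.dll"),
]

def replay(verify_unload, truly_mapped=frozenset({"kernel32.dll"})):
    """Replay EVENTS and report whether CreateFileW is still hooked afterwards.
    truly_mapped is the constructed ground truth of what the debuggee has loaded."""
    table = HookTable(verify_unload)
    for kind, module in EVENTS:
        if kind == "load":
            table.on_load(module, {"CreateFileW", "VirtualAlloc"})
        else:
            table.on_unload(module, lambda m: m in truly_mapped)
    return table.is_hooked("kernel32.dll", "CreateFileW")
```

With the naive table the hooks silently vanish after the spurious event; with verification they survive, and a genuine unload (module absent from the ground truth) still clears them.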

Perhaps that's an anti-debugging trick I don't know, it would make sense then since kernel32 should never be unloaded. I'm guessing the malware is trying to unload kernel32 but the system won't let it - however the debugger thinks it succeeded and removes all hooks.

If you can send me the sample over email (mvilas at gmail dot com) that would help me a lot in figuring out what this malware is doing. :)

MarioVilas, Aug 29 '19 08:08

The sample seems to have other anti-debug tricks in it so I'm pretty sure that must be what's going on here. https://infosec.cert-pa.it/analyze/search/0/0/0/0/0/0/tag:Vimditator.html

MarioVilas, Aug 29 '19 08:08

Hello Mario, do you still need the sample? Yes, the sample has the anti-debug trick, but it is after the packer's code. The unload event I mentioned above is in the packer stub, and the problem happens randomly: sometimes the hooks work, sometimes not.

Updated: Sample sent to you

cr3m, Aug 29 '19 09:08

Yes please, send me the sample. I only found a reference to it online, not the actual file. EDIT: it must have landed in spam or got blocked by Gmail; try sending it in an encrypted 7z file with a non-obvious password ("infected" doesn't work anymore...)

MarioVilas, Aug 29 '19 12:08

Yes, so sorry Mario. I just noticed that my previous email got blocked since I zipped it. Just sent another email to you. Thanks.

cr3m, Aug 30 '19 00:08

Just spamming once more here in case you still missed my email. I uploaded the sample here: https://wetransfer.com/downloads/36810f1db363517a4b736f31d58a1e4920190902001323/8facf0 Pass: infected

cr3m, Sep 03 '19 00:09