MarioVilas/winappdbg

Hooks cleared

Opened this issue · 9 comments

cr3m commented

In some cases, kernel32.dll is unloaded, but the reference count of that module is actually still greater than zero, while the hooked APIs are cleared.

Hi! Thanks for the bug report. Can you provide any way to reproduce this problem so I can work on it?

Also, TBH I'm not entirely sure why kernel32.dll would ever be unloaded... perhaps you are debugging an NT native binary?

cr3m commented

Hi,
I have a sample (MD5: C3DD5EDA4800C1D049D7B39D742705E1). I set some API hooks on kernel32.dll and ran it on Windows 7 64-bit. The hooks are not stable; I mean sometimes they are hit, sometimes not, and the sample runs through. Check the event log:

...
[] <864:2976> Load DLL event: 'C:\Windows\SysWOW64\kernel32.dll' at 0x7736fc52
[] <864:2976> Unload DLL event: 'C:\Windows\SysWOW64\kernel32.dll' at 0x7736fc82
...

After the Unload DLL event for kernel32 above, I worked around it by making the hooks again, and then it works.

Thanks
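The workaround described in the comment above (re-applying the hooks after a spurious Unload DLL event while the module is still mapped), written out as an added example; it is not code from the issue or from WinAppDbg itself. It assumes the WinAppDbg 1.x EventHandler/Debug API (apiHooks, the unload_dll callback, Debug.hook_function, Process.resolve_label, Process.scan_modules) and the "module!function" label syntax; CreateFileW and VirtualAlloc are picked as the hooked functions for illustration, and the module paths used to check it are constructed.

```python
"""
Re-install kernel32 API hooks when WinAppDbg reports an Unload DLL event
for a module that is still mapped in the debuggee.

Added example (not WinAppDbg's own code). Run on Windows, with a Python and
WinAppDbg build matching the target's bitness (32-bit for a SysWOW64 sample):
    python rehook.py C:\path\to\sample.exe
"""
import os
import sys

try:
    from winappdbg import Debug, EventHandler
except ImportError:  # off Windows: keep the pure-Python decision logic importable
    Debug = None

    class EventHandler(object):
        pass

# Hooks requested per module: (export name, number of stack parameters).
# Assumption: these two exports are the ones worth watching for this sample.
API_HOOKS = {
    "kernel32.dll": [("CreateFileW", 7), ("VirtualAlloc", 4)],
}


def _basename(path):
    # Windows paths are case-insensitive, so 'C:\Windows\SysWOW64\KERNEL32.DLL'
    # and 'kernel32.dll' must map to the same key.
    return os.path.basename(path.replace("\\", "/")).lower()


def hooks_to_reinstall(unloaded_path, mapped_paths, api_hooks=API_HOOKS):
    """Decide which hooks to re-install after an Unload DLL event.

    unloaded_path : file name reported by the unload event
    mapped_paths  : file names of modules still in the process's module list
                    after the event was delivered
    Returns the hook list for the module if it is still mapped (the event did
    not correspond to a real unload, yet the debugger dropped the live hooks);
    otherwise an empty list, because hooking an unmapped module is pointless.
    """
    name = _basename(unloaded_path)
    still_mapped = any(_basename(p) == name for p in mapped_paths)
    if not still_mapped:
        return []
    return list(api_hooks.get(name, []))


class ReHookingHandler(EventHandler):
    # WinAppDbg installs these on the matching Load DLL event and removes them
    # on Unload DLL, before our unload_dll override below runs.
    apiHooks = API_HOOKS

    def pre_CreateFileW(self, event, ra, lpFileName, *rest):
        name = event.get_process().peek_string(lpFileName, fUnicode=True)
        print("<%d> CreateFileW(%r)" % (event.get_tid(), name))

    def pre_VirtualAlloc(self, event, ra, lpAddress, dwSize, flAllocationType, flProtect):
        print("<%d> VirtualAlloc(size=0x%x, protect=0x%x)" % (event.get_tid(), dwSize, flProtect))

    def unload_dll(self, event):
        process = event.get_process()
        unloaded = event.get_module().get_filename() or ""
        process.scan_modules()  # refresh the module list before trusting it
        mapped = [m.get_filename() or "" for m in process.iter_modules()]
        modname = os.path.splitext(_basename(unloaded))[0]  # 'kernel32' for the label
        for func, nparams in hooks_to_reinstall(unloaded, mapped):
            address = process.resolve_label("%s!%s" % (modname, func))
            pre = getattr(self, "pre_" + func, None)
            post = getattr(self, "post_" + func, None)
            event.debug.hook_function(event.get_pid(), address, pre, post, nparams)
            print("re-hooked %s!%s at 0x%x" % (modname, func, address))


def main(argv):
    if Debug is None:
        print("winappdbg is not available on this host")
        return 1
    with Debug(ReHookingHandler(), bKillOnExit=True) as debug:
        debug.execv(argv[1:])
        debug.loop()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The decision is kept in hooks_to_reinstall so it can be exercised without a debuggee; the only debugger-specific work is resolving the export addresses again and calling hook_function. If the target really did unmap the DLL, the helper returns nothing and no stale hook is written into freed memory.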

Perhaps that's an anti-debugging trick I don't know, it would make sense then since kernel32 should never be unloaded. I'm guessing the malware is trying to unload kernel32 but the system won't let it - however the debugger thinks it succeeded and removes all hooks.

If you can send me the sample over email (mvilas at gmail dot com) that would help me a lot in figuring out what this malware is doing. :)

The sample seems to have other anti-debug tricks in it so I'm pretty sure that must be what's going on here. https://infosec.cert-pa.it/analyze/search/0/0/0/0/0/0/tag:Vimditator.html

cr3m commented

Hello Mario,
Do you still need the sample?
Yes, the sample has the anti-debug trick, but it is after the packer's code. The unload event I mentioned above is in the packer stub, and the problem happens randomly: sometimes the hooks work, sometimes not.

Updated: Sample sent to you

Yes please, send me the sample. I only found a reference to it online, not the actual file.
EDIT: it must have landed in spam or got blocked by Gmail; try sending it in an encrypted 7z file with a non-obvious password ("infected" doesn't work anymore...)

cr3m commented

Yes, so sorry Mario. I just noticed that my previous email got blocked since I zipped it. Just sent another email to you.
Thanks.

cr3m commented

Just spamming one more here in case you still missed my email. I uploaded the sample here:
https://wetransfer.com/downloads/36810f1db363517a4b736f31d58a1e4920190902001323/8facf0
Pass: infected