DTM05 / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook

more than 2 SSDT tables cause ssdt_by_threads to fail #14

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
From the plain ssdt command:

```
...
Entry 0x11f6: 0xf0fd05a6 (NtUserSendInput) owned by vsdatant.sys
... no more hooks ...
Entry 0x1299: 0xbf954c65 (NtGdiUMPDEngFreeUserMem) owned by win32k.sys
Entry 0x129a: 0xbf817637 (NtGdiDrawStream) owned by win32k.sys
SSDT[2] at e2187818 with 5 entries
  Entry 0x2000: 0xefead620 (Unknown) owned by UNKNOWN
  Entry 0x2001: 0xefead65e (Unknown) owned by UNKNOWN
...
```

From ssdt_by_thread:

```
  Entry 0x11db: 0xf0fd007a (NtUserPostMessage) owned by vsdatant.sys
  Entry 0x11dc: 0xf0fd01b2 (NtUserPostThreadMessage) owned by vsdatant.sys
  Entry 0x11dd: 0xf0f27480 (NtUserPrintWindow) owned by RapportPG.sys
  Entry 0x11e3: 0xf0f21f56 (NtUserQueryWindow) owned by RapportPG.sys
  Entry 0x11eb: 0xf0fcdb4c (NtUserRegisterRawInputDevices) owned by vsdatant.sys
  Entry 0x11f6: 0xf0fd05a6 (NtUserSendInput) owned by vsdatant.sys
Traceback (most recent call last):
  File "vol.py", line 130, in <module>
    main()
  File "vol.py", line 121, in main
    command.execute()
  File "C:\Volatility-1.4_rc1\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 3154, in render_text
    for (pid, tid, name, tbl, hooked) in data:
  File "C:\Volatility-1.4_rc1\volatility\plugins\malware.py", line 3142, in calculate
    if mod_name not in self.executive_modules[idx]:
IndexError: list index out of range
```

Original issue reported on code.google.com by michael.hale@gmail.com on 28 Mar 2011 at 1:00
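The failure above comes from indexing a per-table list of legitimate owner modules with an SSDT table number that the list does not cover. The following is an added illustration, not Volatility's code: a simplified stand-in for that lookup that reproduces the IndexError on the page's own output lines and a guarded version that reports a third table instead of crashing. The `EXECUTIVE_MODULES` layout, `parse_entry`/`check_hooks` names and the table-from-index derivation (`index >> 12`) are assumptions for the example.

```python
# Added example (not Volatility's code): show the IndexError from the issue
# and a guarded lookup that tolerates SSDT tables beyond the two normally
# known (0 = ntoskrnl, 1 = win32k). Line format and module names come from
# the issue's output; the data structure is a simplified assumption.
import re

# Per-table list of modules that legitimately own entries; index = SSDT table.
# Only two tables are listed, mirroring the condition that triggered the bug.
EXECUTIVE_MODULES = [
    ["ntoskrnl.exe", "ntkrnlpa.exe"],   # SSDT[0]: native (Nt*) services
    ["win32k.sys"],                     # SSDT[1]: GUI (NtUser*/NtGdi*) services
]

LINE_RE = re.compile(r"Entry (0x[0-9a-f]+): (0x[0-9a-f]+) \((\S+)\) owned by (\S+)")

def parse_entry(line):
    """Return (index, address, name, owner) from one 'Entry ...' line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)

def check_hooks(lines, guarded=True):
    """Return [(index, name, owner, status)] for each entry; table = index >> 12.
    guarded=False reproduces the unguarded lookup that raised IndexError."""
    out = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        idx, _addr, name, owner = e
        tbl = idx >> 12              # 0x11f6 -> table 1, 0x2000 -> table 2
        if not guarded:
            known = EXECUTIVE_MODULES[tbl]   # raises IndexError for table 2
        elif tbl < len(EXECUTIVE_MODULES):
            known = EXECUTIVE_MODULES[tbl]
        else:
            # Table not in the known list: report it rather than abort the scan.
            out.append((idx, name, owner, "unknown-table"))
            continue
        status = "ok" if owner in known else "hooked"
        out.append((idx, name, owner, status))
    return out

# Constructed sample, copied from the output quoted in the issue.
SAMPLE = [
    "Entry 0x11f6: 0xf0fd05a6 (NtUserSendInput) owned by vsdatant.sys",
    "Entry 0x1299: 0xbf954c65 (NtGdiUMPDEngFreeUserMem) owned by win32k.sys",
    "Entry 0x2000: 0xefead620 (Unknown) owned by UNKNOWN",
]
```

With `guarded=True` the vsdatant.sys entry is reported as hooked, the win32k.sys entry as ok, and the SSDT[2] entry as an unknown table; with `guarded=False` the third line raises the same IndexError as the traceback.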

GoogleCodeExporter commented 8 years ago

Original comment by michael.hale@gmail.com on 28 Mar 2011 at 1:36