Open greenozon opened 2 days ago
Do I need to run the tool on even higher priv, eg https://github.com/nfedera/run-as-trustedinstaller ?
Hi @greenozon! Yes, clearly Admin is not enough and HH doesn't have the privilege to access those processes. Can you check with which privileges each of them runs? What exactly is your Windows version? Do you have any AV/EDR software installed? Sometimes such products block access to specific processes.
Thanks for the reply! I don't have any AV/EDR. I'm using good old W7x64SP1. I'll check what privileges those processes are using.
details:
C:\Windows\system32\AUDIODG.EXE 0x9d8 User: NT AUTHORITY\LOCAL SERVICE
about the "Could not access" errors for chrome.exe and opera.exe - wow! Each time I ran the tool and tried to find the PID using ProcExplorer, I was not able to find those! I've also seen that chrome/opera are constantly creating and deleting processes, might that be the case? Also a side note: all chrome/opera processes are running under my local (non-admin) user, so might it be the case that you start scanning a process and during the scan it was killed by the browser due to its internal kitchen?
and last question on this case:
Scanning PID: 12572 : Clock7.exe [-] Section 0: out ouf bounds, skipping...
could you explain this a bit more pls? This is an extremely small (1 KB PE64) digital clock, a nice tool - it shows a transparent clock on the Desktop.
and one more question: could you print more info in case of a [!] Could not access issue? e.g. GetLastError() or so..
@greenozon - I will add better error reporting. In the meantime, could you please try scanning each of the problematic processes with PE-sieve? It is the engine used by HollowsHunter. It scans only one process at a time, but has extended reporting of errors. It is very much possible that it cannot access the process because it terminated before the scan completed. Regarding Clock7.exe - can you share this application? I will take a look.
Gave it a try, but generally the thing is that the pe-sieve tool works with a single PID per run, which means I can't catch that nasty open/close issue with this tool... BTW, while reading its logs I've seen
[-] Could not set debug privilege
is it just an informational msg, or are you skipping some deeper functionality?
Clock7 attached, hope you'll enjoy this small piece of mastership!
btw, the tool did not give any more info than before... ([-] Section 0: out ouf bounds, skipping...)
C:\Prg\Hiteq\pe\PeBear>pe-sieve.exe /pid 12920
PID: 12920
Output filter: no filter: dump everything (default)
Dump mode: autodetect (default)
[-] Could not set debug privilege
[*] Using raw process!
[-] Section 0: out ouf bounds, skipping...
[*] Scanning: C:\Prg\inet\crypto\certs\Clock7.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\lpk.dll
[*] Scanning: C:\Windows\System32\usp10.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\imm32.dll
[*] Scanning: C:\Windows\System32\msctf.dll
[*] Scanning: C:\Windows\System32\nvinitx.dll
[*] Scanning: C:\Windows\System32\version.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
[*] Scanning: C:\Windows\System32\setupapi.dll
[*] Scanning: C:\Windows\System32\cfgmgr32.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\ole32.dll
[*] Scanning: C:\Windows\System32\devobj.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\nvdxgiwrapx.dll
[*] Scanning: C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.27361_none_145bfe468b8fc347\GdiPlus.dll
[*] Scanning: C:\Windows\System32\uxtheme.dll
[*] Scanning: C:\Windows\System32\dwmapi.dll
[*] Scanning: C:\Windows\System32\CRYPTBASE.dll
Scanning workingset: 199 memory regions.
[*] Workingset scanned in 16 ms.
[+] Report dumped to: process_12920
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\140000000.Clock7.exe as VIRTUAL
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\77490000.kernel32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefd360000.KERNELBASE.dll as REALIGNED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefe9a0000.gdi32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\77390000.user32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefde20000.ole32.dll as UNMAPPED
[+] Dumped modified to: process_12920
[+] Report dumped to: process_12920
---
PID: 12920
---
SUMMARY:
Total scanned: 28
Skipped: 0
-
Hooked: 6
Replaced: 0
Hdrs Modified: 0
IAT Hooks: 0
Implanted: 0
Unreachable files: 0
Other: 0
-
Total suspicious: 6
---
Could you also explain the goal of .tag file, eg:
8b90;D3DKMTQueryAdapterInfo->7fefd3501f0;5
8b95;patch_1;3
bde0;D3DKMTGetDisplayModeList->7fefd3501b8;5
bde5;patch_3;3
It is explained on PE-sieve Wiki, check it out: https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches
Thank you! I checked your clock application, it is indeed very nice. It looks like it is written in pure assembly, is it? Also, I understood why it was showing that message: this executable has an atypical alignment of sections. And also, the raw size of the section defined in the header was going beyond the file size.
I fixed my library to better handle such cases, so from now on this message is not going to be shown.
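The condition described above (a section whose raw size, as declared in the header, runs past the end of the file), as an added example that is not pe-sieve's or libpeconv's code: a small parser over a constructed PE64 header that reports how many raw bytes of each section actually exist. Clamping to the file end is an assumed handling strategy, not a statement of what the library does.

```python
import struct

# Constructed sample, not a real file: a minimal PE64 header with one section
# (.text) whose PointerToRawData=0x200 and SizeOfRawData=0x1000, while the
# file itself is only 0x300 bytes long, so the raw data overruns the file.
def build_sample_pe() -> bytes:
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    # COFF header: Machine=AMD64, NumberOfSections=1, SizeOfOptionalHeader=0xF0
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\x00" * (0xF0 - 2)  # PE32+ magic, rest zero
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sec = b".text\x00\x00\x00" + struct.pack("<IIII", 0x1000, 0x1000, 0x1000, 0x200)
    sec += b"\x00" * (40 - len(sec))
    img = dos + b"PE\x00\x00" + coff + opt + sec
    return img + b"\x00" * (0x300 - len(img))


def section_headers(data: bytes):
    """Yield (name, virtual_size, virtual_address, raw_size, raw_ptr) per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        yield name, vsize, va, raw_size, raw_ptr


def check_raw_bounds(data: bytes):
    """Return (name, raw_ptr, declared_raw_size, usable_raw_size) per section.

    Declared raw data that runs past the end of the file is clamped to the bytes
    that really exist (0 if the section starts beyond the end), instead of being
    rejected outright. The clamping policy is an assumption for this example.
    """
    results = []
    for name, _vsize, _va, raw_size, raw_ptr in section_headers(data):
        if raw_ptr >= len(data):
            usable = 0
        elif raw_ptr + raw_size > len(data):
            usable = len(data) - raw_ptr
        else:
            usable = raw_size
        results.append((name, raw_ptr, raw_size, usable))
    return results
```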
@greenozon - finally, I made a new test build - please have a look:
It has a new parameter added: /report
with the help of which you can define whether you want to generate a report with details for the executables that failed to be scanned.
The report looks like this:
Even if I run cmd.exe as Admin, the tool can't access some processes. Are there any clues why that is?
eg:
the first two I guess are OK, but what about the rest?