Crash Dump Analysis Patterns (Part 38)
Hooking functions with the trampoline method is so common on Windows that we sometimes need to check for hooked functions in specific modules and determine which module hooked them, whether for troubleshooting or for memory forensic analysis. If the original, unhooked modules are available (via a symbol server, for example), this can be done with the !chkimg WinDbg extension command:
0:002> !chkimg -lo 50 -d !kernel32 -v
Searching for module with expression: !kernel32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\mss\kernel32.dll\44C60F39102000\kernel32.dll
No range specified
Scanning section: .text
Size: 564445
Range to scan: 77e41000-77ecacdd
77e44004-77e44008 5 bytes - kernel32!GetDateFormatA
[ 8b ff 55 8b ec:e9 f7 bf 08 c0 ]
77e4412e-77e44132 5 bytes - kernel32!GetTimeFormatA (+0x12a)
[ 8b ff 55 8b ec:e9 cd be 06 c0 ]
77e4e857-77e4e85b 5 bytes - kernel32!FileTimeToLocalFileTime (+0xa729)
[ 8b ff 55 8b ec:e9 a4 17 00 c0 ]
77e56b5f-77e56b63 5 bytes - kernel32!GetTimeZoneInformation (+0x8308)
[ 8b ff 55 8b ec:e9 9c 94 00 c0 ]
77e579a9-77e579ad 5 bytes - kernel32!GetTimeFormatW (+0xe4a)
[ 8b ff 55 8b ec:e9 52 86 06 c0 ]
77e57fc8-77e57fcc 5 bytes - kernel32!GetDateFormatW (+0x61f)
[ 8b ff 55 8b ec:e9 33 80 08 c0 ]
77e6f32b-77e6f32f 5 bytes - kernel32!GetLocalTime (+0x17363)
[ 8b ff 55 8b ec:e9 d0 0c 00 c0 ]
77e6f891-77e6f895 5 bytes - kernel32!LocalFileTimeToFileTime (+0x566)
[ 8b ff 55 8b ec:e9 6a 07 01 c0 ]
77e83499-77e8349d 5 bytes - kernel32!SetLocalTime (+0x13c08)
[ 8b ff 55 8b ec:e9 62 cb 00 c0 ]
77e88c32-77e88c36 5 bytes - kernel32!SetTimeZoneInformation (+0x5799)
[ 8b ff 55 8b ec:e9 c9 73 01 c0 ]
Total bytes compared: 564445(100%)
Number of errors: 50
50 errors : !kernel32 (77e44004-77e88c36)
0:002> u 77e44004
kernel32!GetDateFormatA:
77e44004 e9f7bf08c0 jmp 37ed0000
77e44009 81ec18020000 sub esp,218h
77e4400f a148d1ec77 mov eax,dword ptr [kernel32!__security_cookie (77ecd148)]
77e44014 53 push ebx
77e44015 8b5d14 mov ebx,dword ptr [ebp+14h]
77e44018 56 push esi
77e44019 8b7518 mov esi,dword ptr [ebp+18h]
77e4401c 57 push edi
0:002> u 37ed0000
*** ERROR: Symbol file could not be found. Defaulted to export symbols for MyDateTimeHooks.dll -
37ed0000 e99b262f2d jmp MyDateTimeHooks+0x26a0 (651c26a0)
37ed0005 8bff mov edi,edi
37ed0007 55 push ebp
37ed0008 8bec mov ebp,esp
37ed000a e9fa3ff73f jmp kernel32!GetDateFormatA+0x5 (77e44009)
37ed000f 0000 add byte ptr [eax],al
37ed0011 0000 add byte ptr [eax],al
37ed0013 0000 add byte ptr [eax],al
- Dmitry Vostokov @ DumpAnalysis.org -
May 21st, 2008 at 2:17 pm
Example from the kernel:
4: kd> !chkimg -lo 50 -d !nt
8083351c-80833520 5 bytes - nt!NtYieldExecution
[ 8b ff 55 8b ec:e9 5c 03 e6 73 ]
808345d0-808345d3 4 bytes - nt!KiServiceTable+440 (+0x10b4)
[ 9c c2 8b 80:5c d7 f1 f4 ]
808eeb1e-808eeb22 5 bytes - nt!NtCreateFile
[ 8b ff 55 8b ec:e9 1c 4d da 73 ]
809233b0-809233b4 5 bytes - nt!NtUnmapViewOfSection (+0x34892)
[ 8b ff 55 8b ec:e9 f2 04 d7 73 ]
8092d3ae-8092d3b4 7 bytes - nt!NtMapViewOfSection (+0x9ffe)
[ 6a 38 68 b8 41 80 80:e9 de 64 d6 73 90 90 ]
80931c90-80931c96 7 bytes - nt!NtProtectVirtualMemory (+0x48e2)
[ 6a 44 68 d8 43 80 80:e9 be 1b d6 73 90 90 ]
8094af32-8094af36 5 bytes - nt!NtCreateProcess (+0x192a2)
[ 8b ff 55 8b ec:e9 32 89 d4 73 ]
8094c714-8094c718 5 bytes - nt!NtTerminateProcess (+0x17e2)
[ 8b ff 55 8b ec:e9 12 71 d4 73 ]
43 errors : !nt (8083351c-8094c718)
4: kd> u 8094af32
nt!NtCreateProcess:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for 3rdPartyAVDriver.sys -
8094af32 e93289d473 jmp 3rdPartyAVDriver+0x13869 (f4693869)
8094af37 33c0 xor eax,eax
8094af39 f6451c01 test byte ptr [ebp+1Ch],1
8094af3d 7401 je nt!NtCreateProcess+0xe (8094af40)
8094af3f 40 inc eax
8094af40 f6452001 test byte ptr [ebp+20h],1
8094af44 7403 je nt!NtCreateProcess+0x17 (8094af49)
8094af46 83c802 or eax,2
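As an added example (not code from the original post or from DumpAnalysis.org), the Python helper below automates the two manual steps shown in the user-mode post above and in this kernel-mode comment: it parses the mismatch lines that !chkimg -d prints, decodes what the replacement bytes do (an e9 rel32 jmp, or a replaced 4-byte pointer such as the KiServiceTable entry), follows the jmp chain the way the u commands did, and attributes the final destination to a module range. The sample mismatch lines, the trampoline bytes at 37ed0000 and the module bases are taken from addresses quoted on the page; the module sizes and the MEMORY snapshot layout are assumptions made for the example.

```python
"""Triage helper for the Hooked Functions pattern.

Parses the mismatch lines printed by "!chkimg -d", decodes what the new bytes
do (an e9 rel32 jmp or a replaced 4-byte pointer), follows the jmp chain the
way the "u" commands in the post did, and attributes the destination to a
module. All sample data below is constructed from addresses quoted in the post.
"""
import re
import struct

# Constructed sample: mismatch lines in the exact shape !chkimg -d prints them.
CHKIMG_OUTPUT = """\
77e44004-77e44008 5 bytes - kernel32!GetDateFormatA
[ 8b ff 55 8b ec:e9 f7 bf 08 c0 ]
77e4412e-77e44132 5 bytes - kernel32!GetTimeFormatA (+0x12a)
[ 8b ff 55 8b ec:e9 cd be 06 c0 ]
808345d0-808345d3 4 bytes - nt!KiServiceTable+440 (+0x10b4)
[ 9c c2 8b 80:5c d7 f1 f4 ]
8092d3ae-8092d3b4 7 bytes - nt!NtMapViewOfSection (+0x9ffe)
[ 6a 38 68 b8 41 80 80:e9 de 64 d6 73 90 90 ]
8094af32-8094af36 5 bytes - nt!NtCreateProcess (+0x192a2)
[ 8b ff 55 8b ec:e9 32 89 d4 73 ]
"""

# Constructed module table (name, base, end). Bases are derived from the post
# (MyDateTimeHooks+0x26a0 == 0x651c26a0, 3rdPartyAVDriver+0x13869 == 0xf4693869);
# the sizes are assumptions.
MODULES = [
    ("kernel32.dll", 0x77E40000, 0x77EE0000),
    ("MyDateTimeHooks.dll", 0x651C0000, 0x651D0000),
    ("nt", 0x80800000, 0x80A00000),
    ("3rdPartyAVDriver.sys", 0xF4680000, 0xF46B0000),
]

# Constructed memory snapshot: the trampoline stub the post disassembles at 37ed0000
# (jmp into the hook DLL, the displaced 5-byte prologue, jmp back to GetDateFormatA+5).
MEMORY = {0x37ED0000: bytes.fromhex("e99b262f2d" "8bff558bec" "e9fa3ff73f")}

HEADER_RE = re.compile(r"^(?P<start>[0-9a-f]+)-[0-9a-f]+\s+\d+ bytes - (?P<sym>\S+)")
BYTES_RE = re.compile(r"^\[\s*(?P<old>[0-9a-f ]+?)\s*:\s*(?P<new>[0-9a-f ]+?)\s*\]")


def module_for(address):
    """Module whose range contains address, or None (e.g. a VirtualAlloc'ed trampoline page)."""
    for name, base, end in MODULES:
        if base <= address < end:
            return name
    return None


def read_bytes(address, length):
    """Read from the constructed snapshot; None when the range was not captured."""
    for base, blob in MEMORY.items():
        if base <= address and address + length <= base + len(blob):
            return blob[address - base:address - base + length]
    return None


def decode_patch(start, new):
    """Classify the replacement bytes at start and compute where they point."""
    if new[0] == 0xE9 and len(new) >= 5:
        # jmp rel32: destination = end of the 5-byte instruction + signed displacement.
        rel = struct.unpack("<i", new[1:5])[0]
        return "jmp_rel32", (start + 5 + rel) & 0xFFFFFFFF
    if len(new) == 4:
        # A 4-byte mismatch inside a table (KiServiceTable) is a replaced pointer.
        return "pointer", struct.unpack("<I", new)[0]
    return "other", None


def follow_jumps(address, max_hops=4):
    """Follow successive e9 jmps until code lands in a known module or stops being a jmp."""
    chain = [address]
    for _ in range(max_hops):
        if module_for(chain[-1]) is not None:
            break
        insn = read_bytes(chain[-1], 5)
        if insn is None or insn[0] != 0xE9:
            break
        chain.append(decode_patch(chain[-1], insn)[1])
    return chain


def parse_chkimg(text):
    """One record per mismatch: symbol, patch kind, first hop, final hop and its module."""
    records, header = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = BYTES_RE.match(line)
        if m and header:
            new = bytes.fromhex(m["new"].replace(" ", ""))
            start = int(header["start"], 16)
            kind, target = decode_patch(start, new)
            chain = follow_jumps(target) if target is not None else []
            final = chain[-1] if chain else None
            records.append({
                "symbol": header["sym"], "start": start, "kind": kind,
                "old": bytes.fromhex(m["old"].replace(" ", "")), "new": new,
                "target": target, "chain": chain, "final": final,
                "module": module_for(final) if final is not None else None,
            })
            header = None
    return records


if __name__ == "__main__":
    for r in parse_chkimg(CHKIMG_OUTPUT):
        hops = " -> ".join(f"{a:08x}" for a in r["chain"])
        print(f"{r['symbol']:<32} {r['kind']:<9} {hops}  => {r['module'] or 'no known module'}")
```

Run stand-alone it prints one line per hooked function. Note what the chain shows for GetDateFormatA: the first hop (37ed0000) lies in no loaded module at all, and only the second hop lands in MyDateTimeHooks.dll, which is why attributing a hook by the immediate jmp target alone is not enough; in a real dump read_bytes would be replaced by reads from the dump, and MODULES by the output of lm.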
June 20th, 2008 at 1:07 pm
[…] specific component that is known to patch the process import table. Applying techniques outlined in Hooked Functions pattern we notice two different 3rd-party components that patched two different modules (kernel 32 […]
August 10th, 2008 at 9:01 am
[…] - Hooked Functions […]
September 19th, 2008 at 7:58 am
[…] I introduced Hooked Functions pattern where I used !chkimg WinDbg command and today after accidentally discovering yet another […]
February 4th, 2009 at 6:13 pm
[…] environment somehow affected this application we checked for the presence of any hooks and found hooked functions in […]
August 31st, 2009 at 2:28 pm
[…] troubleshooting hypothesis. Here is a sample of !analyze -v output showing massive patching (hooked functions pattern) by DriverA […]
May 7th, 2010 at 11:02 pm
[…] is a variation of Hooked Functions pattern for kernel space. In addition to trampoline patching we also see a modified service […]
July 6th, 2010 at 3:50 pm
[…] via windows message hooking mechanism that I call Message Hooks pattern to differentiate it from Hooked Functions pattern. In some cases message hooking becomes a source of aberrant software behaviour including […]
July 7th, 2010 at 4:32 pm
[…] also see a message hook function implemented in DllA. To see if there are any other hooks including patched API we look at the raw […]
August 13th, 2010 at 7:16 pm
[…] We can stop here and still recommend to upgrade AppA product seen from the thread running on the first processor but the fact that the second thread belongs to innocent calc.exe demands some attention. Was it calculating incessantly some financial figures following button clicks from a financial genius? Taking advantage of a complete memory dump and the fact that this process spent most of the time in user space we can check for Hooked Functions pattern: […]
October 18th, 2010 at 9:56 pm
[…] 0x321aaaf address. We see that wininet function was hooked by a code running in 0x0321XXXX […]
October 26th, 2010 at 9:21 pm
[…] command) we see the presence of the whole Pervasive System. It is not just a module that does function and / or message hooking but the whole system of modules from a single vendor that is […]
January 9th, 2012 at 12:03 pm
The simplified version of the command:
!chkimg -db -v ModuleName
For example:
!chkimg -db -v ntdll
February 3rd, 2012 at 3:20 pm
To include the mismatch summary use this version:
!chkimg -db -d -v ModuleName
For example:
!chkimg -db -d -v ntdll
September 25th, 2015 at 2:45 pm
Sometimes, several different modules from different products may patch different functions from the DLL. So, in general, we need to check all reported hooked functions.