Crash Dump Analysis Patterns (Part 38)

Hooking functions with the trampoline method is very common on Windows, and sometimes we need to check for hooked functions in specific modules and determine which module hooked them, for troubleshooting or for memory forensic analysis. If the original, unhooked module images are available (via a symbol server, for example), this can be done with the !chkimg WinDbg extension command:

0:002> !chkimg -lo 50 -d !kernel32 -v
Searching for module with expression: !kernel32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\mss\kernel32.dll\44C60F39102000\kernel32.dll
No range specified

Scanning section:    .text
Size: 564445
Range to scan: 77e41000-77ecacdd
    77e44004-77e44008  5 bytes - kernel32!GetDateFormatA
 [ 8b ff 55 8b ec:e9 f7 bf 08 c0 ]
    77e4412e-77e44132  5 bytes - kernel32!GetTimeFormatA (+0x12a)
 [ 8b ff 55 8b ec:e9 cd be 06 c0 ]
    77e4e857-77e4e85b  5 bytes - kernel32!FileTimeToLocalFileTime (+0xa729)
 [ 8b ff 55 8b ec:e9 a4 17 00 c0 ]
    77e56b5f-77e56b63  5 bytes - kernel32!GetTimeZoneInformation (+0x8308)
 [ 8b ff 55 8b ec:e9 9c 94 00 c0 ]
    77e579a9-77e579ad  5 bytes - kernel32!GetTimeFormatW (+0xe4a)
 [ 8b ff 55 8b ec:e9 52 86 06 c0 ]
    77e57fc8-77e57fcc  5 bytes - kernel32!GetDateFormatW (+0x61f)
 [ 8b ff 55 8b ec:e9 33 80 08 c0 ]
    77e6f32b-77e6f32f  5 bytes - kernel32!GetLocalTime (+0x17363)
 [ 8b ff 55 8b ec:e9 d0 0c 00 c0 ]
    77e6f891-77e6f895  5 bytes - kernel32!LocalFileTimeToFileTime (+0x566)
 [ 8b ff 55 8b ec:e9 6a 07 01 c0 ]
    77e83499-77e8349d  5 bytes - kernel32!SetLocalTime (+0x13c08)
 [ 8b ff 55 8b ec:e9 62 cb 00 c0 ]
    77e88c32-77e88c36  5 bytes - kernel32!SetTimeZoneInformation (+0x5799)
 [ 8b ff 55 8b ec:e9 c9 73 01 c0 ]
Total bytes compared: 564445(100%)
Number of errors: 50
50 errors : !kernel32 (77e44004-77e88c36)

0:002> u 77e44004
kernel32!GetDateFormatA:
77e44004 e9f7bf08c0      jmp     37ed0000
77e44009 81ec18020000    sub     esp,218h
77e4400f a148d1ec77      mov     eax,dword ptr [kernel32!__security_cookie (77ecd148)]
77e44014 53              push    ebx
77e44015 8b5d14          mov     ebx,dword ptr [ebp+14h]
77e44018 56              push    esi
77e44019 8b7518          mov     esi,dword ptr [ebp+18h]
77e4401c 57              push    edi

0:002> u 37ed0000
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for MyDateTimeHooks.dll -
37ed0000 e99b262f2d      jmp     MyDateTimeHooks+0x26a0 (651c26a0)
37ed0005 8bff            mov     edi,edi
37ed0007 55              push    ebp
37ed0008 8bec            mov     ebp,esp
37ed000a e9fa3ff73f      jmp     kernel32!GetDateFormatA+0x5 (77e44009)
37ed000f 0000            add     byte ptr [eax],al
37ed0011 0000            add     byte ptr [eax],al
37ed0013 0000            add     byte ptr [eax],al
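As an added example (not part of the original post, and not WinDbg's or the author's code), here is a small Python script that does by hand what the analysis above does interactively: it parses the !chkimg -d mismatch lines, decodes the patched E9 rel32 near jump to find where each hooked prologue now transfers control, follows the jump chain through the trampoline page, and attributes the final target to a loaded module. The module table and the trampoline page contents are constructed from the addresses shown in the post (the MyDateTimeHooks base is derived from the export-symbol offset printed by u; both module sizes are assumptions), so the script runs offline against those embedded samples.

```python
import re
import struct

# Constructed sample input: the first two !chkimg -d mismatch entries from the post.
CHKIMG_OUTPUT = """\
    77e44004-77e44008  5 bytes - kernel32!GetDateFormatA
 [ 8b ff 55 8b ec:e9 f7 bf 08 c0 ]
    77e4412e-77e44132  5 bytes - kernel32!GetTimeFormatA (+0x12a)
 [ 8b ff 55 8b ec:e9 cd be 06 c0 ]
"""

# Constructed loaded-module table (what "lm" would list). Bases come from the
# post; the sizes are assumed for this example.
MODULES = [
    ("kernel32", 0x77E40000, 0x000C0000),
    ("MyDateTimeHooks", 0x651C0000, 0x00040000),
]

# Constructed memory snapshot: the trampoline page at 37ed0000 as shown by
# "u 37ed0000" in the post (jmp hook; saved prologue; jmp back to the API+5).
MEMORY = {
    0x37ED0000: bytes.fromhex("e99b262f2d" "8bff" "55" "8bec" "e9fa3ff73f" "0000"),
}

ENTRY_RE = re.compile(r"^\s*([0-9a-f]+)-([0-9a-f]+)\s+(\d+) bytes - (\S+)", re.I)
BYTES_RE = re.compile(r"^\s*\[ ([0-9a-f ]+):([0-9a-f ]+) \]", re.I)


def parse_chkimg(text):
    """Return (start, symbol, original_bytes, patched_bytes) for each mismatch:
    an address line followed by its "[ original:patched ]" byte line."""
    entries, pending = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = (int(m.group(1), 16), m.group(4))
            continue
        m = BYTES_RE.match(line)
        if m and pending:
            orig = bytes.fromhex(m.group(1).replace(" ", ""))
            patched = bytes.fromhex(m.group(2).replace(" ", ""))
            entries.append((pending[0], pending[1], orig, patched))
            pending = None
    return entries


def jmp_target(addr, code):
    """Decode an x86 E9 rel32 near jump located at addr; None if code is not one."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]   # signed 32-bit displacement
    return (addr + 5 + rel) & 0xFFFFFFFF       # relative to the next instruction


def module_for(addr):
    """Name the loaded module containing addr as module+offset, or None."""
    for name, base, size in MODULES:
        if base <= addr < base + size:
            return "%s+0x%x" % (name, addr - base)
    return None


def read_memory(addr, n=5):
    """Read n bytes from the constructed snapshot; None if the page is unknown."""
    for base, blob in MEMORY.items():
        if base <= addr < base + len(blob):
            return blob[addr - base: addr - base + n]
    return None


def resolve_hook(start, patched, max_hops=4):
    """Follow the jump chain from a patched prologue until it lands inside a
    loaded module or in memory we cannot read. Returns (final_addr, owner)."""
    addr, code = start, patched
    for _ in range(max_hops):
        target = jmp_target(addr, code)
        if target is None:                 # not a near jmp: stop here
            return addr, module_for(addr)
        owner = module_for(target)
        if owner:                          # landed in a known module
            return target, owner
        code = read_memory(target)         # anonymous page (trampoline?): keep going
        if code is None:
            return target, None
        addr = target
    return addr, module_for(addr)


def analyze(text):
    """Map each hooked symbol to (first_jmp_target, final_target, owner_or_None)."""
    result = {}
    for start, symbol, orig, patched in parse_chkimg(text):
        first = jmp_target(start, patched)
        final, owner = resolve_hook(start, patched)
        result[symbol] = (first, final, owner)
    return result


if __name__ == "__main__":
    for symbol, (first, final, owner) in analyze(CHKIMG_OUTPUT).items():
        print("%-28s jmp %08x -> %08x  %s" % (symbol, first, final, owner or "unknown region"))
```

For GetDateFormatA the chain is 77e44004 -> 37ed0000 -> 651c26a0, which the script attributes to MyDateTimeHooks+0x26a0, matching the u output above; GetTimeFormatA jumps to a second anonymous page (37eb0000) that the snapshot does not contain, so it stays unattributed, which is exactly the case where you would run u on that address next. A 7-byte patch padded with NOPs (as in the kernel example in the comments) decodes the same way, since only the leading E9 and its displacement matter.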

- Dmitry Vostokov @ DumpAnalysis.org -

15 Responses to “Crash Dump Analysis Patterns (Part 38)”

  1. Dmitry Vostokov Says:

    Example from the kernel:

    4: kd> !chkimg -lo 50 -d !nt
    8083351c-80833520 5 bytes - nt!NtYieldExecution
    [ 8b ff 55 8b ec:e9 5c 03 e6 73 ]
    808345d0-808345d3 4 bytes - nt!KiServiceTable+440 (+0x10b4)
    [ 9c c2 8b 80:5c d7 f1 f4 ]
    808eeb1e-808eeb22 5 bytes - nt!NtCreateFile
    [ 8b ff 55 8b ec:e9 1c 4d da 73 ]
    809233b0-809233b4 5 bytes - nt!NtUnmapViewOfSection (+0x34892)
    [ 8b ff 55 8b ec:e9 f2 04 d7 73 ]
    8092d3ae-8092d3b4 7 bytes - nt!NtMapViewOfSection (+0x9ffe)
    [ 6a 38 68 b8 41 80 80:e9 de 64 d6 73 90 90 ]
    80931c90-80931c96 7 bytes - nt!NtProtectVirtualMemory (+0x48e2)
    [ 6a 44 68 d8 43 80 80:e9 be 1b d6 73 90 90 ]
    8094af32-8094af36 5 bytes - nt!NtCreateProcess (+0x192a2)
    [ 8b ff 55 8b ec:e9 32 89 d4 73 ]
    8094c714-8094c718 5 bytes - nt!NtTerminateProcess (+0x17e2)
    [ 8b ff 55 8b ec:e9 12 71 d4 73 ]
    43 errors : !nt (8083351c-8094c718)

    4: kd> u 8094af32
    nt!NtCreateProcess:
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for 3rdPartyAVDriver.sys -
    8094af32 e93289d473      jmp     3rdPartyAVDriver+0x13869 (f4693869)
    8094af37 33c0            xor     eax,eax
    8094af39 f6451c01        test    byte ptr [ebp+1Ch],1
    8094af3d 7401            je      nt!NtCreateProcess+0xe (8094af40)
    8094af3f 40              inc     eax
    8094af40 f6452001        test    byte ptr [ebp+20h],1
    8094af44 7403            je      nt!NtCreateProcess+0x17 (8094af49)
    8094af46 83c802          or      eax,2

  2. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 66) Says:

    […] specific component that is known to patch the process import table. Applying techniques outlined in Hooked Functions pattern we notice two different 3rd-party components that patched two different modules (kernel 32 […]

  3. Crash Dump Analysis » Blog Archive » Hooksware Says:

    […] - Hooked Functions  […]

  4. Crash Dump Analysis » Blog Archive » Hooked Modules Says:

    […] I introduced Hooked Functions pattern where I used !chkimg WinDbg command and today after accidentally discovering yet another […]

  5. Crash Dump Analysis » Blog Archive » NULL code pointer, changed environment and hooked functions: pattern cooperation Says:

    […] environment somehow affected this application we checked for the presence of any hooks and found hooked functions in […]

  6. Crash Dump Analysis » Blog Archive » 10 Common Mistakes in Memory Analysis (Part 5) Says:

    […] troubleshooting hypothesis. Here is a sample of !analyze -v output showing massive patching (hooked functions pattern) by DriverA […]

  7. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 38b) Says:

    […] is a variation of Hooked Functions pattern for kernel space. In addition to trampoline patching we also see a modified service […]

  8. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 100) Says:

    […] via windows message hooking mechanism that I call Message Hooks pattern to differentiate it from Hooked Functions pattern. In some cases message hooking become sources of aberrant software behaviour including […]

  9. Crash Dump Analysis » Blog Archive » Spiking thread, main thread, message hooks, hooked functions, semantic split, coincidental symbolic information and not my version: pattern cooperation Says:

    […] also see a message hook function implemented in DllA. To see if there are any other hooks including patched API we look at the raw […]

  10. Crash Dump Analysis » Blog Archive » Truncated dump, spiking thread, not my version and hooked functions: pattern cooperation Says:

    […] We can stop here and still recommend to upgrade AppA product seen from the thread running on the first processor but the fact that the second thread belongs to innocent calc.exe demands some attention. Was it calculating incessantly some financial figures following button clicks from a financial genius? Taking advantage of a complete memory dump and the fact that this process spent most of the time in user space we can check for Hooked Functions pattern: […]

  11. Crash Dump Analysis » Blog Archive » Crash Dump Analysis of Defective Malware: A Case Study Says:

    […] 0x321aaaf address. We see that wininet function was hooked by a code running in 0x0321XXXX […]

  12. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 111) Says:

    […] command) we see the presence of the whole Pervasive System. It is not just a module that does function and / or message hooking but the whole system of modules from a single vendor that is […]

  13. Dmitry Vostokov Says:

    The simplified version of the command:

    !chkimg -db -v ModuleName

    For example:

    !chkimg -db -v ntdll

  14. Dmitry Vostokov Says:

    To include the mismatch summary use this version:

    The simplified version of the command:

    !chkimg -db -d -v ModuleName

    For example:

    !chkimg -db -d -v ntdll

  15. Dmitry Vostokov Says:

    Sometimes, several different modules from different products may patch different functions from the DLL. So, in general, we need to check all reported hooked functions.
