Using Un-Exported API

Hi
I want to get all the services in the system. For this purpose I need to use ZwEnumerateKey, but this might be hooked, so I want to use NtEnumerateKey of ntoskrnl.exe, but this API is not exported.
How can I use this API?
I read the threads similar to this topic but couldn't conclude anything from them.
Also googling didn't lead me to anything.
Please help.
(I am sorry if it sounds annoying.)

You cannot use an unexported API. Basically you would need to track
down the exact offset of the entry point in the kernel and call there,
and if you can do it the people hooking can do it. As has been said way
too many times on this forum, if your system is compromised you are not
going to be able to stop the MALWARE!

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


Okay I get that, but is there any other way to get the hidden services ?

No, there is no way. You are not going to be able to make a stable
driver trying to use un-exported APIs; it just does not work.

Don Burn (MVP, Windows DKD)


But there are utilities like GMER that display the hidden services.

AFAIK they don't use un-exported calls, and they are not particularly
reliable. Bottom line: once a system is infected, you are in deep
trouble. Search for malware and/or rootkits on this forum; it has been
discussed for years, with every new person thinking they will "fix the
system" and being told it won't work.

Don Burn (MVP, Windows DKD)


Thanks. :slight_smile:

Keeping in mind what Don just said, which is absolutely true:

Many rootkits hide themselves from the task manager's list and also from
the kernel-mode APIs used to query and fetch information. However, they still
need to schedule themselves and their threads still need to run :slight_smile: There is
something called the PspCidTable which is your final place to hunt down
these services.

Google it; there is a score of info on it, and also some well-known commercial
rootkit hunters that do that...

http://helios.miel-labs.com/downloads/process_scan.pdf
http://uninformed.org/index.cgi?v=3&a=7&p=6
http://forum.sysinternals.com/hiding-a-process-pspcidtable_topic15362.html

Please note: I am not advocating usage of this technique, or the instability
(if any) caused by its usage. I am simply trying to answer a question that was
asked in this forum.

thanks

amitr0


>>But there are utilities like GMER that display the hidden services.<<

They do, but they also warn that the solution is unreliable and it can BSOD.

Thank you

Okay. Other than the non-exported APIs, there has to be some other way to get the hidden services.

Anti-rootkits parse registry files manually; they don't use Reg- APIs or
their kernel-mode equivalents.


Can you define 'a hidden service'?

Is it a running service, or an on-disk file meant to run as a service when
loaded?


- amitr0

>>anti-rootkits parse registry files manually, they don’t use Reg- APIs or their kernel-mode equivalents<<

It might be slow. If I were a rootkit, I'd also hook fs operations and watch registry files, just in case.

On a similar subject: one should not forget about simple solutions as well. Recently, one of my customers sent me a log of a failing MSI installation, asking why it fails.

After looking into the log file I saw that I could not regopen, with read access, a service registry key named "tdsserv" in order to get its tag (I try to read the tags of the PNP_TDI group). It failed with access denied.

Therefore, it was quite an indirect method of rootkit detection :slight_smile: because tdsserv turned out to be a trojan/rootkit/malware after some googling. The customer was happy :slight_smile:

>> parse registry files manually <<

I googled it but in vain. Please throw some light on it.

Firstly, Windows does not allow access to the registry files in %systemroot%\system32\config.
Somehow I managed to make a copy of the "System" registry file.
Now what? I don't know its structure. How do I get the keys and subkeys?

You parse it.

What's the format, you ask? Well, my friend, you'll have to figure that out. That's what makes the project interesting. As we say in the States, "that's why you make the big bucks" -- if it was easy, everyone would do it and there'd be no need for the product you're working on.

Here’s a hint you apparently didn’t think of: Google is your friend.

Peter
OSR
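As an added illustration of what "you parse it" and the earlier "anti-rootkits parse registry files manually" reply amount to (example code written for this page, not from any poster or tool): a minimal reader for the regf hive format that walks the base block, the nk key cells and the lf/lh/li/ri subkey lists and enumerates the subkeys under Services straight from the file bytes, so no Reg- API or Zw/Nt call is involved. It assumes the publicly documented on-disk layout (4 KiB base block, root cell offset at +36, cell offsets relative to the first hbin, 76-byte fixed nk body) and builds a tiny sample hive in memory so it runs offline; against a copied System hive you would pass its bytes and a path such as ControlSet001\Services.

```python
import struct

def _cell(buf, off):
    # Offsets are relative to the first hbin at file offset 0x1000; a cell starts with a signed size (negative = allocated).
    size = struct.unpack_from("<i", buf, 0x1000 + off)[0]
    return buf[0x1000 + off + 4:0x1000 + off + abs(size)]

def _subkey_offsets(buf, list_off):
    lst = _cell(buf, list_off)
    sig, count = lst[:2], struct.unpack_from("<H", lst, 2)[0]
    step = {b"lf": 8, b"lh": 8, b"li": 4, b"ri": 4}[sig]  # lf/lh: (offset, hash) pairs; li: bare offsets; ri: list of lists
    offs = [struct.unpack_from("<I", lst, 4 + step * i)[0] for i in range(count)]
    return [o for r in offs for o in _subkey_offsets(buf, r)] if sig == b"ri" else offs

def _children(buf, nk_off):
    # Map subkey name -> nk cell offset for the key cell at nk_off.
    nk = _cell(buf, nk_off)
    assert nk[:2] == b"nk", "not a key cell at 0x%x" % nk_off
    count, _volatile, list_off = struct.unpack_from("<III", nk, 20)
    out = {}
    for o in (_subkey_offsets(buf, list_off) if count else []):
        child = _cell(buf, o)
        flags, nlen = struct.unpack_from("<H", child, 2)[0], struct.unpack_from("<H", child, 72)[0]
        raw = child[76:76 + nlen]  # name follows the 76-byte fixed nk body; flag 0x20 = 8-bit (compressed) name
        out[raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le")] = o
    return out

def list_subkeys(hive, path):
    # Subkey names under `path` (backslash-separated, relative to the hive root), read from the raw file bytes.
    assert hive[:4] == b"regf", "not a regf hive"
    off = struct.unpack_from("<I", hive, 36)[0]  # base block +36: root key cell offset
    for part in filter(None, path.split("\\")):
        off = {k.lower(): v for k, v in _children(hive, off).items()}[part.lower()]
    return sorted(_children(hive, off))

def build_sample_hive():
    # Constructed sample (not a real file): ROOT\Services\{Beep, tdsserv}. The base-block checksum is left zero.
    cells = bytearray()
    def add(payload):  # append an allocated, 8-byte aligned cell and return its hive-relative offset
        size = (len(payload) + 4 + 7) & ~7
        cells.extend(struct.pack("<i", -size) + payload.ljust(size - 4, b"\0"))
        return 32 + len(cells) - size
    def nk(name, kids=()):  # kids: offsets of child nk cells already written
        lst = add(b"lf" + struct.pack("<H", len(kids)) + b"".join(struct.pack("<I", k) + b"\0" * 4 for k in kids)) if kids else 0
        return add(b"nk" + struct.pack("<H", 0x20) + b"\0" * 16 + struct.pack("<III", len(kids), 0, lst) + b"\0" * 40 + struct.pack("<HH", len(name), 0) + name)
    root = nk(b"ROOT", [nk(b"Services", [nk(b"Beep"), nk(b"tdsserv")])])
    hsize = (32 + len(cells) + 4095) & ~4095
    hbin = (b"hbin" + struct.pack("<II", 0, hsize) + b"\0" * 20 + bytes(cells)).ljust(hsize, b"\0")
    base = (b"regf" + struct.pack("<II", 1, 1) + b"\0" * 8 + struct.pack("<IIIIII", 1, 5, 0, 1, root, hsize)).ljust(4096, b"\0")
    return base + hbin
```

Comparing the names this returns for Services with what the live SCM or the registry API reports is the kind of cross-view check the thread's anti-rootkit tools rely on; the parser does not validate the base-block checksum or the dirty/log state, which a production tool should.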