flat assembler
Message board for the users of flat assembler.

Thread: Backtrack creation of file in c:\windows\system directory (forum: Heap)

Fixit
Joined: 22 Nov 2012
Posts: 161
There was a veering off course on the thread, so I started a new one.

Say an app put a .dll in the system32 directory that should not be there.

The app disables virus scanners and does not allow their reinstallation.

I removed the dll and the problems stopped.

The file is on a Linux partition for safe keeping.

There are no strings in it.

Maybe it's packed.

I was wondering if there would be a way of examining the dll to see what put it there?

In other words, backtrack to what copied or created the file.

Thanks.
Post 26 Aug 2013, 04:03
bitRAKE
Joined: 21 Jul 2003
Posts: 2914
Location: [RSP+8*5]
Use IDA to disassemble it. There doesn't need to be a back-link of any type to the dropper. Search the registry for the DLL filename. Can also use the Sysinternals tools to search for the filename. Mark Russinovich has some videos showing how to trace anomalies.
Post 26 Aug 2013, 05:21
sinsi
Joined: 10 Aug 2007
Posts: 695
Location: Adelaide
You might get an idea of when it was dropped by looking at "date created".
It sounds like the front-end for a rootkit.

A dll in system or system32?
Post 26 Aug 2013, 06:12
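A worked example, added here and not code from any poster in this thread: a small Python triage script for the copied DLL that follows up the three suggestions above from the sample itself rather than from the live box. It reads the PE headers (the COFF TimeDateStamp is the linker's build time, a second clock to set beside the NTFS "date created" sinsi mentions; it is trivially forged, so it is a hint, not proof), lists each section with its Shannon entropy, extracts printable strings the way the `strings` tool does, and flags the usual signs behind "no strings, maybe packed": a well-known packer section name, a section that is empty on disk but large in memory, entropy near 8 bits/byte, and no import table at all. Nothing on this page says what the real pkiviewt.dll contains, so the image the script builds when run with no arguments is constructed to mimic a UPX-style layout purely so the code runs offline; the packer section-name list, the 7.0 entropy threshold and the "two indicators" rule are assumptions of this example, not facts from the thread.

```python
"""PE triage for a suspect DLL copied off a Windows box.

Added example, not code from this thread. Standard library only, so it runs
from the Linux partition where the sample is kept. The image built by
build_sample_dll() is constructed for the demo and is NOT the real pkiviewt.dll.
"""
import hashlib
import math
import re
import struct
import sys
from collections import Counter
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000           # COFF Characteristics flag: image is a DLL
HIGH_ENTROPY = 7.0                # bits/byte; compressed or encrypted data sits near 8 (assumed threshold)
# Section names used by well-known packers (assumed list, extend as needed).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        "MPRESS1", "MPRESS2", ".vmp0", ".vmp1", ".themida"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF header, import data directory and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = 96 if magic == 0x10B else 112                    # data directories: PE32 vs PE32+
    import_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]  # directory entry 1 = import table
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]                   # bytes actually present on disk
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    # TimeDateStamp is the linker's build time (seconds since 1970); easily forged, so only a hint.
    return {"machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL), "timestamp": tstamp,
            "compile_time": datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "import_rva": import_rva, "sections": sections}


def triage(data: bytes) -> dict:
    """Parsed headers plus packer indicators and printable strings."""
    pe = parse_pe(data)
    hits = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append("packer section name %s" % s["name"])
        if s["entropy"] > HIGH_ENTROPY:
            hits.append("entropy %.2f in %s" % (s["entropy"], s["name"]))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append("%s empty on disk but %#x bytes in memory (unpack target)" % (s["name"], s["virtual_size"]))
    if pe["import_rva"] == 0:
        hits.append("no import table at all (real DLLs nearly always import something)")
    pe["strings"] = printable_strings(data)
    pe["indicators"] = hits
    pe["likely_packed"] = len(hits) >= 2      # assumed rule: two independent signs before calling it packed
    return pe


def build_sample_dll() -> bytes:
    """Constructed PE32 DLL with a UPX-like layout. Demo input only, not a real file."""
    tstamp = 1377388800                                   # 2013-08-25 00:00:00 UTC, chosen for the demo
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 3, tstamp, 0, 0, 224, 0x2102)  # i386, 3 sections, EXE|32BIT|DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes; import directory left at 0
    hdr = lambda n, vs, va, rs, rp: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0xE0000040)
    packed, blk = b"", b"constructed packed blob"
    while len(packed) < 0x1000:                           # deterministic high-entropy filler
        blk = hashlib.sha256(blk).digest()
        packed += blk
    rsrc = b"example resource text\0".ljust(0x200, b"\0")  # constructed low-entropy section
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + hdr(b"UPX0", 0x10000, 0x1000, 0, 0)      # empty on disk, big in memory
               + hdr(b"UPX1", 0x1000, 0x11000, 0x1000, 0x200)
               + hdr(b".rsrc", 0x200, 0x12000, 0x200, 0x1200))
    return headers.ljust(0x200, b"\0") + packed + rsrc


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll()
    r = triage(blob)
    print("DLL: %s  compiled: %s  imports: %s" % (r["is_dll"], r["compile_time"], "yes" if r["import_rva"] else "none"))
    for s in r["sections"]:
        print("  %-8s raw=%#7x virt=%#7x entropy=%.2f" % (s["name"], s["raw_size"], s["virtual_size"], s["entropy"]))
    for h in r["indicators"]:
        print("  ! " + h)
    print("likely packed: %s, %d printable strings" % (r["likely_packed"], len(r["strings"])))
```

Run it as `python3 pe_triage.py /mnt/linux/pkiviewt.dll` against the saved copy. If it reports "likely packed", the lack of strings is expected and IDA will mostly show the unpacking stub; the payload only appears after unpacking (or after dumping it from memory), and that is where import names, registry paths and the dropper's own markers would turn up, if any exist.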
Fixit
Joined: 22 Nov 2012
Posts: 161
Code:

Part of what is inside CollectedData_1035.xml in C:\WINDOWS\pchealth\helpctr\DataColl

CLASSNAME="Win32_StartupCommand"><KEYBINDING NAME="Command"><KEYVALUE VALUETYPE="string">pkiviewt.dll</KEYVALUE></KEYBINDING><KEYBINDING NAME="Location"><KEYVALUE VALUETYPE="string">Startup</KEYVALUE></KEYBINDING><KEYBINDING NAME="Name"><KEYVALUE 

Found this in the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\0]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\SYSTEM32\\PKIVIEWT.DLL"
"Source"="
Post 26 Aug 2013, 13:05
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.