ROOTREPEAL (c) AD, 2007-2009 ================================================== Scan Start Time: 2010/05/29 15:31 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xB5045000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF79AD000 Size: 8192 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xB2F65000 Size: 49152 File Visible: No Signed: - Status: - Hidden/Locked Files ------------------- Path: C:\hiberfil.sys Status: Locked to the Windows API! SSDT ------------------- #: 011 Function Name: NtAdjustPrivilegesToken Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed458c #: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed4e0c #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5922 #: 035 Function Name: NtCreateEvent Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5e94 #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed50ee #: 041 Function Name: NtCreateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3436 #: 043 Function Name: NtCreateMutant Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5d6c #: 044 Function Name: NtCreateNamedPipeFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed4192 #: 046 Function Name: NtCreatePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5c28 #: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed434e #: 051 Function Name: NtCreateSemaphore Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5fc6 #: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed7c08 #: 053 Function Name: NtCreateThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed4aaa #: 056 Function Name: NtCreateWaitablePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5cca #: 057 Function Name: NtDebugActiveProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed75fa #: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed39fa #: 065 Function Name: NtDeleteValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3d88 #: 066 Function Name: NtDeviceIoControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5576 #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed85ca #: 071 Function Name: NtEnumerateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3eca #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3f74 #: 084 Function Name: NtFsControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5382 #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed768c #: 098 Function Name: NtLoadKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3412 #: 099 Function Name: NtLoadKey2 Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3424 #: 108 Function Name: NtMapViewOfSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed7cbc #: 111 Function Name: NtNotifyChangeKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed40c0 #: 114 Function Name: NtOpenEvent Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5f36 #: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed4e8e #: 119 Function Name: NtOpenKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed35dc #: 120 Function Name: NtOpenMutant Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed5e04 #: 122 Function Name: NtOpenProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed4792 #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed7c32 #: 126 Function Name: NtOpenSemaphore Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed6068 #: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed46b6 #: 160 Function Name: NtQueryKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed401e #: 161 Function Name: NtQueryMultipleValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3c46 #: 167 Function Name: NtQuerySection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed7fd4 #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3896 #: 180 Function Name: NtQueueApcThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed7922 #: 192 Function Name: NtRenameKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3b0e #: 193 Function Name: NtReplaceKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed32b0 #: 194 Function Name: NtReplyPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed63f2 #: 195 Function Name: NtReplyWaitReceivePort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed62b8 #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed739a #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5edae2c #: 206 Function Name: NtResumeThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed84ac #: 207 Function Name: NtSaveKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed3248 #: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed565c #: 213 Function Name: NtSetContextThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed4cc8 #: 230 Function Name: NtSetInformationToken Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed6c4a #: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed7786 #: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed8114 #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed371e #: 253 Function Name: NtSuspendProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed81f8 #: 254 Function Name: NtSuspendThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed8320 #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed7526 #: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed490a #: 258 Function Name: NtTerminateThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed4860 #: 267 Function Name: NtUnmapViewOfSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed7e8a #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ed49ea Shadow SSDT ------------------- #: 013 Function Name: NtGdiBitBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5ca6 #: 227 Function Name: NtGdiMaskBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5d70 #: 237 Function Name: NtGdiPlgBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5dda #: 292 Function Name: NtGdiStretchBlt Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5d0a #: 307 Function Name: NtUserAttachThreadInput Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee58ba #: 323 Function Name: NtUserCallOneParam Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5c72 #: 378 Function Name: NtUserFindWindowEx Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5aa8 #: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5822 #: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5baa #: 416 Function Name: NtUserGetKeyState Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee586e #: 460 Function Name: NtUserMessageCall Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee59fa #: 475 Function Name: NtUserPostMessage Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5950 #: 476 Function Name: NtUserPostThreadMessage Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee59a4 #: 491 Function Name: NtUserRegisterRawInputDevices Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5b3a #: 502 Function Name: NtUserSendInput Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5a5a #: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee5772 #: 552 Function Name: NtUserSetWinEventHook Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xb5ee57c8 ==EOF==