Wednesday, 29 April 2015

Cezurity cota in wincheck logs

Nothing new or particularly interesting, actually:
SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
SDT entry 7A (ZwOpenProcess) hooked BA800060 !
SDT entry 80 (ZwOpenThread) hooked BA800096 !
SDT entry C1 (ZwReplaceKey) hooked BA800138 !
SDT entry CC (ZwRestoreKey) hooked BA80016E !
SDT entry ED (ZwSetSecurityObject) hooked BA800102 !


Process notifiers:
[0] B9BB78D0 cz_cota.sys


Registry notifiers:
[0] B9BBCC10 cz_cota.sys


IopNotifyLastChanceShutdownQueueHead:
 [0] DevObj 8AF07F18 Drv 8AF2CB40 \??\C:\WINDOWS\system32\Drivers\cz_ddall.sys

And new fltmgr instances (one registered by cz_cotam.sys, one by cz_cota.sys):
 INSTANCE 8AA5F720:
  IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION: 8AA5F864
   PreOperation:            B9718EE0 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_CREATE: 8AA5F8AC
   PreOperation:            B9719270 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_WRITE: 8AA5F894
   PreOperation:            B9719020 cz_cotam.sys
   PostOperation:           00000000
  IRP_MJ_SET_INFORMATION: 8AA5F87C
   PreOperation:            B9718F50 cz_cotam.sys
   PostOperation:           B9718FA0 cz_cotam.sys
  IRP_MJ_CLEANUP: 8AA5F8C4
   PreOperation:            B9718FD0 cz_cotam.sys
   PostOperation:           B9719000 cz_cotam.sys

 INSTANCE 8AAA2008:
  IRP_MJ_CREATE: 8AAA214C
   PreOperation:            B9BC3AE0 cz_cota.sys
   PostOperation:           B9BC3A40 cz_cota.sys
  IRP_MJ_SET_INFORMATION: 8AAA2164
   PreOperation:            B9BC3930 cz_cota.sys
   PostOperation:           00000000
