Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: saos on February 13, 2012, 03:34:50 PM

Title: avast and Windows API hooks
Post by: saos on February 13, 2012, 03:34:50 PM
I would like to know which (if any) APIs avast hooks in Windows 7 for the real-time protection features.

A couple of anti-rootkit programs (namely Gmer and Rootkit Buster) showed many API hooks apparently coming from avast. I also ran TDSSKiller, which didn't show any rootkit, which made me believe that the hooks I'm seeing are really from avast.

Could anyone confirm this and provide a list of legitimate API hooks by avast?

Thanks in advance.
Title: Re: avast and Windows API hooks
Post by: Pondus on February 13, 2012, 05:50:37 PM
Do you have a virus problem?

Note: the Gmer rootkit scan is already integrated in avast:
http://www.avast.com/pr-avast!-gmer-technology-gets-top-score-in-rootkit-detection-tests
Title: Re: avast and Windows API hooks
Post by: saos on February 13, 2012, 07:07:47 PM
I'm not sure it is a virus. That's what I'm trying to find out.

A full system scan with avast finds nothing, and the same happens with Trend Micro HouseCall. But as I mentioned before, the last time I checked for rootkits with Rootkit Buster I got a few entries like this:

[HOOKED_SERVICE_API]:
     Service API     : ZwAddBootEntry
     Image Path      : C:\Windows\System32\Drivers\aswSnx.SYS
     OriginalHandler : 0x8313f4be
     CurrentHandler  : 0x8fa7efc4
     ServiceNumber   : 0x9
     ModuleName      : aswSnx.SYS
     SDTType         : 0x0

I recently installed avast on my Windows 7 machine, so I'm guessing that these are API hooks from avast, but I'm just trying to confirm everything is OK.

Thanks.
Title: Re: avast and Windows API hooks
Post by: Pondus on February 13, 2012, 07:10:18 PM
If you suspect infection, follow this guide and attach all logs (do not copy and paste):
http://forum.avast.com/index.php?topic=53253.0
Title: Re: avast and Windows API hooks
Post by: DavidR on February 13, 2012, 09:43:50 PM
@ saos
This: C:\Windows\System32\Drivers\aswSnx.SYS is the avast sandbox driver (avast! Virtualization Driver / AVAST Software).
Title: Re: avast and Windows API hooks
Post by: pk on February 13, 2012, 10:47:56 PM
@saos, yes, avast hooks several system APIs (as do other AVs and security programs). Most hooks are done by the sandbox/autosandbox driver (aswSnx.sys) or the behavior shield (aswSP.sys). GMER shows you all hooked APIs, and if you scan processes in GMER, it will show you our injected DLL (snxhk.dll) in those processes.
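The practical question in this thread is how to tell an expected AV hook from an unexpected one when an anti-rootkit tool lists SSDT hooks. As an added example (not code from the thread, from Avast, or from Trend Micro), the script below parses the [HOOKED_SERVICE_API] record format that saos pasted and triages each hook: the owning module must match its image path, live under System32\drivers, and be one of the drivers pk's reply attributes the hooks to (aswSnx.sys, aswSP.sys). The first sample record is the one from the thread; the unkdrv.sys and xyzdrv.sys records, their addresses and service numbers are constructed for illustration and do not refer to real drivers.

```python
"""Triage SSDT hook records from an anti-rootkit log (constructed example)."""
import ntpath
import re
from dataclasses import dataclass

HEADER = "[HOOKED_SERVICE_API]:"
# "Key   : value"; the key may contain a space ("Image Path"), the value a colon (C:\...).
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$")

# Drivers the thread attributes the hooks to (pk's reply). Extend for other products.
KNOWN_AV_DRIVERS = {"aswsnx.sys", "aswsp.sys"}
DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class Hook:
    service_api: str
    image_path: str
    original_handler: int
    current_handler: int
    service_number: int
    module_name: str
    sdt_type: int


def _build(fields):
    """Turn one parsed record (keys lower-cased, spaces removed) into a Hook."""
    return Hook(
        service_api=fields["serviceapi"],
        image_path=fields["imagepath"],
        original_handler=int(fields["originalhandler"], 16),
        current_handler=int(fields["currenthandler"], 16),
        service_number=int(fields["servicenumber"], 16),
        module_name=fields["modulename"],
        sdt_type=int(fields["sdttype"], 16),
    )


def parse_hooks(text):
    """Parse every [HOOKED_SERVICE_API] block in the log text."""
    hooks, current = [], None
    for line in text.splitlines():
        if line.strip() == HEADER:
            if current:
                hooks.append(_build(current))
            current = {}
            continue
        if current is None:  # text before the first record header
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).replace(" ", "").lower()] = m.group(2)
    if current:
        hooks.append(_build(current))
    return hooks


def triage(hook, known=KNOWN_AV_DRIVERS):
    """Return a list of findings; an empty list means the hook looks expected."""
    findings = []
    base = ntpath.basename(hook.image_path).lower()
    if base != hook.module_name.lower():
        findings.append("module name does not match image path")
    # Assumes the tool reports a Win32 path; a \SystemRoot\ prefix would need mapping first.
    if ntpath.dirname(hook.image_path).lower() != DRIVER_DIR:
        findings.append("hooking module outside System32\\drivers")
    if base not in known:
        findings.append("hooking module not in expected AV driver list")
    if hook.original_handler == hook.current_handler:
        findings.append("reported as hooked but handlers are identical")
    return findings


def suspicious_hooks(hooks):
    """Hooks that need a human look (signature/publisher check, or the forum's log process)."""
    return [h for h in hooks if triage(h)]


# Constructed log: record 1 is from the thread, records 2 and 3 are hypothetical.
SAMPLE_LOG = r"""
[HOOKED_SERVICE_API]:
     Service API     : ZwAddBootEntry
     Image Path      : C:\Windows\System32\Drivers\aswSnx.SYS
     OriginalHandler : 0x8313f4be
     CurrentHandler  : 0x8fa7efc4
     ServiceNumber   : 0x9
     ModuleName      : aswSnx.SYS
     SDTType         : 0x0
[HOOKED_SERVICE_API]:
     Service API     : ZwOpenProcess
     Image Path      : C:\Windows\System32\Drivers\unkdrv.sys
     OriginalHandler : 0x8313f000
     CurrentHandler  : 0x8fa7e000
     ServiceNumber   : 0xbe
     ModuleName      : unkdrv.sys
     SDTType         : 0x0
[HOOKED_SERVICE_API]:
     Service API     : ZwQueryDirectoryFile
     Image Path      : C:\Users\Public\tmp\xyzdrv.sys
     OriginalHandler : 0x83140000
     CurrentHandler  : 0x9a000000
     ServiceNumber   : 0x91
     ModuleName      : other.sys
     SDTType         : 0x0
"""

if __name__ == "__main__":
    for h in parse_hooks(SAMPLE_LOG):
        verdict = triage(h) or ["expected AV hook"]
        print(f"{h.service_api:22} {h.module_name:12} {'; '.join(verdict)}")
```

The "not in expected AV driver list" finding is a prompt to check the file's Authenticode signature and publisher, not evidence of infection on its own; a hook owned by a module outside System32\drivers, or whose module name disagrees with its image path, is the kind of entry that warrants the log-attachment procedure Pondus linked rather than a guess.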
Title: Re: avast and Windows API hooks
Post by: saos on February 14, 2012, 06:41:13 PM
Yes, @pk and @DavidR, most hooks were from aswSnx.sys, a few from aswSP.sys.

There is also a kernel patch at ZwCreateProcessEx, which I assume is also part of the real-time shields.

Thanks.