« previous next »
Pages: [1]   Go Down

Author Topic: avast and Windows API hooks  (Read 3574 times)

0 Members and 1 Guest are viewing this topic.

saos

  • Guest
avast and Windows API hooks
« on: February 13, 2012, 03:34:50 PM »
I would like to  know which (if any) api avast hooks to in Windows 7 for the real time protection features.

A couple of anti rootkit programs (namely Gmer and Rootkit Buster) showed many API hooks apparently comingo from avast. I alo ran TDSSKiller, which didn´t show any rootkit, which made me believe that the hooks I´m seeing are really from avast.

Anyone could confirm this and provide a list of legit api hooks by avast?

Thanks in advance.
Logged

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: avast and Windows API hooks
« Reply #1 on: February 13, 2012, 05:50:37 PM »
do you have a virus problem ?

OBS: and Gmer rootkit scan is already integrated in avast 
http://www.avast.com/pr-avast!-gmer-technology-gets-top-score-in-rootkit-detection-tests
« Last Edit: February 13, 2012, 05:53:45 PM by Pondus »
Logged

saos

  • Guest
Re: avast and Windows API hooks
« Reply #2 on: February 13, 2012, 07:07:47 PM »
I´m not sure it is a virus. That´s what I´m trying to find out.

A full system scan with avast finds nothing, the same happens with Trendmicro Housecall. But as I mentioned befor, the last time I checked for rootkits with Rootkit Buster I got a few entries like this:

[HOOKED_SERVICE_API]:
     Service API     : ZwAddBootEntry
     Image Path      : C:\Windows\System32\Drivers\aswSnx.SYS
     OriginalHandler : 0x8313f4be
     CurrentHandler  : 0x8fa7efc4
     ServiceNumber   : 0x9
     ModuleName      : aswSnx.SYS
     SDTType         : 0x0

A recently installed avast on my Windows 7 machine, so I´m guessing that these are API hooks from avast, but I´m just trying to confirm everything is ok.

Thanks.
Logged

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: avast and Windows API hooks
« Reply #3 on: February 13, 2012, 07:10:18 PM »
if you suspect infection, follow this guide and attach all logs...not copy and paste
http://forum.avast.com/index.php?topic=53253.0
Logged

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89031
  • No support PMs thanks
Re: avast and Windows API hooks
« Reply #4 on: February 13, 2012, 09:43:50 PM »
@ saos
This :C:\Windows\System32\Drivers\aswSnx.SYS is the avast sandbox driver (avast! Virtualization Driver/AVAST Software).
Logged
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re: avast and Windows API hooks
« Reply #5 on: February 13, 2012, 10:47:56 PM »
@saos, yes, avast hooks several system APIs (as other AVs or security programs). The most hooks are done from sandbox/autosandbox driver (aswSnx.sys) or behavior shield (aswSP.sys). GMER show you all hooked APIs and if you scan processes in GMER, then it'll show you our injected DLL (snxhk.dll) in those processes.
Logged

saos

  • Guest
Re: avast and Windows API hooks
« Reply #6 on: February 14, 2012, 06:41:13 PM »
yes, @pk and @DavidR, most hooks where from aswSynx.sys, a few from aswSp.sys.

there is also a kernel patch at ZwCreateProcessEx, which I assume is also part of the real-time shields.

thanks.
Logged
Pages: [1]   Go Up
« previous next »