ROOTREPEAL (c) AD, 2007-2009 ================================================== Scan Start Time: 2009/11/30 11:42 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== SSDT ------------------- #: 000 Function Name: NtAcceptConnectPort Status: Not hooked #: 001 Function Name: NtAccessCheck Status: Not hooked #: 002 Function Name: NtAccessCheckAndAuditAlarm Status: Not hooked #: 003 Function Name: NtAccessCheckByType Status: Not hooked #: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm Status: Not hooked #: 005 Function Name: NtAccessCheckByTypeResultList Status: Not hooked #: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm Status: Not hooked #: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle Status: Not hooked #: 008 Function Name: NtAddAtom Status: Not hooked #: 009 Function Name: NtAddBootEntry Status: Not hooked #: 010 Function Name: NtAdjustGroupsToken Status: Not hooked #: 011 Function Name: NtAdjustPrivilegesToken Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20a72 #: 012 Function Name: NtAlertResumeThread Status: Not hooked #: 013 Function Name: NtAlertThread Status: Not hooked #: 014 Function Name: NtAllocateLocallyUniqueId Status: Not hooked #: 015 Function Name: NtAllocateUserPhysicalPages Status: Not hooked #: 016 Function Name: NtAllocateUuids Status: Not hooked #: 017 Function Name: NtAllocateVirtualMemory Status: Not hooked #: 018 Function Name: NtAreMappedFilesTheSame Status: Not hooked #: 019 Function Name: NtAssignProcessToJobObject Status: Not hooked #: 020 Function Name: NtCallbackReturn Status: Not hooked #: 021 Function Name: NtCancelDeviceWakeupRequest Status: Not hooked #: 022 Function Name: NtCancelIoFile Status: Not hooked #: 023 Function Name: NtCancelTimer Status: Not hooked #: 024 Function Name: NtClearEvent Status: Not hooked #: 025 Function Name: NtClose Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf2101e #: 026 Function Name: NtCloseObjectAuditAlarm Status: Not hooked #: 027 Function Name: NtCompactKeys Status: Not hooked #: 028 Function Name: NtCompareTokens Status: Not hooked #: 029 Function Name: NtCompleteConnectPort Status: Not hooked #: 030 Function Name: NtCompressKey Status: Not hooked #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf22a82 #: 032 Function Name: NtContinue Status: Not hooked #: 033 Function Name: NtCreateDebugObject Status: Not hooked #: 034 Function Name: NtCreateDirectoryObject Status: Not hooked #: 035 Function Name: NtCreateEvent Status: Not hooked #: 036 Function Name: NtCreateEventPair Status: Not hooked #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf22438 #: 038 Function Name: NtCreateIoCompletion Status: Not hooked #: 039 Function Name: NtCreateJobObject Status: Not hooked #: 040 Function Name: NtCreateJobSet Status: Not hooked #: 041 Function Name: NtCreateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf201e8 #: 042 Function Name: NtCreateMailslotFile Status: Not hooked #: 043 Function Name: NtCreateMutant Status: Not hooked #: 044 Function Name: NtCreateNamedPipeFile Status: Not hooked #: 045 Function Name: NtCreatePagingFile Status: Not hooked #: 046 Function Name: NtCreatePort Status: Not hooked #: 047 Function Name: NtCreateProcess Status: Not hooked #: 048 Function Name: NtCreateProcessEx Status: Not hooked #: 049 Function Name: NtCreateProfile Status: Not hooked #: 050 Function Name: NtCreateSection Status: Not hooked #: 051 Function Name: NtCreateSemaphore Status: Not hooked #: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf243e4 #: 053 Function Name: NtCreateThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20e1a #: 054 Function Name: NtCreateTimer Status: Not hooked #: 055 Function Name: NtCreateToken Status: Not hooked #: 056 Function Name: NtCreateWaitablePort Status: Not hooked #: 057 Function Name: NtDebugActiveProcess Status: Not hooked #: 058 Function Name: NtDebugContinue Status: Not hooked #: 059 Function Name: NtDelayExecution Status: Not hooked #: 060 Function Name: NtDeleteAtom Status: Not hooked #: 061 Function Name: NtDeleteBootEntry Status: Not hooked #: 062 Function Name: NtDeleteFile Status: Not hooked #: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf2062a #: 064 Function Name: NtDeleteObjectAuditAlarm Status: Not hooked #: 065 Function Name: NtDeleteValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf2082a #: 066 Function Name: NtDeviceIoControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf22744 #: 067 Function Name: NtDisplayString Status: Not hooked #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf248f0 #: 069 Function Name: NtDuplicateToken Status: Not hooked #: 070 Function Name: NtEnumerateBootEntries Status: Not hooked #: 071 Function Name: NtEnumerateKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20940 #: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx Status: Not hooked #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf209a8 #: 074 Function Name: NtExtendSection Status: Not hooked #: 075 Function Name: NtFilterToken Status: Not hooked #: 076 Function Name: NtFindAtom Status: Not hooked #: 077 Function Name: NtFlushBuffersFile Status: Not hooked #: 078 Function Name: NtFlushInstructionCache Status: Not hooked #: 079 Function Name: NtFlushKey Status: Not hooked #: 080 Function Name: NtFlushVirtualMemory Status: Not hooked #: 081 Function Name: NtFlushWriteBuffer Status: Not hooked #: 082 Function Name: NtFreeUserPhysicalPages Status: Not hooked #: 083 Function Name: NtFreeVirtualMemory Status: Not hooked #: 084 Function Name: NtFsControlFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf225fa #: 085 Function Name: NtGetContextThread Status: Not hooked #: 086 Function Name: NtGetDevicePowerState Status: Not hooked #: 087 Function Name: NtGetPlugPlayEvent Status: Not hooked #: 088 Function Name: NtGetWriteWatch Status: Not hooked #: 089 Function Name: NtImpersonateAnonymousToken Status: Not hooked #: 090 Function Name: NtImpersonateClientOfPort Status: Not hooked #: 091 Function Name: NtImpersonateThread Status: Not hooked #: 092 Function Name: NtInitializeRegistry Status: Not hooked #: 093 Function Name: NtInitiatePowerAction Status: Not hooked #: 094 Function Name: NtIsProcessInJob Status: Not hooked #: 095 Function Name: NtIsSystemResumeAutomatic Status: Not hooked #: 096 Function Name: NtListenPort Status: Not hooked #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf23ea8 #: 098 Function Name: NtLoadKey Status: Not hooked #: 099 Function Name: NtLoadKey2 Status: Not hooked #: 100 Function Name: NtLockFile Status: Not hooked #: 101 Function Name: NtLockProductActivationKeys Status: Not hooked #: 102 Function Name: NtLockRegistryKey Status: Not hooked #: 103 Function Name: NtLockVirtualMemory Status: Not hooked #: 104 Function Name: NtMakePermanentObject Status: Not hooked #: 105 Function Name: NtMakeTemporaryObject Status: Not hooked #: 106 Function Name: NtMapUserPhysicalPages Status: Not hooked #: 107 Function Name: NtMapUserPhysicalPagesScatter Status: Not hooked #: 108 Function Name: NtMapViewOfSection Status: Not hooked #: 109 Function Name: NtModifyBootEntry Status: Not hooked #: 110 Function Name: NtNotifyChangeDirectoryFile Status: Not hooked #: 111 Function Name: NtNotifyChangeKey Status: Not hooked #: 112 Function Name: NtNotifyChangeMultipleKeys Status: Not hooked #: 113 Function Name: NtOpenDirectoryObject Status: Not hooked #: 114 Function Name: NtOpenEvent Status: Not hooked #: 115 Function Name: NtOpenEventPair Status: Not hooked #: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf22294 #: 117 Function Name: NtOpenIoCompletion Status: Not hooked #: 118 Function Name: NtOpenJobObject Status: Not hooked #: 119 Function Name: NtOpenKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf2034a #: 120 Function Name: NtOpenMutant Status: Not hooked #: 121 Function Name: NtOpenObjectAuditAlarm Status: Not hooked #: 122 Function Name: NtOpenProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20c40 #: 123 Function Name: NtOpenProcessToken Status: Not hooked #: 124 Function Name: NtOpenProcessTokenEx Status: Not hooked #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf2440e #: 126 Function Name: NtOpenSemaphore Status: Not hooked #: 127 Function Name: NtOpenSymbolicLinkObject Status: Not hooked #: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20b96 #: 129 Function Name: NtOpenThreadToken Status: Not hooked #: 130 Function Name: NtOpenThreadTokenEx Status: Not hooked #: 131 Function Name: NtOpenTimer Status: Not hooked #: 132 Function Name: NtPlugPlayControl Status: Not hooked #: 133 Function Name: NtPowerInformation Status: Not hooked #: 134 Function Name: NtPrivilegeCheck Status: Not hooked #: 135 Function Name: NtPrivilegeObjectAuditAlarm Status: Not hooked #: 136 Function Name: NtPrivilegedServiceAuditAlarm Status: Not hooked #: 137 Function Name: NtProtectVirtualMemory Status: Not hooked #: 138 Function Name: NtPulseEvent Status: Not hooked #: 139 Function Name: NtQueryAttributesFile Status: Not hooked #: 140 Function Name: NtQueryBootEntryOrder Status: Not hooked #: 141 Function Name: NtQueryBootOptions Status: Not hooked #: 142 Function Name: NtQueryDebugFilterState Status: Not hooked #: 143 Function Name: NtQueryDefaultLocale Status: Not hooked #: 144 Function Name: NtQueryDefaultUILanguage Status: Not hooked #: 145 Function Name: NtQueryDirectoryFile Status: Not hooked #: 146 Function Name: NtQueryDirectoryObject Status: Not hooked #: 147 Function Name: NtQueryEaFile Status: Not hooked #: 148 Function Name: NtQueryEvent Status: Not hooked #: 149 Function Name: NtQueryFullAttributesFile Status: Not hooked #: 150 Function Name: NtQueryInformationAtom Status: Not hooked #: 151 Function Name: NtQueryInformationFile Status: Not hooked #: 152 Function Name: NtQueryInformationJobObject Status: Not hooked #: 153 Function Name: NtQueryInformationPort Status: Not hooked #: 154 Function Name: NtQueryInformationProcess Status: Not hooked #: 155 Function Name: NtQueryInformationThread Status: Not hooked #: 156 Function Name: NtQueryInformationToken Status: Not hooked #: 157 Function Name: NtQueryInstallUILanguage Status: Not hooked #: 158 Function Name: NtQueryIntervalProfile Status: Not hooked #: 159 Function Name: NtQueryIoCompletion Status: Not hooked #: 160 Function Name: NtQueryKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20a10 #: 161 Function Name: NtQueryMultipleValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20714 #: 162 Function Name: NtQueryMutant Status: Not hooked #: 163 Function Name: NtQueryObject Status: Not hooked #: 164 Function Name: NtQueryOpenSubKeys Status: Not hooked #: 165 Function Name: NtQueryPerformanceCounter Status: Not hooked #: 166 Function Name: NtQueryQuotaInformationFile Status: Not hooked #: 167 Function Name: NtQuerySection Status: Not hooked #: 168 Function Name: NtQuerySecurityObject Status: Not hooked #: 169 Function Name: NtQuerySemaphore Status: Not hooked #: 170 Function Name: NtQuerySymbolicLinkObject Status: Not hooked #: 171 Function Name: NtQuerySystemEnvironmentValue Status: Not hooked #: 172 Function Name: NtQuerySystemEnvironmentValueEx Status: Not hooked #: 173 Function Name: NtQuerySystemInformation Status: Not hooked #: 174 Function Name: NtQuerySystemTime Status: Not hooked #: 175 Function Name: NtQueryTimer Status: Not hooked #: 176 Function Name: NtQueryTimerResolution Status: Not hooked #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf204f2 #: 178 Function Name: NtQueryVirtualMemory Status: Not hooked #: 179 Function Name: NtQueryVolumeInformationFile Status: Not hooked #: 180 Function Name: NtQueueApcThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf24110 #: 181 Function Name: NtRaiseException Status: Not hooked #: 182 Function Name: NtRaiseHardError Status: Not hooked #: 183 Function Name: NtReadFile Status: Not hooked #: 184 Function Name: NtReadFileScatter Status: Not hooked #: 185 Function Name: NtReadRequestData Status: Not hooked #: 186 Function Name: NtReadVirtualMemory Status: Not hooked #: 187 Function Name: NtRegisterThreadTerminatePort Status: Not hooked #: 188 Function Name: NtReleaseMutant Status: Not hooked #: 189 Function Name: NtReleaseSemaphore Status: Not hooked #: 190 Function Name: NtRemoveIoCompletion Status: Not hooked #: 191 Function Name: NtRemoveProcessDebug Status: Not hooked #: 192 Function Name: NtRenameKey Status: Not hooked #: 193 Function Name: NtReplaceKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf1fe6a #: 194 Function Name: NtReplyPort Status: Not hooked #: 195 Function Name: NtReplyWaitReceivePort Status: Not hooked #: 196 Function Name: NtReplyWaitReceivePortEx Status: Not hooked #: 197 Function Name: NtReplyWaitReplyPort Status: Not hooked #: 198 Function Name: NtRequestDeviceWakeup Status: Not hooked #: 199 Function Name: NtRequestPort Status: Not hooked #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf2330c #: 201 Function Name: NtRequestWakeupLatency Status: Not hooked #: 202 Function Name: NtResetEvent Status: Not hooked #: 203 Function Name: NtResetWriteWatch Status: Not hooked #: 204 Function Name: NtRestoreKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf1ffcc #: 205 Function Name: NtResumeProcess Status: Not hooked #: 206 Function Name: NtResumeThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf247c0 #: 207 Function Name: NtSaveKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf1fc68 #: 208 Function Name: NtSaveKeyEx Status: Not hooked #: 209 Function Name: NtSaveMergedKeys Status: Not hooked #: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf22924 #: 211 Function Name: NtSetBootEntryOrder Status: Not hooked #: 212 Function Name: NtSetBootOptions Status: Not hooked #: 213 Function Name: NtSetContextThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20f18 #: 214 Function Name: NtSetDebugFilterState Status: Not hooked #: 215 Function Name: NtSetDefaultHardErrorPort Status: Not hooked #: 216 Function Name: NtSetDefaultLocale Status: Not hooked #: 217 Function Name: NtSetDefaultUILanguage Status: Not hooked #: 218 Function Name: NtSetEaFile Status: Not hooked #: 219 Function Name: NtSetEvent Status: Not hooked #: 220 Function Name: NtSetEventBoostPriority Status: Not hooked #: 221 Function Name: NtSetHighEventPair Status: Not hooked #: 222 Function Name: NtSetHighWaitLowEventPair Status: Not hooked #: 223 Function Name: NtSetInformationDebugObject Status: Not hooked #: 224 Function Name: NtSetInformationFile Status: Not hooked #: 225 Function Name: NtSetInformationJobObject Status: Not hooked #: 226 Function Name: NtSetInformationKey Status: Not hooked #: 227 Function Name: NtSetInformationObject Status: Not hooked #: 228 Function Name: NtSetInformationProcess Status: Not hooked #: 229 Function Name: NtSetInformationThread Status: Not hooked #: 230 Function Name: NtSetInformationToken Status: Not hooked #: 231 Function Name: NtSetIntervalProfile Status: Not hooked #: 232 Function Name: NtSetIoCompletion Status: Not hooked #: 233 Function Name: NtSetLdtEntries Status: Not hooked #: 234 Function Name: NtSetLowEventPair Status: Not hooked #: 235 Function Name: NtSetLowWaitHighEventPair Status: Not hooked #: 236 Function Name: NtSetQuotaInformationFile Status: Not hooked #: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf23fa2 #: 238 Function Name: NtSetSystemEnvironmentValue Status: Not hooked #: 239 Function Name: NtSetSystemEnvironmentValueEx Status: Not hooked #: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf24438 #: 241 Function Name: NtSetSystemPowerState Status: Not hooked #: 242 Function Name: NtSetSystemTime Status: Not hooked #: 243 Function Name: NtSetThreadExecutionState Status: Not hooked #: 244 Function Name: NtSetTimer Status: Not hooked #: 245 Function Name: NtSetTimerResolution Status: Not hooked #: 246 Function Name: NtSetUuidSeed Status: Not hooked #: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf203a0 #: 248 Function Name: NtSetVolumeInformationFile Status: Not hooked #: 249 Function Name: NtShutdownSystem Status: Not hooked #: 250 Function Name: NtSignalAndWaitForSingleObject Status: Not hooked #: 251 Function Name: NtStartProfile Status: Not hooked #: 252 Function Name: NtStopProfile Status: Not hooked #: 253 Function Name: NtSuspendProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf2451c #: 254 Function Name: NtSuspendThread Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf24648 #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf23dd4 #: 256 Function Name: NtTerminateJobObject Status: Not hooked #: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20cea #: 258 Function Name: NtTerminateThread Status: Not hooked #: 259 Function Name: NtTestAlert Status: Not hooked #: 260 Function Name: NtTraceEvent Status: Not hooked #: 261 Function Name: NtTranslateFilePath Status: Not hooked #: 262 Function Name: NtUnloadDriver Status: Not hooked #: 263 Function Name: NtUnloadKey Status: Not hooked #: 264 Function Name: NtUnloadKeyEx Status: Not hooked #: 265 Function Name: NtUnlockFile Status: Not hooked #: 266 Function Name: NtUnlockVirtualMemory Status: Not hooked #: 267 Function Name: NtUnmapViewOfSection Status: Not hooked #: 268 Function Name: NtVdmControl Status: Not hooked #: 269 Function Name: NtWaitForDebugEvent Status: Not hooked #: 270 Function Name: NtWaitForMultipleObjects Status: Not hooked #: 271 Function Name: NtWaitForSingleObject Status: Not hooked #: 272 Function Name: NtWaitHighEventPair Status: Not hooked #: 273 Function Name: NtWaitLowEventPair Status: Not hooked #: 274 Function Name: NtWriteFile Status: Not hooked #: 275 Function Name: NtWriteFileGather Status: Not hooked #: 276 Function Name: NtWriteRequestData Status: Not hooked #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xedf20d5c #: 278 Function Name: NtYieldExecution Status: Not hooked #: 279 Function Name: NtCreateKeyedEvent Status: Not hooked #: 280 Function Name: NtOpenKeyedEvent Status: Not hooked #: 281 Function Name: NtReleaseKeyedEvent Status: Not hooked #: 282 Function Name: NtWaitForKeyedEvent Status: Not hooked #: 283 Function Name: NtQueryPortInformationProcess Status: Not hooked