Mischel Internet Security Forum » TrojanHunter » TrojanHunter Guard
(Moderators: Helena, Gavin_Coe, Magnus)
Topic: MadCodeHook injection driver (Read 1392 times)

Brian49 (Junior Member, Posts: 71)
MadCodeHook injection driver
« on: Jul 10th, 2007, 12:51pm »

Does TH Guard by any chance make use of the MadCodeHook injection driver, please? I'm trying to figure out why, on startup of my Vista system, the event log shows an audit failure on a file named mchInjDrv.sys, which supposedly resides in C:\Windows\System32\Drivers but which I can't in fact find there. I read elsewhere that some security software programs make legitimate use of this driver, and am wondering whether TH might be one such program. A more specific piece of evidence is that no such event log entry appears if I set TH Guard not to load on Windows startup, but an entry does appear immediately if I then load TH Guard manually. As far as I know, my system is free of any kind of malware. Many thanks.
« Last Edit: Jul 10th, 2007, 1:38pm by Brian49 »

siliconman01 (Global Moderator, Posts: 5270)
Re: MadCodeHook injection driver
« Reply #1 on: Jul 10th, 2007, 1:48pm »

Yes, TrojanHunter uses mchInjDrv.sys for injection and self protection.  I assume you are using the new TH V4.7.932 for Vista.  Previous versions of TH also use this injection code.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Brian49 (Junior Member, Posts: 71)
Re: MadCodeHook injection driver
« Reply #2 on: Jul 10th, 2007, 2:49pm »

Thanks for responding. Yes, I'm using the latest version. In which case, perhaps Magnus would very kindly take note of the audit failure I've mentioned, and see if anything can be done about it, please. I can of course provide a copy of the full event log entry if it would help. I also of course appreciate that the audit failure may not be a TH-specific issue.
« Last Edit: Jul 10th, 2007, 2:50pm by Brian49 »

siliconman01 (Global Moderator, Posts: 5270)
Re: MadCodeHook injection driver
« Reply #3 on: Jul 10th, 2007, 11:38pm »

Quote:
I can of course provide a copy of the full event log entry if it would help.

Please provide.  Either post it here or email it to Magnus at support@misec.net.  If you email it, reference this post so that Magnus will know you have posted on the forum.

Brian49 (Junior Member, Posts: 71)
Re: MadCodeHook injection driver
« Reply #4 on: Jul 11th, 2007, 3:26am »

Here it is:
 
Log Name: Security
Source:   Microsoft-Windows-Security-Auditing
Date:     10/07/2007 09:21:13
Event ID: 5038
Task Category: System Integrity
Level:    Information
Keywords: Audit Failure
User:     N/A
Computer: Brian49-PC
Description:
Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
 
File Name:\Device\HarddiskVolume3\Windows\System32\drivers\mchInjDrv.sys
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5038</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2007-07-10T08:21:13.241Z" />
    <EventRecordID>30960</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="48" />
    <Channel>Security</Channel>
    <Computer>Brian49-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\mchInjDrv.sys</Data>
  </EventData>
</Event>
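The record above is the kind of thing a defender wants to triage in bulk rather than read one at a time: which image paths does Code Integrity keep rejecting, and how often? The script below is an added example written for this page; it is not code from the thread, from Mischel or from the TrojanHunter project. It parses Security-log records in the XML shape shown above, keeps only Event ID 5038 records whose Keywords carry the Audit Failure bit, and groups them by the `param1` image path. The sample input is constructed: it repeats the thread's record for two startups, adds a hypothetical `other_driver.sys` 5038 record so there is something to separate, and includes an unrelated 4624 logon record to show the filter at work. The value of the Audit Failure keyword bit (0x0010000000000000) is the one Microsoft documents for the Security channel.

```python
# Added example (not from the forum thread or from Mischel/TrojanHunter): triage
# exported Security-log XML for Event ID 5038 "image hash is not valid" records and
# group them by the image path the event names, so repeated failures for one driver
# stand out from a one-off disk problem or a second unsigned driver.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CODE_INTEGRITY_HASH_INVALID = 5038      # "Code integrity determined that the image hash ... is not valid"
AUDIT_FAILURE_BIT = 0x0010000000000000  # set in <Keywords> of Security-channel Audit Failure records
# \Device\HarddiskVolumeN\ is a kernel object path, not a drive letter; strip it to
# get a volume-relative path that can be cross-checked against the file system.
DEVICE_PREFIX = re.compile(r"^\\Device\\HarddiskVolume\d+\\", re.IGNORECASE)

# Constructed sample: the thread's record (twice, two startups), a second 5038 for a
# hypothetical other_driver.sys, and an unrelated 4624 logon-success record.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5038</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2007-07-10T08:21:13.241Z" />
    <Computer>Brian49-PC</Computer>
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\mchInjDrv.sys</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5038</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2007-07-11T07:02:40.118Z" />
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\mchInjDrv.sys</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5038</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2007-07-11T07:02:41.500Z" />
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\other_driver.sys</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2007-07-11T07:03:00.000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">Brian49</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Return the <Event> elements from a single record or from any wrapper element."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Event" % NS["e"]:
        return [root]
    return root.findall("e:Event", NS)


def is_ci_hash_failure(event):
    """True for an Audit Failure record with Event ID 5038."""
    system = event.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", default="0", namespaces=NS))
    keywords = int(system.findtext("e:Keywords", default="0", namespaces=NS), 16)
    return event_id == CODE_INTEGRITY_HASH_INVALID and bool(keywords & AUDIT_FAILURE_BIT)


def flagged_image(event):
    """The image path Code Integrity rejected, carried in EventData param1."""
    data = event.find("e:EventData/e:Data[@Name='param1']", NS)
    return data.text.strip() if data is not None and data.text else None


def strip_device_prefix(path):
    """Drop the kernel volume prefix; paths without one are returned unchanged."""
    return DEVICE_PREFIX.sub("", path)


def summarize(xml_text):
    """Map each flagged image path to the timestamps of its 5038 failures, in log order."""
    hits = {}
    for event in parse_events(xml_text):
        if not is_ci_hash_failure(event):
            continue
        when = event.find("e:System/e:TimeCreated", NS).get("SystemTime")
        hits.setdefault(flagged_image(event), []).append(when)
    return hits


if __name__ == "__main__":
    for path, stamps in summarize(SAMPLE_EVENTS).items():
        print(f"{len(stamps):3d}x  {strip_device_prefix(path)}  (first seen {stamps[0]})")
```

On a live system the records can be exported with `wevtutil qe Security /q:"*[System[(EventID=5038)]]" /f:xml`, which emits a bare sequence of `<Event>` elements; wrap them in any root element before feeding them to `summarize`. The device-prefix helper is there because `HarddiskVolume3` is not guaranteed to be the `C:` volume, which is one reason a file named in the event may not be where you first look for it.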

siliconman01 (Global Moderator, Posts: 5270)
Re: MadCodeHook injection driver
« Reply #5 on: Jul 11th, 2007, 3:42am »

In your security audit are you seeing failures for anything other than this service?

Brian49 (Junior Member, Posts: 71)
Re: MadCodeHook injection driver
« Reply #6 on: Jul 11th, 2007, 5:32am »

Only for one other item, relating to a program called WebDrive, which I've taken up with the developer. It doesn't involve the MadCodeHook driver, which, as far as I can see, is only invoked by TrojanHunter.
« Last Edit: Jul 11th, 2007, 5:33am by Brian49 »

siliconman01 (Global Moderator, Posts: 5270)
Re: MadCodeHook injection driver
« Reply #7 on: Jul 11th, 2007, 5:41am »

Okay, I'll email Magnus and ask him to provide his expertise on this.  You can email him also at support@misec.net.

siliconman01 (Global Moderator, Posts: 5270)
Re: MadCodeHook injection driver
« Reply #8 on: Jul 12th, 2007, 9:49am »

Do you happen to have any component of TrojanHunter (TrojanHunter scanner, LiveUpdate, or THGuard) being started up via the Task Scheduler?  If you do, set it to "Run with Highest Privileges" in the Task Scheduler.  I think that will resolve your problem.

Brian49 (Junior Member, Posts: 71)
Re: MadCodeHook injection driver
« Reply #9 on: Jul 12th, 2007, 11:08am »

No, I don't, so that doesn't take us very far, I'm afraid. In any case, it's hard to see how that could be relevant to the issue as described.
« Last Edit: Jul 12th, 2007, 11:37am by Brian49 »

doubledown (Full Member, Posts: 142)
Re: MadCodeHook injection driver
« Reply #10 on: Jul 13th, 2007, 5:30am »

Doesn't sound like much of an issue to me ... just another deeply obfuscatory Windows "error" message ... big deal, huh?

Brian49 (Junior Member, Posts: 71)
Re: MadCodeHook injection driver
« Reply #11 on: Jul 13th, 2007, 9:02am »

I'm perfectly capable of judging the relative importance of things for myself, thank you. If a security issue, however small, arises in relation to a file which is invoked only by a particular program, it makes sense to draw it to the developer's attention. All the more so when that program is itself a security program.
« Last Edit: Jul 13th, 2007, 9:10am by Brian49 »

siliconman01 (Global Moderator, Posts: 5270)
Re: MadCodeHook injection driver
« Reply #12 on: Jul 13th, 2007, 9:19am »

This link appears to have a logical explanation.

http://www.eventid.net/display.asp?eventid=5038&eventno=8922&source=Microsoft-Windows-Security-Auditing&phase=1

Quote:
This behavior happens in Vista when a driver is not digitally signed.

Brian49 (Junior Member, Posts: 71)
Re: MadCodeHook injection driver
« Reply #13 on: Jul 13th, 2007, 11:31am »

That makes some sense, although it's worth noting that the quoted statement on EventID.Net comes from an anonymous commentator, so we have no way of knowing whether it's correct. However, just in case they are on to something, perhaps Magnus could raise the question of driver signing with the driver's author, please (the approach would carry more weight coming from him than from me). By the way, when I tried previously to find an answer on EventID.Net I was told that I would first have to pay a subscription. There's no information about this type of event on the Microsoft website. I'm making the assumption that Magnus will wish TrojanHunter not to fall foul of any Windows security checks if it can be avoided.
« Last Edit: Jul 13th, 2007, 12:36pm by Brian49 »

siliconman01 (Global Moderator, Posts: 5270)
Re: MadCodeHook injection driver
« Reply #14 on: Jul 14th, 2007, 12:20am »

Quote:
I'm making the assumption that Magnus will wish TrojanHunter not to fall foul of any Windows security checks if it can be avoided.

Yes, I agree with you totally.  I am contacting Magnus again on this.  The same issue occurs on the three drivers in SAS PRO.  I have contacted the developer there too.

Quote:
There's no information about this type of event on the Microsoft website.

I haven't found much info on errors on the MS concerning Vista either.  Guess there are a few years of documentation catch-up to occur.