Hi Kyle,
It is the Identity component, which handles behavioral detection, etc.
Thanks
This report is from OSHI UNHOOKER:
<Patch Name="0x1647" Size="1" Section=".text" RVA="0x1647" MemoryCode="B5960300FF15C71A" FileCode="85960300FF15CF1A"/>
<Patch Name="0x164B" Size="3" TargetName="KeAcquireGuardedMutex" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293F44D00" Section=".text" RVA="0x164B" Type="Inline hook"/>
<Patch Name="0x1653" Size="1" Section=".text" RVA="0x1653" MemoryCode="8896030000488D0D" FileCode="5896030000488D0D"/>
<Patch Name="0x165B" Size="1" Section=".text" RVA="0x165B" MemoryCode="A19603007526C605" FileCode="719603007526C605"/>
<Patch Name="0x1663" Size="1" Section=".text" RVA="0x1663" MemoryCode="7896030001FF15A2" FileCode="4896030001FF15AA"/>
<Patch Name="0x1668" Size="3" TargetName="KeReleaseGuardedMutex" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EAFF10" Section=".text" RVA="0x1668" Type="Inline hook"/>
<Patch Name="0x1674" Size="2" Section=".text" RVA="0x1674" MemoryCode="D8920000458D4101" FileCode="E8980000458D4101"/>
<Patch Name="0x1682" Size="5" TargetName="0x27B60" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF80001827B60" Section=".text" RVA="0x1682" Type="Inline hook"/>
<Patch Name="0x1687" Size="3" Section=".text" RVA="0x1687" MemoryCode="E9D9640200FF1583" FileCode="FF158B1A0300488D"/>
<Patch Name="0x1690" Size="1" Section=".text" RVA="0x1690" MemoryCode="549603004533C033" FileCode="249603004533C033"/>
<Patch Name="0x169E" Size="3" TargetName="KeSetEvent" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293ECE490" Section=".text" RVA="0x169E" Type="Inline hook"/>
<Patch Name="0x16C1" Size="2" Section=".text" RVA="0x16C1" MemoryCode="6BC30300488BD948" FileCode="93A00300488BD948"/>
<Patch Name="0x16DA" Size="1" Section=".text" RVA="0x16DA" MemoryCode="521E0300BA770000" FileCode="321E0300BA770000"/>
<Patch Name="0x16E3" Size="3" TargetName="0x5080" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF80001805080" Section=".text" RVA="0x16E3" Type="Inline hook"/>
<Patch Name="0x16F1" Size="2" Section=".text" RVA="0x16F1" MemoryCode="2B9E03004533C945" FileCode="ABA003004533C945"/>
<Patch Name="0x170C" Size="3" TargetName="0x24F80" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF80001824F80" Section=".text" RVA="0x170C" Type="Inline hook"/>
<Patch Name="0x171A" Size="2" Section=".text" RVA="0x171A" MemoryCode="029E030033D2FF15" FileCode="82A0030033D2FF15"/>
<Patch Name="0x1734" Size="2" Section=".text" RVA="0x1734" MemoryCode="F8C203004885C074" FileCode="20A003004885C074"/>
<Patch Name="0x174A" Size="1" Section=".text" RVA="0x174A" MemoryCode="E21D0300BA8D0000" FileCode="C21D0300BA8D0000"/>
<Patch Name="0x1753" Size="3" TargetName="0x5080" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF80001805080" Section=".text" RVA="0x1753" Type="Inline hook"/>
<Patch Name="0x178C" Size="2" Section=".text" RVA="0x178C" MemoryCode="A0C20300410FB6F1" FileCode="C89F0300410FB6F1"/>
<Patch Name="0x17BC" Size="1" Section=".text" RVA="0x17BC" MemoryCode="C01D0300488D05C9" FileCode="A01D0300488D05A9"/>
<Patch Name="0x17C3" Size="1" Section=".text" RVA="0x17C3" MemoryCode="C91D0300BAA30000" FileCode="A91D0300BAA30000"/>
<Patch Name="0x17D9" Size="1" Section=".text" RVA="0x17D9" MemoryCode="531D030041B8A086" FileCode="331D030041B8A086"/>
<Patch Name="0x17E6" Size="5" TargetVA="0xFFFFF8004385A333" Section=".text" RVA="0x17E6" Type="Inline hook"/>
<Patch Name="0x17EB" Size="1" Section=".text" RVA="0x17EB" MemoryCode="E8488B0542C20300" FileCode="9F0300C74424380E"/>
<Patch Name="0x1807" Size="3" TargetName="0x287D0" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF800018287D0" Section=".text" RVA="0x1807" Type="Inline hook"/>
<Patch Name="0x182A" Size="2" Section=".text" RVA="0x182A" MemoryCode="02C203004885C074" FileCode="2A9F03004885C074"/>
<Patch Name="0x1840" Size="1" Section=".text" RVA="0x1840" MemoryCode="EC1C0300BAA80000" FileCode="CC1C0300BAA80000"/>
<Patch Name="0x1849" Size="3" TargetName="0x5130" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF80001805130" Section=".text" RVA="0x1849" Type="Inline hook"/>
<Patch Name="0x1874" Size="3" TargetName="0x27B60" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF80001827B60" Section=".text" RVA="0x1874" Type="Inline hook"/>
<Patch Name="0x1882" Size="2" Section=".text" RVA="0x1882" MemoryCode="AAC103004885C974" FileCode="D29E03004885C974"/>
<Patch Name="0x18A5" Size="2" Section=".text" RVA="0x18A5" MemoryCode="87C10300C7442438" FileCode="AF9E0300C7442438"/>
<Patch Name="0x18B9" Size="1" Section=".text" RVA="0x18B9" MemoryCode="731C0300BAB60000" FileCode="531C0300BAB60000"/>
<Patch Name="0x18DC" Size="3" TargetName="0x287D0" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF800018287D0" Section=".text" RVA="0x18DC" Type="Inline hook"/>
<Patch Name="0x1916" Size="1" Section=".text" RVA="0x1916" MemoryCode="3E93030083F8050F" FileCode="0E93030083F8050F"/>
<Patch Name="0x1925" Size="1" Section=".text" RVA="0x1925" MemoryCode="32930300010F8389" FileCode="02930300010F8389"/>
<Patch Name="0x1933" Size="2" Section=".text" RVA="0x1933" MemoryCode="F9C003004885C074" FileCode="219E03004885C074"/>
<Patch Name="0x1948" Size="2" Section=".text" RVA="0x1948" MemoryCode="10930300C7442458" FileCode="E0920300C7442458"/>
<Patch Name="0x1957" Size="1" Section=".text" RVA="0x1957" MemoryCode="D51B030089442450" FileCode="B51B030089442450"/>
<Patch Name="0x1961" Size="1" Section=".text" RVA="0x1961" MemoryCode="F3920300C7442448" FileCode="C3920300C7442448"/>
<Patch Name="0x1974" Size="2" Section=".text" RVA="0x1974" MemoryCode="B8C00300C7442438" FileCode="E09D0300C7442438"/>
<Patch Name="0x19A4" Size="3" TargetName="0x287D0" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF800018287D0" Section=".text" RVA="0x19A4" Type="Inline hook"/>
<Patch Name="0x19BD" Size="3" TargetName="0x1DDB0" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF8000181DDB0" Section=".text" RVA="0x19BD" Type="Inline hook"/>
<Patch Name="0x19D3" Size="1511" Section=".text" RVA="0x19D3" MemoryCode="83EC5033C9E853D3" FileCode="81EC8000000033C9"/>
<Patch Name="0x1FCA" Size="1" Section=".text" RVA="0x1FCA" MemoryCode="62150300448BCEBA" FileCode="42150300448BCEBA"/>
<Patch Name="0x1FD2" Size="1" Section=".text" RVA="0x1FD2" MemoryCode="BF01000041B8801A" FileCode="8B01000041B8801A"/>
<Patch Name="0x1FE6" Size="5" TargetName="0x287D0" TargetModulePath="C:\WINDOWS\system32\DRIVERS\avgidsdrivera.sys" TargetModuleName="avgidsdrivera.sys" TargetVA="0xFFFFF800018287D0" Section=".text" RVA="0x1FE6" Type="Inline hook"/>
<Patch Name="0x1FEB" Size="677" Section=".text" RVA="0x1FEB" MemoryCode="E8E5670200488B0D" FileCode="E8F07F0100488B5C"/>
<Patch Name="0x22A1" Size="7015" Section=".text" RVA="0x22A1" MemoryCode="83EC38448B4A1841" FileCode="895C240848896C24"/>
<Patch Name="0x3E0D" Size="2" Section=".text" RVA="0x3E0D" MemoryCode="2F70030048890520" FileCode="976E030048890588"/>
<Patch Name="0x3E14" Size="5727" Section=".text" RVA="0x3E14" MemoryCode="20700300448825C1" FileCode="886E0300488D05E9"/>
<Patch Name="0x5480" Size="555" Section=".text" RVA="0x5480" MemoryCode="48895C241848896C" FileCode="E9BBFDFFFFCCCCCC"/>
<Patch Name="0x56B0" Size="315" Section=".text" RVA="0x56B0" MemoryCode="48895C2408574883" FileCode="CCCCCCCCCCCCCCCC"/>
<Patch Name="0x57F0" Size="3962" Section=".text" RVA="0x57F0" MemoryCode="4883EC28488B0D2D" FileCode="CCCCCCCCCCCCCCCC"/>
<Patch Name="0x6770" Size="13148" Section=".text" RVA="0x6770" MemoryCode="48895C241048894C" FileCode="4055415641574881"/>
<Patch Name="0x9AD3" Size="10268" Section=".text" RVA="0x9AD3" MemoryCode="89442468488B0552" FileCode="48898424A8000000"/>
<Patch Name="0xC2F6" Size="17901" Section=".text" RVA="0xC2F6" MemoryCode="01895DA848895DB0" FileCode="004C8B6D7833DB4D"/>
<Patch Name="0x108E8" Size="6" TargetName="ExAcquireResourceExclusiveLite" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EB9C60" Section=".text" RVA="0x108E8" Type="Inline hook"/>
<Patch Name="0x108EE" Size="12585" Section=".text" RVA="0x108EE" MemoryCode="FF15CA280200EB15" FileCode="4424788B03C74424"/>
<Patch Name="0x13A20" Size="1197" Section=".text" RVA="0x13A20" MemoryCode="B8540001E0C3CCCC" FileCode="48895C240848896C"/>
<Patch Name="0x13ED2" Size="1941" Section=".text" RVA="0x13ED2" MemoryCode="484883C4205DC3CC" FileCode="30488B742438488B"/>
<Patch Name="0x14670" Size="2500" Section=".text" RVA="0x14670" MemoryCode="4889542410555641" FileCode="4C8BDC4883EC6883"/>
<Patch Name="0x15039" Size="20793" Section=".text" RVA="0x15039" MemoryCode="180100004885C90F" FileCode="80000000FF157DE0"/>
<Patch Name="0x1A177" Size="4249" Section=".text" RVA="0x1A177" MemoryCode="842488000000488D" FileCode="442430448D4F0148"/>
<Patch Name="0x1B215" Size="3374" Section=".text" RVA="0x1B215" MemoryCode="9C2470010000488B" FileCode="F04885C00F84DA00"/>
<Patch Name="0x1BF50" Size="7427" Section=".text" RVA="0x1BF50" MemoryCode="4885C97424534883" FileCode="4C8BDC53574883EC"/>
<Patch Name="0x1DC59" Size="2569" Section=".text" RVA="0x1DC59" MemoryCode="81F9220000C00F84" FileCode="48897C2460488D58"/>
<Patch Name="0x1E674" Size="8089" Section=".text" RVA="0x1E674" MemoryCode="0848897424104889" FileCode="1848896C24205741"/>
<Patch Name="0x20620" Size="1079" Section=".text" RVA="0x20620" MemoryCode="4885C90F84B60000" FileCode="40534881ECD00000"/>
<Patch Name="0x20A62" Size="10569" Section=".text" RVA="0x20A62" MemoryCode="7424185741564157" FileCode="5C24104C89442418"/>
<Patch Name="0x233B0" Size="24539" Section=".text" RVA="0x233B0" MemoryCode="CCCCCCCCCCCCCCCC" FileCode="448844241848894C"/>
<Patch Name="0x29390" Size="18017" Section=".text" RVA="0x29390" MemoryCode="CCCCCCCCCCCCCCCC" FileCode="4885C90F84B80000"/>
<Patch Name="0x2DA01" Size="4824" Section=".text" RVA="0x2DA01" MemoryCode="565741564883EC50" FileCode="534883EC20498BD8"/>
<Patch Name="0x2ECE0" Size="2" Section=".text" RVA="0x2ECE0" MemoryCode="C8000000FFCA0F84" FileCode="23010000FFCA0F85"/>
<Patch Name="0x2ECE7" Size="9168" Section=".text" RVA="0x2ECE7" MemoryCode="84E5000000FFCA0F" FileCode="85550200000FB60B"/>
<Patch Name="0x310C4" Size="4801" Section=".text" RVA="0x310C4" MemoryCode="1048897424185548" FileCode="08574883EC20488B"/>
<Patch Name="ntoskrnl.exe!ExDeleteResourceLite" Size="8" TargetName="IoCreateSymbolicLink" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF8029434B1B8" Section=".rdata" RVA="0x330D8" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!IoCreateSymbolicLink" Size="8" TargetName="PsGetCurrentThreadProcessId" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EB72C8" Section=".rdata" RVA="0x330E0" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!PsGetCurrentProcessId" Size="8" TargetName="RtlCopyUnicodeString" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EF8E5C" Section=".rdata" RVA="0x330E8" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!RtlCopyUnicodeString" Size="8" TargetName="ObfDereferenceObject" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EF1FD0" Section=".rdata" RVA="0x330F0" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!ObfDereferenceObject" Size="8" TargetName="IoCreateDevice" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80294303914" Section=".rdata" RVA="0x330F8" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!IoCreateDevice" Size="8" TargetName="ZwOpenKey" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293FD6C60" Section=".rdata" RVA="0x33100" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!ZwOpenKey" Size="8" TargetName="KeAcquireSpinLockRaiseToDpc" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293F1F270" Section=".rdata" RVA="0x33108" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!KeAcquireSpinLockRaiseToDpc" Size="8" TargetName="KeReleaseGuardedMutex" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EAFF10" Section=".rdata" RVA="0x33110" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!ExReleaseFastMutex" Size="8" TargetName="KeAcquireGuardedMutex" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293F44D00" Section=".rdata" RVA="0x33118" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!ExAcquireFastMutex" Size="8" TargetName="KeSetEvent" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293ECE490" Section=".rdata" RVA="0x33120" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!KeSetEvent" Size="8" TargetName="ExDeleteResourceLite" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293F447B0" Section=".rdata" RVA="0x33128" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!RtlUpcaseUnicodeString" Size="8" TargetName="ExAcquireResourceExclusiveLite" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EB9C60" Section=".rdata" RVA="0x331B8" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!_vsnwprintf" Size="8" TargetName="RtlUpcaseUnicodeString" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF802942E465C" Section=".rdata" RVA="0x331C0" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!RtlPrefixUnicodeString" Size="8" TargetName="KeLeaveCriticalRegion" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EF3D60" Section=".rdata" RVA="0x331C8" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!PsSetLoadImageNotifyRoutine" Size="8" TargetName="RtlEqualUnicodeString" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80294297D84" Section=".rdata" RVA="0x331D0" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!PsRemoveLoadImageNotifyRoutine" Size="8" TargetName="KeEnterCriticalRegion" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293F3AD10" Section=".rdata" RVA="0x331D8" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!ExAcquireResourceExclusiveLite" Size="8" TargetName="ZwWaitForSingleObject" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293FD6AA0" Section=".rdata" RVA="0x331E0" Type="IAT hook"/>
<Patch Name="ntoskrnl.exe!KeLeaveCriticalRegion" Size="8" TargetName="ExAcquireResourceSharedLite" TargetModulePath="C:\WINDOWS\system32\ntoskrnl.exe" TargetModuleName="ntoskrnl.exe" TargetVA="0xFFFFF80293EB9F70" Section=".rdata" RVA="0x331E8" Type="IAT hook"/>
</Module>
</Process>
</Report>
AVG Guru
It is the Identity component, which handles behavioral detection, etc.
Thanks