Sysinternals Rootkit Detector

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    Sysinternals Rootkit Detector

    I got this info from a mailing list. I tried out the tool and sure enough, it does what it says.

    http://www.sysinternals.com/ntw2k/fr...itreveal.shtml

    “RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender.”

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi thehorse13,

    First you download the unit then scan...it displays discrepancies...do you then just delete the discrepancies and reboot?
    And how do you tell which ones you should delete?

    Thanks,

    Eg

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    You have to research the discrepancies and you have to know what a rootkit hook looks like. Think of this tool as the HijackThis for rootkits. You have to know what you're looking at.

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Egal, make a backup before you play with that thing. To get the best result run it from a clean boot. Nice tool Master Jedi.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    Senior Member
    Join Date
    Nov 2002
    Posts
    339
    Rockstar TH. I want you to however take a look at the INI I input for Hacker Defender and look to see if there is anything I could have made more covert. This was the best I could do however since I don't have a whole lot of experience with designing rootkits (I started messing with them about 2 years ago but never put any to use, hence why I say I don't have 'experience'). Nevertheless my best attempt was thwarted by Rootkit Revealer. As was said earlier, it does exactly what it says. Anyways, take a look at it and PM me with your words of wisdom. You know me. I like to play with this kinda stuff.

    [H<<id<<den <<Ta<<::ble]
    ftp.exe
    tftp.exe
    ftp.ex_
    tftp.ex_
    dllhost.exe
    dllhost.ini
    viapcidrv.sys
    net.exe
    net1.exe
    net.ex_
    net1.ex_
    ten.exe
    ten1.exe
    _data_
    _restore
    faxsrv
    msvagina.*
    mspslist.dll
    spoolsv.exe
    netmngr.exe
    ctfmon.exe
    dxdlg.exe
    smss.exe
    wget.exe
    hxdef*
    ioftpd.exe
    wget*
    senvices.exe
    senvices.ini
    mssvchost32.dll
    debug.exe
    smss.exe
    ntmngr.exe
    msvint.sys
    locator.ocx
    locator.dll
    autoconvert.dll
    services.exe
    services.ini

    [R<<::<t Pro<<ce<s<s<es]
    spoolsv.exe
    netmngr.exe
    ioftpd.exe
    ntmngr.exe
    ctfmon.exe

    [Hid<<den Services]
    Alerter
    Fax server
    Fax*
    Sysadm
    VIA-PCI
    msvagina.*
    Ntmngr
    Ctfmon
    RemoteRegistry
    Ha<c:ke<rDe:fe:nd:er*
    VIAPCI
    LEGACY_VIAPCI
    VIA-PCI
    VIA PCI Driver
    VIA*

    [Hidden RegKeys]
    msvagina.*
    ioftpd.exe
    Alerter
    VIAPCI
    LEGACY_VIAPCI
    VIA-PCI
    VIA PCI Driver
    VIA*
    MSVINT
    LEGACY_MSVINT
    VIAPCIDRV
    SYSADM
    R_SERVER
    msvagina.*

    [Hidden RegValues]
    ioftpd.exe

    [St<ar<t<up Run]
    c:\system~1\_restore\system\win\smss.exe

    [Free Space]

    [Hid::den Po<<>>rts]
    TCP: 41414,4899,4128,1111,1090,3200,999,63636,30336,48792,2112,2109,64896,65235,65234,65233,65232,65231
    UDP: 41414,4899,4128,1111,1090,3200,999,63636,30336,48792,2112,2109,64896,65235,65234,65233,65232,65231
    [Settings]
    Password=6969-$3rviceaccessP0int
    BackdoorShell=xcmd.exe
    FileMappingName=-Messenger-
    ServiceName=Messenger
    ServiceDisplayName=Messenger
    ServiceDescription=Sends and receives messages transmitted by administrators or by the Alerter service.
    DriverName=MSVINT
    DriverFileName=msvint.sys

    Don't be a bitch! Use Slackware.
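Why every name in that hide list surfaced anyway, as an added illustration that is not code from the thread, from Sysinternals or from HackerDefender: RootkitRevealer compares what the Windows API reports against a raw scan, so each name a hook filters out of the API view is exactly what gets flagged. The ignored-character set |<>:\"/ used to read the obfuscated section names is taken from the hxdef readme as I recall it and is an assumption, and the "hooked" listing is a simulated stand-in built from a constructed sample.

```python
import fnmatch

# Assumption (hxdef readme, as recalled): HackerDefender ignores these characters in
# section names and hide-list entries, so "[H<<id<<den <<Ta<<::ble]" reads "[Hidden Table]".
HXDEF_IGNORED = set('|<>:\\"/')
LIST_SECTIONS = {"Hidden Table", "Hidden Processes", "Hidden Services",
                 "Hidden RegKeys", "Hidden RegValues"}

def hxdef_normalize(s: str) -> str:
    """Strip the ignored characters so an analyst can read the real name."""
    return "".join(ch for ch in s if ch not in HXDEF_IGNORED).strip()

def parse_hxdef_ini(text: str) -> dict:
    """Map each de-obfuscated section name to its entries; sections such as
    [Settings] and [Startup Run] are kept verbatim."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        norm = hxdef_normalize(line)
        if norm.startswith("[") and norm.endswith("]"):
            current = norm[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(norm if current in LIST_SECTIONS else line)
    return sections

def hooked_api_view(raw_listing, hide_patterns):
    """Constructed stand-in for a hooked directory-listing API: names matching the
    hide list disappear from what user-mode callers see."""
    return [n for n in raw_listing
            if not any(fnmatch.fnmatch(n.lower(), p.lower()) for p in hide_patterns)]

def cross_view_diff(raw_listing, api_view):
    """RootkitRevealer's core check: anything in the raw on-disk view that the
    Windows API view omits is reported as 'Hidden from Windows API'."""
    return sorted(set(raw_listing) - set(api_view))

# Constructed sample: three entries from the thread's hide list plus benign files.
SAMPLE_INI = """[H<<id<<den <<Ta<<::ble]
hxdef*
senvices.exe
wget*
"""
SAMPLE_DIR = ["hxdef100.exe", "senvices.exe", "services.exe", "wget.exe", "notepad.exe"]

def demo():
    cfg = parse_hxdef_ini(SAMPLE_INI)
    return cfg, cross_view_diff(SAMPLE_DIR, hooked_api_view(SAMPLE_DIR, cfg["Hidden Table"]))
```

Run demo() to see the three hidden names reported as discrepancies while services.exe and notepad.exe stay silent; the same comparison applied to Registry keys is what catches the [Hidden RegKeys] entries.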
