Results 1 to 3 of 3

Thread: Prototype Rootkit Discovery Application

  1. #1
    AO Senior Cow-beller
    zencoder's Avatar
    Join Date
    Dec 2004
    Mountain standard tribe.

    Lightbulb Prototype Rootkit Discovery Application

    Bruce Schneier describes a prototype app to help discover persistent rootkits. This is a really cool idea.

    Basically, it's a CD based app that you pop in the drive while the system is up and running. It will examine the current state, stop all user programs, flush caches, and run a checksum of all files, as well as check the registry for keys that could 're-launch' certain infected programs and such. All data is written to a dump file on the harddrive.

    It then tells the user to "RESET" the system which then boots from the CD and repeats the process on the files and registry/hive files. Any differences indicate a rootkit or stealth software.

    Thats a pretty simple and cool idea.

    And the most amazing's a Microsoft prototype! They call it Ghostbuster, but don't have plans to sell or market. Here's hoping they don't hold the copyright, and let others take this great idea and run with it, if they don't want to.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #2
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Gawd there's nothing like a new wrench for the toolbox. Thanks for the clue-in and I'll check it out.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    Looks very interesting.... I'm definately going to have to check it out.

    One of the things I've been looking into recently is VICE... only because I happened to come across an older ScreenSavers segment which had some guys from and covered VICE... It's a pretty nifty little rootkit hunter.

    VICE is a program that identifies hooks in API calls, functions, and
    function pointer tables. It has a user portion and a kernel portion.
    Usually anything it detects in the kernel is a rootkit or some form of
    third party software that uses "rootkit techniques". Third party
    products that may be detected by VICE in the kernel are things like
    personal firewalls and Host Based Intrusion Prevention Systems (HIPS)
    like ZoneAlarm, Cisco Security Agent, or Blink.
    The README_VICE.txt in the EXE folder of the zip has more information on it as well as related documentation.

    The software is available from the downloads page of however you need to register to access it (registration is free)... I'm also attaching the archive to this thread for anyone interested in it..


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts