February 23rd, 2005, 03:32 PM
#1
Sysinternals Rootkit Detector
I got this info from a mailing list. I tried out the tool and sure enough, it does what it says.
http://www.sysinternals.com/ntw2k/fr...itreveal.shtml
“RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender.”
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
February 23rd, 2005, 04:33 PM
#2
Hi thehorse13,
First you download the unit then scan...it displays discrepancies...do you then just delete the discrepancies and reboot?
And how do you tell which ones you should delete?
Thanks,
Eg
-
February 23rd, 2005, 04:51 PM
#3
You have to research the discrepancies and you have to know what a rootkit hook looks like. Think of this tool as the HijackThis for rootkits. You have to know what you're looking at.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
February 23rd, 2005, 05:00 PM
#4
Egal, make a backup before you play with that thing. To get the best result run it from a clean boot. Nice tool Master Jedi.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
February 23rd, 2005, 06:14 PM
#5
Rockstar TH. I want you to however take a look at the INI I input for Hacker Defender and look to see if there is anything I could have made more covert. This was the best I could do however, since I don't have a whole lot of experience with designing rootkits (I started messing with them about 2 years ago but never put any to use, hence why I say I don't have 'experience'). Nevertheless my best attempt was thwarted by RootkitRevealer. As was said earlier, it does exactly what it says. Anyways, take a look at it and PM me with your words of wisdom. You know me. I like to play with this kinda stuff.
[H<<id<<den <<Ta<<::ble]
ftp.exe
tftp.exe
ftp.ex_
tftp.ex_
dllhost.exe
dllhost.ini
viapcidrv.sys
net.exe
net1.exe
net.ex_
net1.ex_
ten.exe
ten1.exe
_data_
_restore
faxsrv
msvagina.*
mspslist.dll
spoolsv.exe
netmngr.exe
ctfmon.exe
dxdlg.exe
smss.exe
wget.exe
hxdef*
ioftpd.exe
wget*
senvices.exe
senvices.ini
mssvchost32.dll
debug.exe
smss.exe
ntmngr.exe
msvint.sys
locator.ocx
locator.dll
autoconvert.dll
services.exe
services.ini
[R<<: : <t Pro<<ce<s<s<es]
spoolsv.exe
netmngr.exe
ioftpd.exe
ntmngr.exe
ctfmon.exe
[Hid<<den Services]
Alerter
Fax server
Fax*
Sysadm
VIA-PCI
msvagina.*
Ntmngr
Ctfmon
RemoteRegistry
Ha<c:ke<rDe:fe:nd:er*
VIAPCI
LEGACY_VIAPCI
VIA-PCI
VIA PCI Driver
VIA*
[Hidden RegKeys]
msvagina.*
ioftpd.exe
Alerter
VIAPCI
LEGACY_VIAPCI
VIA-PCI
VIA PCI Driver
VIA*
MSVINT
LEGACY_MSVINT
VIAPCIDRV
SYSADM
R_SERVER
msvagina.*
[Hidden RegValues]
ioftpd.exe
[St<ar<t<up Run]
c:\system~1\_restore\system\win\smss.exe
[Free Space]
[Hid::den Po<<>>rts]
TCP: 41414,4899,4128,1111,1090,3200,999,63636,30336,48792,2112,2109,64896,65235,65234,65233,65232,65231
UDP: 41414,4899,4128,1111,1090,3200,999,63636,30336,48792,2112,2109,64896,65235,65234,65233,65232,65231
[Settings]
Password=6969-$3rviceaccessP0int
BackdoorShell=xcmd.exe
FileMappingName=-Messenger-
ServiceName=Messenger
ServiceDisplayName=Messenger
ServiceDescription=Sends and receives messages transmitted by administrators or by the Alerter service.
DriverName=MSVINT
DriverFileName=msvint.sys
Don't be a bitch! Use Slackware.
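An added illustration of the cross-view technique the Sysinternals description in post #1 refers to, applied to a hidden table like the one posted above (this is example code written for this page, not code from the thread, from Sysinternals, or from Hacker Defender): a raw enumeration of a directory is compared with what a hooked listing API returns, and every entry missing from the API view is reported as a discrepancy. The file listing is constructed, and glob-style matching of the hidden-table patterns is an assumption made for the demo.

```python
import fnmatch

# Constructed raw listing, as a low-level walk of the volume would see it.
RAW_FILES = [
    "explorer.exe", "notepad.exe", "ctfmon.exe",
    "hxdef100.exe", "hxdef100.ini", "wget.exe", "ten.exe",
]

# A few entries mirroring the [Hidden Table] section in the post above.
# Note that ctfmon.exe is also a legitimate Windows file name.
HIDDEN_PATTERNS = ["hxdef*", "wget*", "ten.exe", "ctfmon.exe"]


def hooked_api_view(raw_listing, hidden_patterns):
    """Model of what a hooked directory-listing API returns: any entry that
    matches a hidden-table pattern is dropped. Case-insensitive glob
    matching is an assumption for this demo, not the rootkit's matcher."""
    return [
        name for name in raw_listing
        if not any(fnmatch.fnmatch(name.lower(), pat.lower())
                   for pat in hidden_patterns)
    ]


def cross_view_diff(raw_view, api_view):
    """RootkitRevealer-style check: names present in the raw view but absent
    from the API view are discrepancies that need investigating."""
    visible = set(api_view)
    return sorted(name for name in raw_view if name not in visible)


def scan(raw_listing, hidden_patterns):
    """Run both views over the same listing and return the discrepancies."""
    return cross_view_diff(raw_listing, hooked_api_view(raw_listing, hidden_patterns))


if __name__ == "__main__":
    for name in scan(RAW_FILES, HIDDEN_PATTERNS):
        print("discrepancy:", name)
```

The output includes ctfmon.exe alongside the obviously suspicious names, which is the point post #3 makes: a discrepancy tells you something is being hidden, not whether the file is safe to delete.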