Can Port Explorer detect services hidden by rootkits


kaneh
December 15th, 2006, 01:23 PM
I use Port Explorer v1.700 to do forensic analysis of hacked machines. We've been noticing that obviously compromised machines with active outgoing network connections show no illegal processes.

Is there a rootkit technique to hide a process from PE? Will the newer version of PE detect these hidden processes?

Thanks!

Hermescomputers
December 18th, 2006, 06:53 AM
-{ Quote: "I use Port Explorer v1.700 to do forensic analysis of hacked machines. We've been noticing that obviously compromised machines with active outgoing network connections show no illegal processes.

Is there a rootkit technique to hide a process from PE? Will the newer version of PE detect these hidden processes?

Thanks!" }-

Hi,
I don't think you can detect an "active" rootkit as such, besides finding what open ports are used by processes "hooked into" and controlled by them, since they would be cloaked. You can see "hidden" processes, but that is different from a cloaked process.

You may consider using a kernel hook scan to find which processes are tapping into the kernel to begin looking for these cloaked devices.

Here is a possible tool to begin with: http://www.resplendence.com/hookanalyzer
It's quick and shows most hooks into the kernel. It is also 32-bit and x64 compatible.


Also, I would consider that there are vulnerabilities solved in the current version, V2.150, that may not be in V1.7 of PE. Maybe consider upgrading to the latest tool, since it would more than likely provide a more "reliable scope of activity". :)
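The pattern kaneh describes (live outgoing connections, but no matching process in the tool's list) is exactly what a cross-view check catches: the socket table still names the owning PID, while a rootkit that filters one process-enumeration path usually does not filter every path consistently. The script below is an added example, not code from this thread, from Port Explorer or from Hook Analyzer. It parses the PID column of `netstat -ano` and the PID list from `tasklist /FO CSV`, takes a second PID set that is assumed to come from a brute-force sweep calling OpenProcess on every PID (the sweep itself is not implemented here; its result is a constructed set), and reports PIDs that one view lists but another omits, then flags the connections those PIDs own. All sample data is constructed for the demonstration; the hidden-process and hostname values are placeholders, not real indicators.

```python
"""Cross-view check for hidden processes that still own network connections.

Added example (not Port Explorer's code). Inputs: `netstat -ano` text,
`tasklist /FO CSV` text, and an independently collected PID set. Every
sample below is constructed for the demonstration.
"""
import csv
import io
import re
from typing import Dict, List, NamedTuple, Set


class Connection(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which netstat prints without a state column
    pid: int


# Constructed sample of `netstat -ano` output (Windows XP/2003 column layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1038      203.0.113.7:6667       ESTABLISHED     2764
  TCP    192.168.1.10:1041      198.51.100.22:80       ESTABLISHED     1520
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV` output on the same host.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","884","Console","0","4,932 K"
"iexplore.exe","1520","Console","0","21,040 K"
"""

# Constructed result of a brute-force PID sweep (assumed to be gathered by
# calling OpenProcess on each PID and keeping the ones that succeed).
# PID 2764 answers here but is absent from tasklist: that is the discrepancy.
OPENPROCESS_SWEEP_SAMPLE: Set[int] = {4, 884, 1520, 2764}

# Proto, local, foreign, optional state (TCP only), PID.
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text: str) -> List[Connection]:
    """Parse the data lines of `netstat -ano`; header and blank lines are skipped."""
    conns: List[Connection] = []
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Connection(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist_csv(text: str) -> Set[int]:
    """PID set from `tasklist /FO CSV` (the PID column is quoted text)."""
    return {int(row["PID"]) for row in csv.DictReader(io.StringIO(text))}


def cross_view_diff(views: Dict[str, Set[int]]) -> Dict[int, List[str]]:
    """For every PID present in at least one view, list the views that lack it.

    PIDs present in all views are omitted, so an empty result means the views
    agree. A process that exits between two collections also shows up here,
    so collect the views back to back and re-run before drawing conclusions.
    """
    every_pid = set().union(*views.values())
    discrepancies: Dict[int, List[str]] = {}
    for pid in sorted(every_pid):
        missing = [name for name, pids in views.items() if pid not in pids]
        if missing:
            discrepancies[pid] = missing
    return discrepancies


def suspicious_connections(conns: List[Connection],
                           views: Dict[str, Set[int]]) -> List[Connection]:
    """Connections whose owning PID is missing from at least one process view.

    The socket table itself is added as a view, so a PID that no process list
    knows about is flagged too. PID 0 is skipped: netstat reports it for
    sockets whose owner is already gone.
    """
    all_views = dict(views)
    all_views["netstat"] = {c.pid for c in conns if c.pid != 0}
    discrepancies = cross_view_diff(all_views)
    return [c for c in conns if c.pid != 0 and c.pid in discrepancies]


def sample_views() -> Dict[str, Set[int]]:
    """The two constructed process views used in the demonstration."""
    return {
        "tasklist": parse_tasklist_csv(TASKLIST_SAMPLE),
        "openprocess_sweep": OPENPROCESS_SWEEP_SAMPLE,
    }


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    for pid, missing in cross_view_diff(sample_views()).items():
        print(f"PID {pid} is missing from: {', '.join(missing)}")
    for c in suspicious_connections(conns, sample_views()):
        print(f"{c.proto} {c.local} -> {c.remote} {c.state} owned by PID {c.pid}")
```

On a real machine, feed it the saved output of `netstat -ano` and `tasklist /FO CSV` taken seconds apart, plus whatever independent enumeration you trust (a kernel-level listing from a hook scanner, or an offline listing from a memory image). A PID that owns an ESTABLISHED connection and is absent from the user-mode list is the thing to pull the image of next; a PID that only flickers in and out is more likely a short-lived process caught between snapshots.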

kaneh
December 19th, 2006, 09:43 AM
Thanks for your reply. I'll definitely be checking out that other tool besides upgrading my version.