RootRepeal - a new strong ARK tool
aigle
July 25th, 2008, 02:38 AM
http://rootrepeal.googlepages.com/
According to some experts, the tool is pretty good; even EP has good comments about it on Sysinternals. I was told that it's on par with RKU and GMER and seems under constant development.
http://forum.sysinternals.com/forum_posts.asp?TID=12914&PN=1
dw426
July 25th, 2008, 05:42 AM
-{ Quote: "http://rootrepeal.googlepages.com/
According to some experts, the tool is pretty good; even EP has good comments about it on Sysinternals. I was told that it's on par with RKU and GMER and seems under constant development.
http://forum.sysinternals.com/forum_posts.asp?TID=12914&PN=1" }-
Just ran the tool, simple to use, I like it....now what the hell is this?
Name: PCI_PNP6052
Image Path: \Driver\PCI_PNP6052
Address: 0x00000000 Size: 0 File Visible: No
Status: -
I can't even Google it.
aigle
July 25th, 2008, 06:18 AM
I don't know either. ;D
Better post at sysinternals.
dw426
July 25th, 2008, 06:39 AM
-{ Quote: "I don't know either. ;D
Better post at sysinternals." }-
Guess I should, lol. That's the only entry I couldn't look up.
Edit: Posted the entire log there, some conflicting opinions on some results maybe being from Daemon Tools and maybe not according to Google.
dw426
July 25th, 2008, 06:59 AM
Wow, that was quick, lol. They told me it was in fact Daemon Tools drivers.
fcukdat
July 25th, 2008, 07:31 AM
-{ Quote: "Just ran the tool, simple to use, I like it....now what the hell is this?
Name: PCI_PNP6052
Image Path: \Driver\PCI_PNP6052
Address: 0x00000000 Size: 0 File Visible: No
Status: -
I can't even Google it." }-
Because none of the publicly available ARK detectors to date offer the scope of detection that RR does, this is *new* data being returned, not known to Google search till now;)
Alcohol/Daemon Tools' RK techniques just got royally uncovered:thumb: ;D
dw426
July 25th, 2008, 07:47 AM
-{ Quote: "Because none of the publicly available ARK detectors to date offer the scope of detection that RR does, this is *new* data being returned, not known to Google search till now;)
Alcohol/Daemon Tools' RK techniques just got royally uncovered:thumb: ;D" }-
Lol, true :) As long as Daemon doesn't try any other funny stuff it can stay. One false move and it's evicted!
pidbo
July 25th, 2008, 05:38 PM
Worked on one of my Windows 2000 Pro computers but crashed the other one instantly (repeatedly...on subsequent re-boots) when I pressed the scan drivers button.
It is still beta though...but just thought I'd mention it
MrBrian
July 25th, 2008, 06:50 PM
Thank you aigle :)
aigle
July 25th, 2008, 08:26 PM
U r welcome. Thanks to fcukdat by the way, for introducing it.
blacknight
July 26th, 2008, 04:56 AM
I tried it on XP Pro SP3: simple, fast, no conflict problem, and the same results as GMER on my pc: clean.
fcukdat
July 26th, 2008, 11:20 AM
-{ Quote: "U r welcome. Thanks to fcukdat by the way, for introducing it." }-
Well, kudos to the author ad_13 for his creation:thumb:
So far none of my zoo collection of malware RKs and POCs has defeated it, so IMO its capabilities in range of detections exceed GMER's and IceSword's latest builds as well as the last available RKU public release:thumb:
Here are 2 malware RKs where GMER & the last RKU are bypassed:ouch:
Sample 1: The latest DNS Trojan has a rootkit driver (inch.sys) that borks the raw disk read of virtually all ARK tools in the public arena:'(
[screenshot attachment]
Sample 2: The elusive Rustock C (Ntldrbot)
[screenshot attachment]
-{ Quote: "ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2008/07/26 15:45
Program Version: Version 1.0.2.0
Windows Version: Windows XP SP1
==================================================
Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\cdaudio.sys
Status: Size mismatch (API: 18688, Raw: 254912)" }-
[screenshot attachment]
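As an added example (not code from this thread, from RootRepeal or from its author): a small Python parser for the report format quoted above that flags the two kinds of entries discussed in this thread, a "Size mismatch" between what the file API reports and what a raw disk read returns, and a driver object with no visible backing file and a zero load address. The sample report is constructed from the entries posted here; the "Drivers" section name is an assumption.

```python
import re
# Entry keys RootRepeal prints, taken from the report text quoted in this thread.
KEYS = ("Name", "Image Path", "Address", "Size", "File Visible", "Status", "Path")
KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(k) for k in KEYS) + r"):\s*")
MISMATCH_RE = re.compile(r"Size mismatch \(API: (\d+), Raw: (\d+)\)")

# Constructed sample built from the entries quoted in this thread ("Drivers" as a section name is an assumption).
SAMPLE_REPORT = """\
Drivers
-------
Name: PCI_PNP6052
Image Path: \\Driver\\PCI_PNP6052
Address: 0x00000000 Size: 0 File Visible: No
Status: -
Hidden/Locked Files
-------------------
Path: C:\\WINDOWS\\system32\\drivers\\cdaudio.sys
Status: Size mismatch (API: 18688, Raw: 254912)
"""

def parse_report(text):
    """Return {section: [entry, ...]}, where an entry is a dict of key -> value."""
    sections, section, entry = {}, None, None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) <= {"=", "-"}:  # blank, banner or underline
            continue
        if ":" not in line:  # a line without a key is a section heading (underlined with dashes)
            section, entry = line.strip(), None
            continue
        parts = KEY_RE.split(line)  # ['', key1, value1, key2, value2, ...]
        if len(parts) < 3 or section is None:  # no known entry key (e.g. "Scan Time:" in the header): skip
            continue
        pairs = list(zip(parts[1::2], parts[2::2]))
        if entry is None or pairs[0][0] in entry:  # a repeated key starts the next entry
            sections.setdefault(section, []).append(entry := {})
        entry.update((k, v.strip()) for k, v in pairs)
    return sections

def find_suspicious(sections):
    """Triage rules for what the thread discusses: size mismatches and fileless driver objects."""
    findings = []
    for section, entries in sections.items():
        for e in entries:
            ident = e.get("Path") or e.get("Name", "?")
            m = MISMATCH_RE.search(e.get("Status", ""))
            if m:  # raw disk read disagrees with the file API: content is hidden or locked
                findings.append((section, ident, f"raw/API size differ by {int(m[2]) - int(m[1])} bytes"))
            if e.get("File Visible") == "No" and int(e.get("Address", "0"), 16) == 0:
                findings.append((section, ident, "driver object with no visible file and no load address"))
    return findings
```

Both flagged entries in the sample turned out to have benign explanations in this thread (Daemon Tools drivers and a hidden cdaudio.sys), which is exactly why a parser should only triage and leave the verdict to the analyst.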
fcukdat
July 26th, 2008, 11:26 AM
And here are a couple of advanced POC RKs in the mix 8)
Sample 1: Unreal
[screenshot attachments]
Sample 2: Phide_ex
[screenshot attachment]
MrBrian
July 26th, 2008, 12:55 PM
Thanks for the tests fcukdat :).
aigle
July 26th, 2008, 01:14 PM
Hi fcukdat! What is this phide.exe, a newer version of it? I get only BSODs with it. In the past I managed to run it but never got a box like this. Do you need to run it via Command Prompt?
fcukdat
July 26th, 2008, 03:11 PM
-{ Quote: "Hi fcukdat! What is this phide.exe, a newer version of it? I get only BSODs with it. In the past I managed to run it but never got a box like this. Do you need to run it via Command Prompt?" }-
My bad<oops>
It's the old phide tool hosted at VX heavens and has nothing to do with PE386's Phide_ex POC... So my bad on testing, as I have 2 folders containing totally unrelated Phide samples.... Gonna nip back, retest Phide_ex and edit the previous post, hopefully to include RR versus phide_ex test results!
aigle
July 27th, 2008, 06:09 PM
Hmmm... that's OK. At least I was able to play with phide. It's an interesting POC.
Thanks
Searching_ _ _
December 31st, 2008, 02:45 AM
AD has released a new version adding MBR detection and more.
Version 1.2.3 (link)
-Added: Stealth Objects scan (scans for hidden handles, threads, modules, kernel code and IRP handlers)
-Added: Hidden Services scan.
-Improved: Initialization speed and compatibility.
-Added: RootRepeal can now fix MBR modifications caused by the Mebroot trojan.
-Improved: Files scan speed.
-Improved: Scan speed in the Drivers and Processes scan.
-Fixed: Display names in the SSDT scan.
-Fixed: Intermittent bug in the files scan.
-Fixed: Bugs in handling some FAT32 directories.
-Added: Crash dump reporting. If RootRepeal crashes, it will generate two files: a crash dump text file, and possibly a RootRepeal.dmp file. If you experience a crash, please send me those two files.
progress
February 17th, 2009, 11:55 AM
Any experiences with this tool? :P
PROROOTECT
February 17th, 2009, 02:45 PM
Hi,
The experience with RootRepeal is very very good, yes.
Look on thread on Sysinternals here: http://forum.sysinternals.com/forum_posts.asp?TID=12914
But this does NOT seriously suggest that GMER does not see something. Not seriously, not professional.
Look on the examples of findings of GMER here: http://www.gmer.net/rootkit.php
... and here: http://www.gmer.net/rootkits.php
Yesss, PROROOTECT:thumb:
fcukdat
February 18th, 2009, 06:56 AM
PROROOTECT,
GMER at the moment is bypassed by any RK that fakes the SSDT.
POC published back in November last year.
http://www.rootkit.com/newsread.php?newsid=922
Discovered being used by certain ITW rootkits by January this year:-[
RootRepeal had been updated to handle this hiding technology shortly after the POC was published at rootkit.com.
That is the definitive sign of a tool that is still under ongoing development and really should give a pointer as to its effectiveness.
Alas, the arms race goes on, and no doubt another POC will come along or a new RK hider ITW; then it will be time once again for the tools to upgrade or be bypassed:-[
HTH:)