Does Runscanner show any Keylogger etc?


truthseeker
August 30th, 2008, 08:17 PM
When I run a program called RunScanner, it shows all running processes.

If I was infected with a keylogger etc, would it show up on RunScanner?

RunScanner
August 31st, 2008, 10:58 AM
Most likely yes, except if it was an undetectable rootkit

Longboard
August 31st, 2008, 11:27 AM
{QUOTE-> Most likely yes, except if it was an undetectable rootkit <-QUOTE}
No offence intended ( I like RS :) )
Ow: heh : my brain hurts >> is that a logic bomb or just an inverted tautology ;)

On a more serious note: I had thought that RS was good at ferreting out hidden processes ??

truthseeker
September 1st, 2008, 06:36 AM
{QUOTE-> Most likely yes, except if it was an undetectable rootkit <-QUOTE}

So "undetectable rootkits" don't run in RAM? If not, then how can they do anything if they aren't running in memory?

truthseeker
September 1st, 2008, 06:37 AM
{QUOTE-> No offence intended ( I like RS :) )
Ow: heh : my brain hurts >> is that a logic bomb or just an inverted tautology ;)

On a more serious note: I had thought that RS was good at ferreting out hidden processes ?? <-QUOTE}

What's RS?

Antarctica
September 1st, 2008, 06:48 AM
{QUOTE-> What's RS? <-QUOTE}

I guess RunScanner.:)

BlueZannetti
September 1st, 2008, 06:52 AM
{QUOTE-> So "undetectable rootkits" don't run in RAM? If not, then how can they do anything if they aren't running in memory? <-QUOTE}

They are running in RAM. The typical scenario: the information provided to you by the OS (say via Task Manager) has been filtered by the rootkit to eliminate references to itself.

Blue

truthseeker
September 1st, 2008, 06:56 AM
{QUOTE-> I guess RunScanner.:) <-QUOTE}

Yeah, I thought that too, but the way he used RS in that context sounded like he was disagreeing with RunScanner.

truthseeker
September 1st, 2008, 06:57 AM
{QUOTE-> They are running in RAM. The typical scenario: the information provided to you by the OS (say via Task Manager) has been filtered by the rootkit to eliminate references to itself.

Blue <-QUOTE}

Can you please elaborate? Do you mean if I run RunScanner, it won't show as it somehow has made itself "invisible" in RAM?

BlueZannetti
September 1st, 2008, 07:15 AM
{QUOTE-> Can you please elaborate? Do you mean if I run RunScanner, it won't show as it somehow has made itself "invisible" in RAM? <-QUOTE}

First of all, take the time to read and understand what I wrote instead of popping off a few one-liner questions without first digging deeper yourself.

My response was to your comment on "undetectable rootkits", not Runscanner. You had initially asked:

{QUOTE-> When I run a program called RunScanner, it shows all running processes.

If I was infected with a keylogger etc, would it show up on RunScanner? <-QUOTE}

The initial response given was

{QUOTE-> Most likely yes, except if it was an undetectable rootkit <-QUOTE}

Which is a correct answer. If you are infected with a keylogger and said keylogger is a part of an "undetectable rootkit", RunScanner may not be able to provide a completely reliable reading of the processes running on your system. Rootkits hook into the OS system calls and will typically filter out self-referential information. In a nutshell, that's how they hide.

Think of it this way - consider a simple operation, say a directory listing. Getting that directory listing generally involves calling the OS and information is passed back to you from the OS. If a process is inserted between you and the base OS, it can filter/alter the information that is provided back to you. Clear enough?

Blue
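
The filtering described in the post above, together with the cross-view comparison a defender can use to notice it, as an added example that is not part of the original thread. All PIDs and process names are constructed sample data, and `hooked_listing` is a hypothetical stand-in for an OS call with a filter inserted in front of it.

```python
"""Cross-view check: compare what the (possibly filtered) OS API reports
with an independent enumeration. All data below is constructed."""

# Constructed ground truth: (pid, image name) as an independent low-level
# enumeration would see it, i.e. one that does not pass through the
# filtered call.
RAW_VIEW = {
    (4, "System"),
    (612, "explorer.exe"),
    (1288, "runscanner.exe"),
    (1940, "kl_sample.exe"),   # hypothetical keylogger process
    (2210, "notepad.exe"),     # started after the first API snapshot
}


def hooked_listing(real, concealed_names):
    """Hypothetical stand-in for a process-list call with a filter sitting
    between the caller and the OS: entries that refer to the filter's own
    components are dropped before the caller sees the result."""
    return {(pid, name) for pid, name in real if name not in concealed_names}


def cross_view_diff(api_before, raw, api_after):
    """Return entries present in the raw view but absent from BOTH API
    snapshots. Two API snapshots keep ordinary process churn (a process
    starting or exiting between scans) from being reported as hidden."""
    seen_by_api = api_before | api_after
    return sorted(raw - seen_by_api)


def demo():
    concealed = {"kl_sample.exe"}
    # API snapshot taken before the raw scan: notepad.exe not yet running.
    before = hooked_listing(RAW_VIEW - {(2210, "notepad.exe")}, concealed)
    # API snapshot taken after the raw scan: notepad.exe is now visible.
    after = hooked_listing(RAW_VIEW, concealed)
    return cross_view_diff(before, RAW_VIEW, after)


if __name__ == "__main__":
    for pid, name in demo():
        print(f"hidden from API view: pid={pid} image={name}")
```

The comparison only helps when the second view does not travel through the same filtered path; if both views are filtered, the difference is empty.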