New Anti-Rootkit Tool: Packed Driver Detector [Beta, Testers Needed!]
Magnus Mischel
September 20th, 2008, 09:59 PM
We've just released the beta version of a new tool called Packed Driver Detector.
Download: http://www.misec.net/products/PDD.exe (No installation required - simply run file)
[screenshot attachment]
What does this thing do?
Drivers are system files that are used in kernel mode to execute system code. Rootkits use a driver (.sys) file to subvert the Windows kernel and hide their presence in the system. Recent rootkits have begun packing and/or encrypting their driver files to make them harder to detect.
This tool identifies packed driver files. On an uninfected system there should be no packed driver files. Use this tool to identify any packed driver files on your system.
How can I help?
This is the first beta release of Packed Driver Identifier. If you want to help out testing it, download and run it to scan your system. If the tool identifies any packed drivers, don't panic. This is the first release of the tool and the identified files are very likely legitimate. Please email the detected driver files to support@misec.net along with your scan log. We will analyze the files for you and tell you if they really are something to worry about.
It would be very helpful if you could post your scan report even if no packed drivers are identified. This is to help verify that the tool is actually not reporting any packed files on clean systems.
jmonge
September 20th, 2008, 10:42 PM
I just tried it and these are the results:
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (270 files scanned).
What does this mean?
Magnus Mischel
September 20th, 2008, 10:52 PM
-{ Quote: "I just tried it and these are the results:
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (270 files scanned).
What does this mean?" }-
That means that the tool scanned 270 driver files on your system and didn't find any packed ones. This is a good thing since a packed driver would very likely be a rootkit. Regular driver file authors would not encrypt or compress their drivers.
SystemJunkie
September 20th, 2008, 11:06 PM
-{ Quote: "Scanning C:\Windows\system32\drivers\
Error: System Error. Code: 1006.
The volume for a file has been externally altered so that the opened file is no longer valid.
Error: System Error. Code: 1006.
The volume for a file has been externally altered so that the opened file is no longer valid.
No packed driver files were detected (7 files scanned).
" }-Results. Probably the 64-bit protection (which in fact looks like rootkit behaviour itself).
jmonge
September 20th, 2008, 11:08 PM
-{ Quote: "That means that the tool scanned 270 driver files on your system and didn't find any packed ones. This is a good thing since a packed driver would very likely be a rootkit. Regular driver file authors would not encrypt or compress their drivers." }-Thanks for the valuable info, nice app. That's good to know that my HIPS and sandbox programs are really doing their job. No antivirus here for a long time :thumb:
Magnus Mischel
September 20th, 2008, 11:08 PM
-{ Quote: "Results." }-
What Windows/Service Pack version is this on?
Tarnak
September 20th, 2008, 11:09 PM
I just tried it, not sure if the error means anything:
Scanning C:\WINDOWS\system32\drivers\
Error: This is not a PE format
Error: Unable to get read access to C:\WINDOWS\system32\drivers\sptd.sys
No packed driver files were detected (223 files scanned).
Magnus Mischel
September 20th, 2008, 11:11 PM
-{ Quote: "I just tried it, not sure if the error means anything:
Scanning C:\WINDOWS\system32\drivers\
Error: This is not a PE format
Error: Unable to get read access to C:\WINDOWS\system32\drivers\sptd.sys
No packed driver files were detected (223 files scanned)." }-
The first error means PDD tried to scan a file that was not a regular driver file. This is a harmless message - I will add code to show which file this happens on.
The second message means sptd.sys could not be accessed. sptd.sys is the driver for Daemon Tools - I'm guessing Daemon Tools takes additional steps to make sure its driver file cannot be read. This is good information; I will make sure this can be worked around so that all driver files are read.
SystemJunkie
September 20th, 2008, 11:12 PM
-{ Quote: "What Windows/Service Pack version is this on?" }-
Windows Vista 64 bit Sp1.
I see PDD.exe Buffer Overflows (QueryNameInformationFile) in procmon for each called driver.
Magnus Mischel
September 20th, 2008, 11:15 PM
-{ Quote: "Windows Vista 64 bit Sp1.
I see PDD.exe Buffer Overflows (QueryNameInformationFile) in procmon for each called driver." }-
Ah, it's 64-bit, that's why you are getting that error. I'd have to say that this utility won't work on 64-bit for now then. Also explains why the program only found 7 driver files - those would be the 32-bit drivers.
SystemJunkie
September 20th, 2008, 11:16 PM
-{ Quote: "Also explains why the program only found 7 driver files - those would be the 32-bit drivers." }-Ah okay, good to know. I will try it ASAP in 32-bit. (Btw, Windows 64-bit protection could probably block forensic research for rootkits if rootkits bypass PatchGuard, or name-info redirection could prevent official or beta tools from scanning patched 64-bit regions (Vista botch?))
Magnus Mischel
September 20th, 2008, 11:16 PM
There is now also a dedicated web page on our site for this utility. The latest version will always be available here:
http://www.misec.net/products/pdd/
jmonge
September 20th, 2008, 11:20 PM
-{ Quote: "There is now also a dedicated web page on our site for this utility. The latest version will always be available here:
http://www.misec.net/products/pdd/" }-
are you the maker of trojan hunter?
Magnus Mischel
September 20th, 2008, 11:21 PM
And here is the utility in action detecting the TDSServ rootkit that is used by Antivirus XP 2008:
[screenshot attachment]
Magnus Mischel
September 20th, 2008, 11:21 PM
-{ Quote: "are you the maker of trojan hunter?" }-
Yes, that's right :)
jmonge
September 20th, 2008, 11:27 PM
-{ Quote: "Yes, that's right :)" }-
cool and welcome to wilders:thumb: :thumb:
Magnus Mischel
September 20th, 2008, 11:54 PM
Someone just emailed the file ctdvda2k.sys which is detected as packed. This is a Creative DVD driver that contains a large block of compressed data. So there are some legitimate driver files out there that contain this kind of data.
This file could easily be filtered out though since it is digitally signed by Creative Technology Ltd. If anyone else has any files that are being detected, please do email them to support@misec.net
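The first post describes what PDD does (find packed driver files under system32\drivers), and this post describes the false-positive problem with signed vendor drivers such as ctdvda2k.sys. What follows is an added example, not PDD's code and not anything Magnus published: a Python packed-driver detector that parses the PE headers, computes per-section Shannon entropy, flags executable sections above a threshold, and reports whether the file carries an embedded Authenticode blob so a signed vendor driver can be triaged. The 7.0 bits/byte threshold, the executable-sections-only rule, the build_sample_pe() helper and its sample payloads are assumptions constructed for this example; the log strings mimic the lines quoted in the thread.

```python
"""Added example (not PDD's code): flag packed or encrypted kernel drivers by
the entropy of their executable PE sections, and report whether the file has
an embedded Authenticode blob so signed vendor drivers can be triaged.

Assumptions (not stated in the thread): a section is "packed" when its Shannon
entropy is >= ENTROPY_THRESHOLD bits/byte; "has a signature blob" means the PE
security data directory is non-empty, which is presence, not validation.
"""
import hashlib
import math
import os
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0            # assumption; tune against a clean corpus
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes):
    """Return (sections, has_signature_blob); raise ValueError on non-PE input."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("This is not a PE format")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("This is not a PE format")
        coff = e_lfanew + 4
        _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
            nrva_off, dd_off = 92, 96
        elif magic == 0x20B:        # PE32+: at +108 / +112
            nrva_off, dd_off = 108, 112
        else:
            raise ValueError("This is not a PE format")
        nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
        has_sig = False
        if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
            off, size = struct.unpack_from("<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
            has_sig = off != 0 and size != 0
        sections = []
        for i in range(nsections):      # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
            name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
                "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
            raw = data[raw_ptr:raw_ptr + raw_size]
            sections.append({
                "name": name.rstrip(b"\0").decode("ascii", "replace"),
                "executable": bool(chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)),
                "raw_size": len(raw),
                "entropy": shannon_entropy(raw),
            })
        return sections, has_sig
    except struct.error:
        raise ValueError("This is not a PE format") from None


def scan_driver(data: bytes) -> dict:
    """Packed == any non-empty executable section at or above the entropy threshold."""
    sections, has_sig = parse_pe(data)
    packed = any(s["executable"] and s["raw_size"] > 0 and s["entropy"] >= ENTROPY_THRESHOLD
                 for s in sections)
    return {"packed": packed, "has_signature_blob": has_sig, "sections": sections}


def scan_directory(path: str) -> dict:
    """Scan every *.sys in one directory, logging in the style quoted in the thread."""
    results = {}
    print(f"Scanning {path}")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not name.lower().endswith(".sys") or not os.path.isfile(full):
            continue
        try:
            with open(full, "rb") as fh:
                data = fh.read()
        except OSError:
            print(f"Error: Unable to get read access to {full}")
            continue
        try:
            results[full] = scan_driver(data)
        except ValueError as exc:
            print(f"Error: {exc} ({full})")
            continue
        if results[full]["packed"]:
            tag = " [has embedded signature blob]" if results[full]["has_signature_blob"] else ""
            print(f"Found packed driver file: {full}{tag}")
    print(f"{sum(r['packed'] for r in results.values())} packed of {len(results)} files scanned")
    return results


def build_sample_pe(section_data: bytes, *, executable: bool = True, signed: bool = False) -> bytes:
    """Constructed minimal PE32 image with one section (demo input only, not loadable)."""
    opt_size, nsec, raw_ptr = 224, 1, 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    sig_blob = b"\0" * 8 if signed else b""                      # stand-in for a WIN_CERTIFICATE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     raw_ptr + len(section_data) if signed else 0, len(sig_blob))
    chars = (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) if executable else 0x40000040
    sec = struct.pack("<8sIIIIIIHHI", b".text" if executable else b".rsrc", len(section_data),
                      0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, chars)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(raw_ptr, b"\0") + section_data + sig_blob


# Constructed sample payloads: repetitive code-like bytes vs. pseudo-random bytes.
LOW_ENTROPY_CODE = bytes(range(16)) * 256                                    # exactly 4.0 bits/byte
HIGH_ENTROPY_CODE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

if __name__ == "__main__":
    for label, img in [("plain", build_sample_pe(LOW_ENTROPY_CODE)),
                       ("packed+signed", build_sample_pe(HIGH_ENTROPY_CODE, signed=True))]:
        r = scan_driver(img)
        print(label, r["packed"], r["has_signature_blob"], [round(s["entropy"], 2) for s in r["sections"]])
```

Signature presence is only a triage hint: a real filter would validate the Authenticode chain (WinVerifyTrust or signtool), and malware can be signed with a leaked certificate. Scoring only executable sections means a driver that embeds a compressed resource blob in a data section, the ctdvda2k.sys case, is not flagged; that is a design choice of this example, not a statement about how PDD scores files.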
G1111
September 20th, 2008, 11:55 PM
Just downloaded and ran the program. I am running XP SP2. results:
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (360 files scanned).
Will this be included as a utility in TrojanHunter?
Magnus Mischel
September 21st, 2008, 12:01 AM
-{ Quote: "
Will this be included as a utility in TrojanHunter?" }-
It all depends on how many users request it. I don't think it would be helpful for most home users as you'd have to be pretty tech savvy to interpret the results. Perhaps it should just be made available as a stand-alone tool - I'm not sure yet.
Pseudo
September 21st, 2008, 12:32 AM
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (207 files scanned).
No problems.
pidbo
September 21st, 2008, 12:41 AM
Windows 2000
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (222 files scanned).
G1111
September 21st, 2008, 01:32 AM
-{ Quote: "It all depends on how many users request it. I don't think it would be helpful for most home users as you'd have to be pretty tech savvy to interpret the results. Perhaps it should just be made available as a stand-alone tool - I'm not sure yet.
" }-Can always use another tool. Thanks for making it available to test.
LagerX
September 21st, 2008, 02:45 AM
Windows XP SP2
Scanning C:\WINDOWS\system32\drivers\
Error: Unable to get read access to C:\WINDOWS\system32\drivers\sptd.sys
No packed driver files were detected (203 files scanned).
vijayind
September 21st, 2008, 02:46 AM
Vista SP1 (32-bit)
-{ Quote: "Scanning C:\Windows\system32\drivers\
Found packed driver file: C:\Windows\system32\drivers\spsys.sys
" }-
spsys.sys seems to be a Vista RTM driver for making kernel stops as part of their latest WGA program.
Magnus Mischel
September 21st, 2008, 02:48 AM
-{ Quote: "Vista SP1 (32-bit)
spsys.sys seems to be a Vista RTM driver for making kernel stops as part of their latest WGA program." }-
Correct - it's a legitimate file used to protect Vista against piracy. And they have huge blobs of binary data in there. If the day had 36 hours I would analyze it just to find out what it does...
vijayind
September 21st, 2008, 03:10 AM
-{ Quote: "Correct - it's a legitimate file used to protect Vista against piracy. And they have huge blobs of binary data in there. If the day had 36 hours I would analyze it just to find out what it does..." }-
Thanks for the feedback, Magnus, and for confirming that it's a legit file. :thumb:
Meriadoc
September 21st, 2008, 04:33 AM
Thanks will test...
fcukdat
September 21st, 2008, 05:12 AM
Hi Magnus:)
I just love playing with ARK tools, so I was more than happy to put PDD through its paces 8)
First run created 0 false positives, which is very promising :thumb: but I had installed a packed driver to test whether it could detect it, and unfortunately it failed in this instance.
~VirusTotal link removed per policy. - Ron~
[three screenshot attachments]
Hoping to test shortly versus other malware rootkits from my extensive zoo collection but can also confirm that PDD does indeed detect CLB driver(Tdssserv):thumb:
fcukdat
September 21st, 2008, 05:33 AM
Ok after further testing can confirm some limitations with this tool in its current form.
Stating the obvious: many malware drivers live outside of the <driver> folder or are sometimes loaded in ADS, so all samples dwelling in all other locations automatically go unchecked.
So any plans Magnus to widen the targeting on this tool ?
controler
September 21st, 2008, 09:32 AM
Scanning C:\WINDOWS\system32\drivers\
Found packed driver file: C:\WINDOWS\system32\drivers\pxfsf.sys
Error: This is not a PE format
controler
arran
September 21st, 2008, 09:51 AM
I ran it and, as expected, no packed drivers were found.
It's good that it doesn't need installing.
Might keep a copy of this.
Tommy
September 21st, 2008, 10:51 AM
OK, I will give it a ride and report back.
Here we go:
Error message:
-{ Quote: "Scanning C:\WINDOWS\system32\drivers\
Error: Invalid floating point operation
No packed driver files were detected (321 files scanned)." }-
You will find my system configuration at the bottom.
Pedro
September 21st, 2008, 11:30 AM
No problems.
-{ Quote: "Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (307 files scanned).
" }-
fcukdat
September 21st, 2008, 12:33 PM
-{ Quote: "And here is the utility in action detecting the TDSServ rootkit that is used by Antivirus XP 2008:
203055" }-
Ok Magnus... I'm going to beg to differ with you at this point :-[ and call into question the ARK capabilities within your tool!
Earlier, when I tested versus the CLB driver, it was a copy and paste of the driver sample to my drivers folder, at which your tool detected it... So it was not a *live* test per se.
[screenshot attachment]
I have now since had a chance to test versus a loaded CLB driver infection and find the following results>>>
[screenshot attachment]
Sample is available upon request, but at this point your tool is fundamentally a very weak ARK at best (almost a joke :shifty: ) because it has yet another huge flaw :-[
It is blind to hidden CLB & other malware rootkit drivers when they are active and hiding themselves :ouch:
So a question I put to you is: can this ARK tool of yours (your labelling in the topic title) actually detect any packed drivers when they are active and hiding themselves?
controler
September 21st, 2008, 01:07 PM
Fcukdat?
Are you able to see active packed DLLs with
http://peid.has.it/
controler
EASTER
September 21st, 2008, 01:11 PM
Fair question no doubt, and I bet Magnus would agree with this and other test results.
That being said, I would think it's agreed to yield the floor to him for some reply, and as I repeat in other topics about different tools and utilities, what better place to receive honest and full scrutiny of any new introduction; I would venture a guess this will prove useful for improving this tool.
Let the re-building begin.............
blacknight
September 21st, 2008, 02:02 PM
In my system ( XP Pro SP3 ):
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (188 files scanned).
SystemJunkie
September 21st, 2008, 03:55 PM
-{ Quote: "Correct - it's a legitimate file used to protect Vista against piracy. And they have huge blobs of binary data in there. If the day had 36 hours I would analyze it just to find out what it does..." }-Agree, it's incredibly time-consuming to look into the Windows abyss. Unimaginable that someone can survey this binary chaos.
cet
September 21st, 2008, 04:24 PM
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (317 files scanned).
This is my result. I am using WinXP SP3.
fcukdat
September 22nd, 2008, 03:51 PM
-{ Quote: "Fair question no doubt, and I bet Magnus would agree with this and other test results.
That being said, I would think it's agreed to yield the floor to him for some reply, and as I repeat in other topics about different tools and utilities, what better place to receive honest and full scrutiny of any new introduction; I would venture a guess this will prove useful for improving this tool.
Let the re-building begin............." }-
lol Easter 8)
Now I can confirm that every malware rootkit I have in my extensive zoo collection that hides its driver from WinAPI enumeration bypasses this tool... in layman's terms, if the driver isn't visible in Windows Explorer then it will not be checked by this tool :ouch:
Since we know that the bulk of advanced rootkits utilize hiding technology to subvert WinAPI operations/output, this really does question the quality of this tool as an ARK :'(
That said, Magnus, there might be something in your *approach* if you could mate this to raw disk read... quite possibly a basecamp for a new genre of heuristic detection 8) ;D
truthseeker
September 22nd, 2008, 05:54 PM
-{ Quote: "We've just released the beta version of a new tool called Packed Driver Detector.
Download: http://www.misec.net/products/PDD.exe (No installation required - simply run file)..." }-
How can I be certain that this Anti-Rootkit tool isn't infected by the programmer to be a rootkit or trojan or spyware etc.?
Meriadoc
September 22nd, 2008, 06:04 PM
Why would it? Good to be cautious, but I'm sure the author of Trojan Hunter doesn't want to ruin his business like that :) . Try it out in a VM or sandbox.
Btw this board has endorsed Magnus with a 'security expert' tag.
trjam
September 22nd, 2008, 06:47 PM
All of you do realize, you are doing someone else's work here. :-\
xtree
September 23rd, 2008, 03:04 PM
Scanning C:\WINDOWS\system32\drivers\
Error: Unable to get read access to C:\WINDOWS\system32\drivers\SnopFree.sys
No packed driver files were detected (261 files scanned).
WINXP+SP3
SnopFree.sys is a legit driver for SnoopFree Privacy Shield.
xtree
fcukdat
September 23rd, 2008, 05:34 PM
-{ Quote: "Why would it? Good to be cautious, but I'm sure the author of Trojan Hunter doesn't want to ruin his business like that :) . Try it out in a VM or sandbox.
Btw this board has endorsed Magnus with a 'security expert' tag." }-
Yeah, but he did his software *rep* no favours releasing such a *useless* tool.
Well, I'm not going to apologize for being cynical, but any software engineer worth their salt would know, if they had constructed this tool, about its major limitations as an ARK tool.
So in the absence of a response solicited from Magnus I can only assume this tool was just a brand awareness launch (thank you for coming along for the ride :dry: ) and not a serious attempt at an ARK tool as the topic title suggests :thumbd:
Magnus Mischel
September 24th, 2008, 02:29 AM
This being the first (beta) release it does not include the necessary driver required to see packed files of cloaked (running) rootkits. I just wanted to test the reliability of the code that detects packed drivers without people having to worry about possible bluescreens from including the required driver, and so far it's worked perfectly. Almost all of the packed files that were detected that aren't rootkits have a digital signature and can easily be filtered out.
Fear not, the driver will be added shortly and this will be a proper working tool. I'm actually surprised at how well this thing is working - it's even detecting Microsoft's packed Vista driver which is the only kernel-level component on Vista that is using compressed and encrypted code.
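fcukdat's finding a few posts up is that a driver hidden from WinAPI enumeration is never scanned, and Magnus's reply above is that a kernel driver is needed to see cloaked files. As an added example, not PDD's code and not anything from this thread, the following Python shows the user-mode half of a cross-view check: diff the kernel's own list of loaded driver images (psapi EnumDeviceDrivers / GetDeviceDriverFileNameW on Windows) against a plain directory listing of the drivers folder. The sample views, the hidden_example.sys name and the rule of comparing only modules that live under a drivers directory are constructed assumptions.

```python
"""Added example (not PDD's code): cross-view check between the kernel's list
of loaded drivers and the directory listing a user-mode scanner walks.

Assumption: a rootkit that hooks the module enumeration or the directory
enumeration can blind either view, so a mismatch is a lead to pull from raw
disk and an empty diff is not a clean bill of health. Only modules under a
"\\drivers\\" directory are compared, since ntoskrnl.exe, hal.dll and friends
legitimately live elsewhere.
"""
import ctypes
import os
import sys


def driver_basename(path: str) -> str:
    """Map \\SystemRoot\\system32\\drivers\\x.sys or \\??\\C:\\...\\x.sys to 'x.sys'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cross_view(loaded_paths, listed_names) -> dict:
    """Diff the kernel view against the directory view; both are iterables of strings."""
    loaded = {driver_basename(p) for p in loaded_paths if "\\drivers\\" in p.lower()}
    listed = {n.lower() for n in listed_names if n.lower().endswith(".sys")}
    return {
        "loaded_not_listed": sorted(loaded - listed),   # hidden, deleted, or loaded from elsewhere
        "listed_not_loaded": sorted(listed - loaded),   # on disk but not running: still scan them
    }


def loaded_driver_paths() -> list:
    """Windows only: kernel-reported image paths of every loaded driver (psapi)."""
    if sys.platform != "win32":
        raise OSError("EnumDeviceDrivers is a Windows (psapi) API")
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    psapi.EnumDeviceDrivers.argtypes = [ctypes.c_void_p, wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    psapi.EnumDeviceDrivers.restype = wintypes.BOOL
    psapi.GetDeviceDriverFileNameW.argtypes = [ctypes.c_void_p, wintypes.LPWSTR, wintypes.DWORD]
    psapi.GetDeviceDriverFileNameW.restype = wintypes.DWORD
    needed = wintypes.DWORD(0)
    psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed))          # size query
    bases = (ctypes.c_void_p * (needed.value // ctypes.sizeof(ctypes.c_void_p)))()
    if not psapi.EnumDeviceDrivers(bases, ctypes.sizeof(bases), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    buf = ctypes.create_unicode_buffer(1024)
    paths = []
    for base in bases:
        if psapi.GetDeviceDriverFileNameW(base, buf, len(buf)):
            paths.append(buf.value)
    return paths


# Constructed sample views (not real system output) so the diff runs offline.
SAMPLE_LOADED = [
    r"\SystemRoot\System32\ntoskrnl.exe",                      # not under \drivers\, ignored
    r"\SystemRoot\system32\drivers\tcpip.sys",
    r"\??\C:\WINDOWS\system32\drivers\hidden_example.sys",     # kernel sees it, listing does not
]
SAMPLE_LISTED = ["tcpip.sys", "ndis.sys", "readme.txt"]

if __name__ == "__main__":
    if sys.platform == "win32":
        drivers_dir = os.path.join(os.environ["SystemRoot"], "system32", "drivers")
        print(cross_view(loaded_driver_paths(), os.listdir(drivers_dir)))
    else:
        print(cross_view(SAMPLE_LOADED, SAMPLE_LISTED))
```

A name that is loaded but absent from the listing is worth pulling from raw disk and feeding to the packed-section check; an empty diff proves nothing, because a rootkit that hooks both the module enumeration and the directory enumeration blinds both views, which is why the thread ends with a kernel driver and raw disk reads on the roadmap.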
JRViejo
September 24th, 2008, 12:11 PM
Windows XP SP2
-{ Quote: "Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (306 files scanned)." }-
EASTER
September 24th, 2008, 10:19 PM
I told you Magnus would assume the floor and indicate what he intends with this new program, and I have no doubt, as neither should anyone else, that he will be adding more to its capability as he weighs the results of it during this progression.
Keep up the good work Magnus. We're chomping at the bit in wait for the stronger detections your tool will be registering as matters continue to return satisfactory for you and results are improved.
EASTER
btman
September 25th, 2008, 12:02 AM
-{ Quote: "I told you Magnus would assume the floor and indicate what he intends with this new program, and I have no doubt, as neither should anyone else, that he will be adding more to its capability as he weighs the results of it during this progression.
Keep up the good work Magnus. We're chomping at the bit in wait for the stronger detections your tool will be registering as matters continue to return satisfactory for you and results are improved.
EASTER" }-
I agree with you. Reading comments about how it's ineffective and "what if it's infected" is just silly given how early in development it is.
I used it and nothing was found. Waiting on next release.
sgtfrank
September 26th, 2008, 11:56 PM
I found this tonight.
Scanning C:\WINDOWS\system32\drivers\
Found packed driver file: C:\WINDOWS\system32\drivers\ctdvda2k.sys
You can probably forget about this one. I checked in WINDOWS and it is a Creative file for DVD created in 07/2005. I have Creative Soundblaster on this system.
EliteKiller
December 9th, 2008, 10:28 AM
Magnus, how is this project coming along?
Searching_ _ _
December 10th, 2008, 10:29 PM
It's coming along quietly I guess. :confused:
Kees1958
December 11th, 2008, 02:20 AM
XP Pro SP3 a default home PC with office and some Music/DVD/Media software (really a joe average or rather a jane average setup, since it is my wife's PC)
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (266 files scanned).
Vista64 gaming box of son gave the same error as posted earlier.
smith2006
December 11th, 2008, 03:44 AM
No problem here running Windows XP Pro SP3 -
-{ Quote: "
Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (285 files scanned).
" }-
Tarq57
December 11th, 2008, 04:04 AM
-{ Quote: "Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (292 files scanned)." }-
Windows XP Home, SP3.
The scan is quick. Probably ~20seconds.
I also look forward to watching the evolution of this tool, and especially to the time when it can peer into the ADS.
Thanks for making it available, Magnus.
And to the guy that said -{ Quote: "All of you do realize, you are doing someone else's work here. :-\ " }-
hey, trjam, this is a forum for folk who are interested in and support computer security. (Betcha you knew that, though.) Frankly, I don't mind at all if a developer should gain value from anything I may learn about it, however little that may be. And I reckon the other folk posting here, many of whom can offer much more info than myself, probably feel the same way.