Quasi Rootkit Detection?
Searching_ _ _
September 29th, 2008, 02:06 PM
I was wondering how the Anti-Rootkit tools are at detecting quasi rootkits that hide information from the user but is still visible to the system.
An example would be the PoC Kitkat: A Poor Man's Rootkit (http://www.codeproject.com/KB/threads/Kitkat.aspx)
Tools:
RKU
GMER
Radix
Rootrepeal
and any others...
PROROOTECT
September 29th, 2008, 04:08 PM
Hi Searching,
HideProc ?...
HideProc is a tool that allows you to hide processes ( from Windows Task Manager ...):
http://www.iterati.org/Developers/HideProc/Default.aspx
Searching_ _ _
September 29th, 2008, 04:22 PM
Hello Prorootect,
That would qualify as a Quasi Rootkit.
I wanted to know how Anti-Rootkit tools are at detecting them.
Thanks for the reply. I guess there could be a few variations of this type.
Searching
PROROOTECT
September 29th, 2008, 05:09 PM
Yes Searching,
HideProc: a toy is not bad for a little fun ...
For my example: sched.exe ( Antivirus Scheduler from AVIRA AntiVir ) - hidden by HideProc :
# RootAlyzer: Quick Scan : Invisible processes ( from handles );
# GMER: Warning!!! Gmer has found system modification, which might have been caused by ROOTKIT activity.
# KX-Ray: Processes: tab: sched.exe is black ... SSDT: Module HideProcDrv.sys is black;
# SREng: I see near the clock on System Tray, in Red: Warning: System Repair Engineer found 1 hidden processes. Smart Scan: Warning ( yellow ): System Repair Engineer has detected a valid 3rd-party upload plug-in which have valid digital signatures in Upload sub-directory.:argh: When you use " Copy Suspicious Files sub-directory automatically " function ...;D Hidden Process: C:\Program Files\Avira .../sched.exe .:argh:
Other toy to divert itself: www.SemanticHacker.com/ ...
Other: http://personal-computer-tutor.com/rot13.htm ...
And: ESCAPA ?:P
PS. Look to thread: Detection of hiding a process by HIPS - last post: September 2nd, 2008.
Your PROROOTECT ( Beta )
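The tool results above all come down to the same idea: a quasi rootkit hooks one enumeration path, so a second, independent path still sees the process and the difference exposes it (the "invisible processes from handles" in RootAlyzer is one such pair of views). The following is an added illustration, not code from this thread or from any of the tools named; it assumes a Windows host with only the standard ctypes module, and compares a Toolhelp snapshot against psapi's EnumProcesses. A kit that hooks both paths would not be caught by this pair alone, which is why the scanners above add kernel-level views such as handle tables and the SSDT.

```python
import ctypes

TH32CS_SNAPPROCESS = 0x00000002
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

class PROCESSENTRY32(ctypes.Structure):
    _fields_ = [
        ("dwSize", ctypes.c_ulong), ("cntUsage", ctypes.c_ulong),
        ("th32ProcessID", ctypes.c_ulong),
        ("th32DefaultHeapID", ctypes.c_size_t),  # ULONG_PTR
        ("th32ModuleID", ctypes.c_ulong), ("cntThreads", ctypes.c_ulong),
        ("th32ParentProcessID", ctypes.c_ulong), ("pcPriClassBase", ctypes.c_long),
        ("dwFlags", ctypes.c_ulong), ("szExeFile", ctypes.c_char * 260),
    ]

def toolhelp_pids():
    """View 1: PIDs from a Toolhelp snapshot (Process32First/Process32Next)."""
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.Process32First.argtypes = k32.Process32Next.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap == INVALID_HANDLE_VALUE:
        raise OSError("CreateToolhelp32Snapshot failed")
    pids, pe = set(), PROCESSENTRY32()
    pe.dwSize = ctypes.sizeof(PROCESSENTRY32)
    ok = k32.Process32First(snap, ctypes.byref(pe))
    while ok:
        pids.add(pe.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(pe))
    k32.CloseHandle(snap)
    return pids

def enumprocesses_pids():
    """View 2: PIDs from psapi EnumProcesses, an independent enumeration path."""
    buf = (ctypes.c_ulong * 4096)()  # assumption: fewer than 4096 processes
    needed = ctypes.c_ulong()
    if not ctypes.windll.psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(needed)):
        raise OSError("EnumProcesses failed")
    return set(buf[: needed.value // ctypes.sizeof(ctypes.c_ulong)])

def cross_view_diff(user_view, system_view):
    """PIDs present in the second view but missing from the first: candidates for a hidden process."""
    return sorted(set(system_view) - set(user_view))

if __name__ == "__main__":
    # Run both directions: a hook on either path shows up as a non-empty difference.
    th, ep = toolhelp_pids(), enumprocesses_pids()
    print("in EnumProcesses but not Toolhelp:", cross_view_diff(th, ep) or "none")
    print("in Toolhelp but not EnumProcesses:", cross_view_diff(ep, th) or "none")
```

Transient processes that start or exit between the two snapshots will also appear in the difference, so a real scanner repeats the comparison and only reports PIDs that stay inconsistent.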
PROROOTECT
September 30th, 2008, 10:23 AM
Searching, how are your tests with anti-rootkits going?
Thanks, PROROOTECT