New Anti-Rootkit Tool: Packed Driver Detector [Beta, Testers Needed!]

Thanks for the feedback, Magnus and confirming thats its a legit file.

 

Thanks will test...

 

Hi Magnus

I just love playing with ARK tools so was more than happy to put PDD through it paces

First run created 0 falsePositives which is very promising but i had installed a packed driver to test whether it could detect and unfortunetly it failed in this instance.

~VirusTotal link removed per policy. - Ron~







Hoping to test shortly versus other malware rootkits from my extensive zoo collection but can also confirm that PDD does indeed detect CLB driver(Tdssserv)

 

Ok after further testing can confirm some limitations with this tool in its current form.

Stating the obvious many malware drivers live outside of the <driver> folder or sometimes loaded in ADS,so all samples dwelling in all other location automatically go unchecked.

So any plans Magnus to widen the targeting on this tool ?

 

Scanning C:\WINDOWS\system32\drivers\
Found packed driver file: C:\WINDOWS\system32\drivers\pxfsf.sys
Error: This is not a PE format


controler

 

I ran it and as expected No packet drivers were found.

Its good how it doesn,t need installing.

Might keep a copy of this.

 

Ok, i will give it a ride and report back.

Here we go:
Error message:

You will find my system configuration at the bottom.

 

No problems.

 

Ok Magnus ...i'm going to beg to differ with you at this point and call into question the ARK capabilities within your tool!

Earliar when i tested versus CLB driver,it was a copy and paste of the driver sample to my drivers folder at which your tool detected it....So it was not a *live*test persay.


I have now since had chance to test versus a loaded CLB driver infection and find the following results>>>



Sample is available apon request but at this point your tool is fundementally very weak ARK at best(almost a joke ) because it has yet another huge flaw

It is blind to hidden CLB & other malware rootkit drivers when they are active and hiding themselves

So a question i put to you is can this ARK tool of yours(your labelling in topic title) actually detect any packed drivers when they are active and hiding themselves ?

 

Fcukdat?

Are you able to see active packed DLLS with

http://peid.has.it/

controler

 

Fair question no doubt and i bet mutally coincides with Magnus would agree to this and other test results.
That being said it's agreed i would think to yield the floor to him for some reply, and as i repeat in other topics of different tools and utilities, what better place to receive honest & full scrutiny of any new introduction, and i would venture a guess this will prove useful for improving this tool.

Let the re-building begin.............

 

In my system ( XP Pro SP3 ):

Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (188 files scanned).

 

Agree its incredible time consuming to look into windows abysm. Unimaginable that someone can survey this binary chaos.

 

Scanning C:\WINDOWS\system32\drivers\
No packed driver files were detected (317 files scanned).

This is my result.I am using winXP SP3.

 

lol Easter

Now can confirm that every malware rooter i have in my extensive zoo collection that hides it driver from WinAPI enumeration bypass's this tool....in laymens terms if the driver is'nt visible in windows explorer then it will not be checked by this tool

Since we know that the bulk of advanced rootkits utilize hiding technology to subvert WinAPI operations/output then this really does question the quality of this tool as an ARK

That said Magnus there might be something in your *approach* if you could mate this to raw disk read ...quite possibly a basecamp for a new genre of heuristic detection

 

How can I be certain that this Anti-Rookit tool isn't infected by the programmer to be a rootkit or trojan or spyware etc?

 

Why would it? Good to be cautious but I'm sure the author of Trojan Hunter doesn't want to ruin his business like that . Try out in a vm or sandbox.

Btw this board has endorsed Magnus with a 'security expert' tag.

 

All of you do realize, you are doing someone elses work here.

 

Scanning C:\WINDOWS\system32\drivers\
Error: Unable to get read access to C:\WINDOWS\system32\drivers\SnopFree.sys
No packed driver files were detected (261 files scanned).

WINXP+SP3
SnopFree.sys is a legit driver for SnoopFree Privacy Shield.

xtree

 

Yeah but he done his software *rep* no favours releasing such a *useless* tool.

Well i'm not going to apologize for being cynical but any software engineer worth their salt will know if they had constructed this tool about it major limitations as ARK tool.

So in the absense of responce solicited from Magnus i can only assume this tool was just a brand awareness launch(thankyou for coming along for the ride ) and not serious attempt at ARK tool as topic titling suggests

 

This being the first (beta) release it does not include the necessary driver required to see packed files of cloaked (running) rootkits. I just wanted to test the reliability of the code that detects packed drivers without people having to worry about possible bluescreens from including the required driver, and so far it's worked perfectly. Almost all of the packed files that were detected that aren't rootkits have a digital signature and can easily be filtered out.

Fear not, the driver will be added shortly and this will be a proper working tool. I'm actually surprised at how well this thing is working - it's even detecting Microsoft's packed Vista driver which is the only kernel-level component on Vista that is using compressed and encrypted code.

 

I told you Magnus would assume the floor and indicate what he intends with this new program, and i have no doubt as neither anyone else should, he will be adding more to it's capability as he weighs the results of it during this progression.

Keep up the good work Magnus. We're chomping at the bits in wait for your more stronger detections your tool will be registering as matters continue to return satisfactory for you and results are improved.

EASTER

 

I agree with you. Reading comments about how its inneffective and "what if its infected" is just silly with how early in development it is.

I used it and nothing was found. Waiting on next release.

 

I found this tonight.

Scanning C:\WINDOWS\system32\drivers\
Found packed driver file: C:\WINDOWS\system32\drivers\ctdvda2k.sys

You can probably forget about this one. I checked in WINDOWS and it is a Creative file for DVD created in 07/2005. I have Creative Soundblaster on this system.