Open Source Powerful Anti-Rootkit [New Toy!]

PowerTool is a free anti-virus & anti-rootkit utility. It offers you the ability to detect, analyze and fix various kernel structure modifications and gives you a wide scope of the kernel. It will detect, analyze and fix various kernel structure modifications and gives you a wide scope of the kernel, then to fix virus or trojan in your computer manually. PowerTool has strong anti-rootkit abilities: System, Process, Kernel Module, Kernel, Hooks, Application, File, Registry, Offline, Startup, Services, NetWork, Loophole, Hardware. Use PowerTool to force kill process, force delete files, force delete registry entries and force delete services.

What’s new in this version:

• Detect VBR Bootkit(such as Rootkit.Win32.Cidox)
• Detecting/Memory Forging Attempt by a Rootkit(such as TDL4 variants)
• Enhance Detect IDT Hook
• Analyze Disk/Register File without load Driver
• Fix some Offline Analyze BUG.

Download PowerTool 4.2 (PowerToolV4.2_en.zip)
https://code.google.com/p/powertool-google/downloads/list
https://code.google.com/p/powertool-google/

Screenshots:
http://imgur.com/a/E7YqT

 

nice find, gonna play with it a little see what its capable of.

 

Reminds me of one of my favorite Windows XP security tools (IceSword)

 

Unfortunately, PowerTool is a known prolific BSOD generator & system crasher



If i allow the driver to "try" & install, every version has always resulted in instantly crashing & rebooting my comp

As long as you don't install the drivers, it will run, for me it does anyway. Initially it tries to install kEvP.sys, followed by a number of randomly generated ones.





Having said that, even without the driver installed, it's capable of showing you quite a number of things.

"IF" you can get it run, are you going to test it with Actual RK's etc, or just analyise your comp ?

Yes, IceSword has proven to be one of several nice ARK's for a number of years. Shame it hasn't been updated for ages though, but still worth using

 

I havent tried PowerTool yet, but I hate crashes and now I'm wary. Even so, I appreciate that there are spiritual successors of IceSword out there. I wish there was an IceSword windows 7 edition.

 

The x64 is not yet in English!

 

Are you saying that there's a version of IceSword that works on Windows 7 x64 but it's not in English?

 

Why would you need an anti-rootkit on x64? You know Kernel Patch Protection prevent rootkits right? The only thing you'd need to be afraid of is a bootkit.

 

becasue of x64 Rootkits

there are rootkits for x64 more than one go Look at kernalmode
and those just the known ones

i think there is 0day rootkits for x64

only two good scanners
sanitycheck and truex64
there are others like sophos but not that good at detecting stuff
nor gmer /gmer is useless on x64/

there is a tool didn't try it yet called wincheck
on Kernalmode forum

 

x64 rootkits exist, although not many.

 

As far as I'm aware those are bootkits, NOT rootkits. You cannot load unsigned code on x64 without taking advantage of a bug in the boot process.

In other words, unless your PC has BSOD/shut down on it's own recently, you have no chance of having a rootkit. So such a tool is useless.

 

I was discussing about PowerTools, which has in x64 but the version is still in infancy and not yet translated. It is on the download site as v1.1

Best regards,

 

@elapsed it has rootkits other than bootkit

for instace in security now episode i don't exactly remember the number
wich use a mode in the system that was for testing softerware before signing them

also i can lead you to Removal topic where i did get a x64 Rootkit and it was undetected by the removal process

 

Very true!

And, for this reason the author PowerTools is making a x64 version.

Best regards,

 

hi
As pointed out by CloneRanger, the last AR tools from China are not mature...
and this is the case of Win64AST, one of the rare WIN64 antirootkit
http://www.m5home.com/bbs/thread-5154-1-1.html

At last, the most reliable detection is still Live CD and forensic memory analysis.

Rgds

 

You're partially correct: many of the methods involve a bootkit, but they are with the purpose of installing the rootkit in order to disguise the activities of the trojan.

One method used to bypass patchguard involves the TESTSIGNING mode, which is not a bug but a feature left by Microsoft to allow developers to test unsigned drivers.

Unsigned drivers stick out like a sore thumb when examining a system offline e.g. using an OTL LiveCD - unless they are hidden in an encrypted filesystem, such as with TLD4/Alureon. TDL4 was easy to spot though using simple diskpart, but I don't know if this is still the case. Sometimes it's easier to spot a rootkit by its behaviour, which is where tools like this and GMER come in.


Zero-Access rootkit no longer bothers overwriting Windows system drivers with unsigned drivers, or using bootkits, and now is entirely user-mode so that it works for both 32-bit and 64-bit versions of Windows. It hijacks two registry entries so that Windows loads malware DLLs instead of legitimate Windows DLLs. These malware DLLs aren't found in the system32 folder as with most rootkits, but in the %windir%\Installer and Local Application Data folders:
http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/

Here's a section of an interesting article which mentions various methods of bypassing Patchguard:
http://www.securelist.com/en/analysis/204792235/XPAJ_Reversing_a_Windows_x64_Bootkit

 

Interesting, thanks.

 

There are 2 ways that I know of to gain root privileges on x64:

1) Direct disk access (write to MBR or create a new boot partition). This lets the malware control the hard drive before the OS loads, and it can then do what it likes because it can fool the OS into believing anything.

2) The user grants admin privileges via UAC to install some driver, or to switch the system to TESTSIGNING mode.

So if you protect against direct disk access and don't approve UAC requests willy-nilly, AFAIK you can not get a rootkit on x64.

I don't know why we're talking about ZeroAccess, on x64 the thing does not attempt to gain root privileges at all (but can do plenty of harm as User). It's a rootkit only on x86.

 

PowerTool Newest x64 Version is 1.2

This is English version
-http://powertool-google.googlecode.com/files/PowerTool%20x64%20V1.2%20%28EnglishVersion%29.zip-

 

This is quite an extensive ARK software, and afaik by far the most extensive on 64 bit. Weird that it is not more discussed here.

 

avast behabiour blocker went nuts when i try to install it

 

PowerTool v4.3

-http://code.google.com/p/powertool-google/downloads/list-

 

Seems a very unstable program.Crashing and BSOD,S etc.
Giving it a miss as i dont want junk on my computer.

 

What exactly did you notice when you ran this tool?

 

I remeber using rootrepeal, dark spy, other weird unknown tools to detect rootkits.

back in 2007 i was infected with poison ivy rat...nothing detected it, i had to reformat, i downloaded a trainer for an online game and i clicked the .exe and nothing happened, i thought nothing of it..my mistake

2 months later i knew i was compromised when i logged into my rapidshare account and checked the IP log and saw a user from quebec cannada downloading files with my account and uploading software and a file of the same game i played...

the person was spying on me, no idea i was rooted but thanks to the ip log i got a clue.

everyone on the forum said their online accounts were "Hacked"

eh...