Can Port Explorer detect services hidden by rootkits

Discussion in 'Port Explorer' started by kaneh, Dec 15, 2006.

Thread Status:
Not open for further replies.
  1. kaneh

    kaneh Registered Member

    Joined:
    Dec 15, 2006
    Posts:
    2
    I use Port Explorer v1.700 to do forensic analysis of hacked machines. We've been noticing that obviously compromised machines with active outgoing network connections show no illegal processes.

    Is there a rootkit technique to hide a process from PE? Will the newer version of PE detect these hidden processes?

    Thanks!
     
  2. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hi,
    I don't think you can detect an "Active" rootkit as such, besides finding what open ports are used by processes "Hooked into" and controlled by them, since they would be cloaked. You can see "Hidden" processes, but it is different from a cloaked process.

    You may consider using a kernel hook scan to find which processes are tapping into the kernel to begin looking for these cloaked devices.

    Here is a possible tool to begin with: http://www.resplendence.com/hookanalyzer
    It's quick and shows most hooks into the kernel. It is also 32-bit and x64 compatible.

    Also, I would consider that there are vulnerabilities solved in the current version, V2.150, that may not be in V1.7 of PE. Maybe consider upgrading to the latest tool, since it would more than likely provide a more "Reliable scope of activity". :)
     
    Last edited: Dec 18, 2006
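A worked example of the cross-view check behind the symptom in the first post (active outgoing connections, no visible owner). This is an added example, not code from the thread, from Port Explorer or from DiamondCS. The idea: a process-hiding rootkit that filters process enumeration usually leaves the TCP/IP stack's record of which PID owns each socket intact, so the owning-PID column of `netstat -ano` can be compared against the process list from `tasklist /FO CSV`. Any PID that owns a connection but has no process entry is a candidate for the kind of cloaked process Hermescomputers describes. Both views are user-mode and can themselves be filtered by hooks, so a clean result proves nothing; a hit is a lead to confirm with a kernel-level tool such as the hook analyzer linked above. The two snapshots embedded in the code are constructed, the addresses and PIDs are invented, and the `--live` switch and `capture_live()` helper are this example's own.

```python
"""Cross-view check: sockets owned by a PID that the process list does not show.

Added example, not code from the thread, Port Explorer or DiamondCS.
NETSTAT_SAMPLE and TASKLIST_SAMPLE are constructed snapshots in the text
formats of `netstat -ano` and `tasklist /FO CSV`; every address and PID in
them is invented.
"""
import csv
import io
import re
import subprocess
import sys
from typing import Dict, List, NamedTuple, Tuple


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: int


# Constructed `netstat -ano` output.  PID 4920 owns an ESTABLISHED
# connection to an outside host but has no entry in TASKLIST_SAMPLE.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:49213     203.0.113.5:443        ESTABLISHED     4920
  TCP    192.168.1.10:49220     198.51.100.7:80        ESTABLISHED     2216
  TCP    192.168.1.10:49301     198.51.100.7:80        TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed `tasklist /FO CSV` output taken moments later on the same box.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","8 K"
"System","4","Services","0","1,240 K"
"svchost.exe","812","Services","0","9,812 K"
"svchost.exe","1100","Services","0","12,344 K"
"firefox.exe","2216","Console","1","210,004 K"
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
_NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -ano` output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist(text: str) -> Dict[int, str]:
    """Parse `tasklist /FO CSV` output into {pid: image name}."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def find_orphan_connections(conns: List[Conn],
                            procs: Dict[int, str]) -> List[Conn]:
    """Return connections whose owning PID is absent from the process view.

    PID 0 is skipped on purpose: Windows reports TIME_WAIT sockets as owned
    by PID 0, which is not a real owner.  A process that exited between the
    two snapshots also lands here, so capture them back to back and re-run
    before treating a hit as a hidden process.
    """
    return [c for c in conns if c.pid != 0 and c.pid not in procs]


def report(netstat_text: str, tasklist_text: str) -> List[str]:
    """One human-readable line per orphaned connection."""
    orphans = find_orphan_connections(parse_netstat(netstat_text),
                                      parse_tasklist(tasklist_text))
    return [f"PID {c.pid} owns {c.proto} {c.local} -> {c.remote} {c.state}"
            f" but is not in the process list" for c in orphans]


def capture_live() -> Tuple[str, str]:
    """Run both commands on a live Windows host (example's own helper)."""
    def run(args):
        return subprocess.run(args, capture_output=True, text=True,
                              errors="replace", check=True).stdout
    return run(["netstat", "-ano"]), run(["tasklist", "/FO", "CSV"])


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        ns, tl = capture_live()
    else:
        ns, tl = NETSTAT_SAMPLE, TASKLIST_SAMPLE
    for line in report(ns, tl) or ["no orphaned connections found"]:
        print(line)
```

Run it without arguments to see the constructed case flagged (PID 4920); on a Windows host, `--live` captures both snapshots with `subprocess` instead. A rootkit that hooks the TCP table query as well as process enumeration will hide from this check too, which is why it complements rather than replaces a kernel hook scan.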
  3. kaneh

    kaneh Registered Member

    Joined:
    Dec 15, 2006
    Posts:
    2
    Thanks for your reply. I'll definitely be checking out that other tool besides upgrading my version.
     