Detecting hidden rootkit files..

Discussion in 'malware problems & news' started by evilrabbi, Jul 31, 2006.

Thread Status:
Not open for further replies.
  1. evilrabbi

    evilrabbi Registered Member

    Joined:
    Jul 30, 2006
    Posts:
    6
    Seeing as I haven't really seen this discussed here, I thought I'd share a little info. I didn't write any of this myself, so I'll be using the quote feature :p. I'm still learning Win32 kernel programming, but I hope this helps someone.

    Below is an English translation of http://ms-rem.dot-link.net/hiddndt/hiddndt.htm
     
    Last edited by a moderator: Jul 31, 2006
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hello evilrabbi,

    Given that a quote needing to span two long posts would be very hard to discuss, I have taken the liberty to shorten the quote drastically, and ask that those wishing to see the same article in English visit the rootkit dot com site, and in particular rootkit dot com/newsread.php?newsid=434

    Regards,
    Bubba
     
  3. controler

    controler Guest

    Where is the program for detection of hidden processes that the author mentioned?

    Con
     
  4. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    This tool has been available for a few months on a Russian site.

    Process Hunter is available here: http://ms-rem.dot-link.net/hiddndt/files/

    Thanks for your contribution, Ms-Rem.

    The Base driver option is enough for detecting most hidden objects (see the image).

    regards
     

    Attached Files:

  5. controler

    controler Guest

    kareldjag

    Did you also get the two hidden entries with no names at the end when selecting the usermode tab?

    controler
     
  6. controler

    controler Guest

    Hidden
     

    Attached Files:

  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    All of my entries are visible no matter which tab I choose. Is something hidden necessarily malware?
     
  8. controler

    controler Guest

    I don't think so, but I now have 5 no-name hidden entries. They are growing exponentially.
     
  9. controler

    controler Guest

    OK, figured out that in usermode the entries show as hidden, but if doing a scan with Base driver selected the entries show what they are and that they are deleted, which is strange.
     

    Attached Files:

  10. controler

    controler Guest

    You will notice only the PID with usermode selected.
     

    Attached Files:

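The behaviour controler describes above (entries that the usermode tab shows only as a PID, which the Base driver scan then names and marks as deleted) is what a cross-view detector produces when a process has exited but its kernel object is still referenced. As an added example, not code from the original thread, from Ms-Rem or from Process Hunter, the comparison step of such a detector is written out below in Python. No enumeration is performed: the user-mode listing, the PID probe and the kernel-side view are constructed dictionaries standing in for what a user-mode listing API, a brute-force probe that tries to open every PID, and a driver walking the kernel's process objects would return, and every process name and PID in the sample data is invented.

```python
"""Cross-view hidden-process detection, reduced to the comparison step.

All three "views" below are constructed sample data for this example, not
captured output. In a real detector they would come from:
  USER_LISTING  - a user-mode process listing API (pid -> image name)
  PROBED_PIDS   - a brute-force probe that tries to open every pid in range
                  (a pid that opens but is absent from the listing has no
                  name available in user mode)
  KERNEL_VIEW   - a kernel-mode walk of the process objects
                  (pid -> (image name, still_active))
"""
from enum import Enum


class Status(Enum):
    VISIBLE = "visible"
    HIDDEN = "hidden from user-mode listing"
    TERMINATED = "terminated, object still referenced"
    USER_ONLY = "in user-mode listing only"


# Constructed sample data; the process names and pids are invented.
USER_LISTING = {4: "System", 600: "csrss.exe", 1234: "explorer.exe",
                5000: "ghost.exe"}
PROBED_PIDS = {4, 600, 1234, 2020, 3100, 5000}
KERNEL_VIEW = {
    4: ("System", True),
    600: ("csrss.exe", True),
    1234: ("explorer.exe", True),
    2020: ("unknown_a.exe", True),   # running, missing from the user-mode listing
    3100: ("notepad.exe", False),    # exited, but something still holds a handle
    4400: ("unknown_b.exe", True),   # running, and the probe could not open it either
}


def usermode_scan(listing, probed_pids):
    """User-mode cross-view: listing API versus PID probe.

    Returns pid -> name, where name is None for a pid the probe could open
    but the listing never reported. Those are the 'no-name hidden' entries:
    user mode can see that the pid exists, but not what it is.
    """
    found = dict(listing)
    for pid in probed_pids:
        found.setdefault(pid, None)
    return found


def classify(user_found, kernel_view):
    """Resolve the user-mode findings against the kernel-side view.

    Returns pid -> (name, Status). A pid absent from the user-mode listing
    is only a hidden process if the kernel view says it is still running;
    if the kernel view says it has exited, it is a terminated process whose
    object is kept alive by an open handle, which looks 'hidden' from user
    mode but is not a rootkit.
    """
    results = {}
    for pid, (name, active) in kernel_view.items():
        if user_found.get(pid) is not None:
            status = Status.VISIBLE
        elif active:
            status = Status.HIDDEN
        else:
            status = Status.TERMINATED
        results[pid] = (name, status)
    # Anything user mode reports that the kernel walk does not know about
    # is just as suspicious: the user-mode listing has been tampered with.
    for pid, name in user_found.items():
        if pid not in kernel_view:
            results[pid] = (name, Status.USER_ONLY)
    return results


def hidden_pids(results):
    """Pids that deserve a closer look: running but hidden, or user-only."""
    return sorted(pid for pid, (_, status) in results.items()
                  if status in (Status.HIDDEN, Status.USER_ONLY))


def report(results):
    """One line per pid, sorted, in the form '<pid> <name> <status>'."""
    return ["%5d  %-14s %s" % (pid, name or "(no name)", status.value)
            for pid, (name, status) in sorted(results.items())]


if __name__ == "__main__":
    found = usermode_scan(USER_LISTING, PROBED_PIDS)
    print("user-mode scan, no-name entries:",
          sorted(p for p, n in found.items() if n is None))
    resolved = classify(found, KERNEL_VIEW)
    print("\n".join(report(resolved)))
    print("pids needing a closer look:", hidden_pids(resolved))
```

The point of the ordering is which view gets the last word. The user-mode scan on its own can only say that some PID answered the probe although the listing never showed it, which is exactly a row with a PID and no name; it cannot tell a process that is actively hiding from one that has simply exited while a handle to it is still open. Only a view taken from the kernel side can name the object and say whether it is still running, which is why the driver-assisted scan is the one to judge by, and why a growing number of no-name entries is not by itself evidence of a rootkit.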
  11. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
  12. controler

    controler Guest

    Thanks ravin, but I am well aware of BlackLight; this however is another new Russian hidden process detector we are trying out here.
     
  13. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: this product may interest you:
    HiddenFinder, d/l from www.wenpoint.com
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    controler, would that be RkUnhooker (Rootkit Unhooker) you are using?

    ~snip....removed Malware link....Bubba~
     
    Last edited by a moderator: Aug 3, 2006
  15. controler

    controler Guest

    CloneRanger

    Nope, it is this one:
    ~snip....removed malware link....Bubba~
    but the site you posted looks interesting and I might give it a try.

    Thanks

    controler
     
    Last edited by a moderator: Aug 3, 2006
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    That's the one we PM'd about.
     
  17. controler

    controler Guest

    Ah OK, sorry, somehow I ended up with the Russian program.

    Have you tried RKunhooker?
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I wish I had time to try everything! I have it and many other programs tucked away for testing when I get some spare time. If you test it, please say what you think about it.
     
  19. controler

    controler Guest

    Also, have you looked the team projects over? Clicking on that seems to lock up my computer.
     
  20. controler

    controler Guest

    Jetico definitely does not like the team project page.
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes I have, they are fine. It's run by two very talented guys, EP_X0FF and MP_ART, who post a lot on the Sysinternals website. The reason you may be getting alerts is the zoo samples and PoC pages on there.
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi controler,

    The developers of Rootkit Unhooker have an interesting topic in progress at Sysinternals' Malware forum: Rootkit Detectors Bypassing/Overview. DarkSpy's developer has been participating in the thread as well.

    Nick
     
  23. controler

    controler Guest

    Nick

    I did not read the entire thread yet since I am pushed for time today, but this statement worries me.

    Posted by EP_X0FF

     
  24. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    ...not the sort of post (or thread for that matter) you would expect to find at, what is now, a Microsoft "sponsored" forum.

    Nick
     
  25. controler

    controler Guest

    nick

    I agree, and doubt it would last long here.
     