Detecting hidden rootkit files..

Seeing how I haven't really seen this discussed here I thought I'd share a little info. I didn't write any of this myself so I'll be using the quote feature . I'm still learning win32 kernel programming, but I hope this helps someone.

below is an english translation of http://ms-rem.dot-link.net/hiddndt/hiddndt.htm

 

Hello evilrabbi,

Given the fact a quote needed to span 2 longgggg posts would be very hard to discuss....I have taken the liberty to shorten the quote drastically and ask that those wishing to see the same article in English visit the rootkit dot com site and in particular rootkit dot com/newsread.php?newsid=434

Regards,
Bubba

 

Where is the program for detection of hidden processes that the author mentioned?

Con

 

Hi,

This tool is vailable since a few month in a russian site.

Process Hunter is available here: http://ms-rem.dot-link.net/hiddndt/files/

Tks for your contribution Ms-Rem.

The option Base driver is enough for detecting most hidden object (see the image).

regards

 

kareldjag

Did you also get the two hidden with no names at the end by selecting the usermode tab?

controler

 

Hidden

 

All of my entries are visible no matter which tab I choose. Is something hidden necessarily malware?

 

I don't think so but I now have 5 no-name hidden. they are growing expotentialy

 

Ok figured out that in usermode the entries show as hidden but if doing a scan with Base driver selected they entries show what they are and that they are deleted which is strange.

 

You will notice only the PID with usermode selected.

 

might be off topic, but you can try using F-secure BlackLight Scanner.
Link below.

https://europe.f-secure.com/blacklight/

 

thanks ravin but I am well aware of Blacklight, this however is another new russian Hidden process detector we are trying out here.

 

Hi, folks: this product may interest you:
HiddenFinder, d/l from www.wenpoint.com

 

controler would that be RkUnhooker Rootkit Unhooker you are using ?

~snip....removed Malware link....Bubba~

 

CloneRanger

Nope it is this one
~snip....removed malware link....Bubba~
but the site you posted looks interesting and I might give it a try.

Thanks

controler

 

Thats the one we pm'd about

 

Ahh ok sorry, somehow I ended up with thr Russian program

Have you tried RKunhooker?

 

I wish i had time to try everything ! I have it and many other programs tucked away for testing when I get some spare time. If you test it please say what you think about it

 

Also have you looked the team projects over? clicking on that seems to lock up my computer

 

Jetico definitly does not like the team project page.

 

Yes i have they are fine. It's run by two very talented guys EP_X0FF and MP_ART who post a lot on system internals website. The reason you may be getting alerts is due to the zoo samples and poc pages on there

 

Hi controler,

The developers of Rootkit Unhooker have an interesting topic in progress at Sysinternals' Malware forum: Rootkit Detectors Bypassing/Overview. DarkSpy's developer has been participating in the thread as well.

Nick

 

Nick

I did not read the intire thread yet since I am pushed for time today but this
statement worries me.

Posted by EP_X0FF

 

...not the sort of post (or thread for that matter) you would expect to find at, what is now, a Microsoft "sponsored" forum.

Nick

 

nick

I agree and dought it would last long here.