New Rootkit Tool

Discussion in 'other anti-trojan software' started by StevieO, Jun 9, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

    Hi there, Joanna from invisiblethings.com has just released another new tool for the detection of rootkits that you may be interested in checking out. If you do use it then it would be great to hear about your experiences with it.

    modGREPER

    modGREPER is a hidden module detector for Windows 2000/XP/2003. It searches through the whole kernel memory (0x80000000 – 0xffffffff) in order to find structures which look like valid module description objects. Currently the two most important object types are recognized: the well known _DRIVER_OBJECT and _MODULE_DESCRIPTION. GREPER has some sort of artificial intelligence built in, which allows it to recognize if the given bytes actually describe a module-specific object. The term AI for this algorithm is probably a little bit exaggerated, since it is just a few bunches of logical rules which should be satisfied by the potential fields of the structure in question...

    http://.org/tools.html#modgreper


    StevieO
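
    The description above boils down to a brute-force memory scan plus a cross-view check: every pointer-aligned offset is tested against a rule set for "does this look like a driver object", and anything that passes but is missing from the list the OS reports is flagged as hidden. Here is a small C program added to this thread as an illustration of that technique; it is not modGREPER's source and not Joanna's code or the poster's. The struct layout (`demo_drv_t`), the object type tag, the field rules, the 16 MiB size cap, the sample addresses and the module names are all made up for the demo; the real _DRIVER_OBJECT layout differs and the scan here runs over a constructed 4 KiB buffer standing in for a kernel memory dump instead of over live kernel memory.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KERNEL_LO  0x80000000u   /* low end of the range modGREPER scans */
#define PAGE       0x1000u
#define MAX_IMG    0x01000000u   /* assumed cap on a driver image (16 MiB) */
#define DEMO_TYPE  4             /* assumed object-type tag for this demo */

/* Assumed 32-bit layout for the demo. It mimics the kind of fields a
 * driver object carries but is NOT the real _DRIVER_OBJECT. */
typedef struct {
    uint16_t type;           /* object type tag */
    uint16_t size;           /* must equal sizeof(demo_drv_t) */
    uint32_t driver_start;   /* image base: kernel range, page aligned */
    uint32_t driver_size;    /* image size: non-zero, page aligned, bounded */
    uint32_t driver_section; /* kernel pointer into loader data */
    char     name[16];       /* NUL-terminated printable name */
} demo_drv_t;

/* The "AI": a handful of consistency rules every field must satisfy. */
static int looks_like_driver(const demo_drv_t *d)
{
    size_t i;
    if (d->type != DEMO_TYPE || d->size != sizeof(demo_drv_t)) return 0;
    if (d->driver_start < KERNEL_LO || d->driver_start % PAGE) return 0;
    if (d->driver_size == 0 || d->driver_size % PAGE || d->driver_size > MAX_IMG) return 0;
    if (d->driver_start + d->driver_size < d->driver_start) return 0; /* wraps */
    if (d->driver_section < KERNEL_LO) return 0;
    for (i = 0; i < sizeof d->name && d->name[i]; i++)
        if (!isprint((unsigned char)d->name[i])) return 0;
    return i > 0 && i < sizeof d->name;      /* non-empty and terminated */
}

/* Walk the image at pointer alignment, copying out to avoid unaligned
 * reads. Returns the number of candidates and stores their image bases. */
size_t scan_image(const uint8_t *img, size_t len, uint32_t base,
                  uint32_t *starts, size_t max)
{
    size_t n = 0, off;
    for (off = 0; off + sizeof(demo_drv_t) <= len; off += 4) {
        demo_drv_t d;
        memcpy(&d, img + off, sizeof d);
        if (!looks_like_driver(&d) || n == max) continue;
        printf("candidate @%08x  %-14s start=%08x size=%06x\n",
               (unsigned)(base + off), d.name,
               (unsigned)d.driver_start, (unsigned)d.driver_size);
        starts[n++] = d.driver_start;
    }
    return n;
}

/* Cross-view check: a scanned candidate whose base is missing from the
 * list the OS reports (e.g. PsLoadedModuleList) is considered hidden. */
size_t find_hidden(const uint32_t *found, size_t nf,
                   const uint32_t *listed, size_t nl,
                   uint32_t *hidden, size_t max)
{
    size_t i, j, nh = 0;
    for (i = 0; i < nf; i++) {
        for (j = 0; j < nl && listed[j] != found[i]; j++) ;
        if (j == nl && nh < max) hidden[nh++] = found[i];
    }
    return nh;
}

static void put(uint8_t *img, size_t off, uint16_t type, uint32_t start,
                uint32_t size, uint32_t sect, const char *name)
{
    demo_drv_t d;
    memset(&d, 0, sizeof d);
    d.type = type; d.size = sizeof d; d.driver_start = start;
    d.driver_size = size; d.driver_section = sect;
    strncpy(d.name, name, sizeof d.name - 1);
    memcpy(img + off, &d, sizeof d);
}

/* Constructed sample "kernel memory": 4 KiB at SAMPLE_BASE with two listed
 * drivers, one unlinked (rootkit) driver, a decoy whose base lies in user
 * space, and pseudo-random filler. Every address and name is made up. */
#define SAMPLE_BASE 0x80420000u
size_t build_sample_image(uint8_t *img, size_t cap)
{
    size_t i, len = 4096;
    if (cap < len) return 0;
    for (i = 0; i < len; i++) img[i] = (uint8_t)(i * 31 + 7);
    put(img, 0x040, DEMO_TYPE, 0x804d7000u, 0x1f8000u, 0x81e0a000u, "ntoskrnl.exe");
    put(img, 0x3a0, DEMO_TYPE, 0xf8a12000u, 0x006000u, 0x81e0b000u, "null.sys");
    put(img, 0x7f8, DEMO_TYPE, 0xf7c00000u, 0x00d000u, 0x81e0c000u, "rk_demo.sys");
    put(img, 0xc10, DEMO_TYPE, 0x00400000u, 0x010000u, 0x81e0d000u, "decoy.sys");
    return len;
}

/* Whole pipeline on the sample: returns the number of hidden modules and
 * fills `hidden` with their image bases. */
size_t demo(uint32_t *hidden, size_t max)
{
    static uint8_t img[4096];
    static const uint32_t listed[] = { 0x804d7000u, 0xf8a12000u }; /* what the OS "reports" */
    uint32_t found[16];
    size_t len = build_sample_image(img, sizeof img);
    size_t nf = scan_image(img, len, SAMPLE_BASE, found, 16);
    return find_hidden(found, nf, listed, 2, hidden, max);
}

int main(void)
{
    uint32_t hidden[16];
    size_t i, nh = demo(hidden, 16);
    for (i = 0; i < nh; i++) printf("HIDDEN module at %08x\n", (unsigned)hidden[i]);
    return 0;
}
```

    Running it prints three candidates (the decoy fails the kernel-range rule) and reports rk_demo.sys as hidden because its base is absent from the "listed" array. The weakness the post's last sentence hints at is visible here too: the rules are only a plausibility filter, so a rootkit that zeroes or corrupts the fields the scanner keys on (the type tag, the size field) slips past, which is exactly why the readme talks about stimulating more subtle rootkits.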
     
  2. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    ".org" could not be found - You can download it from here: http://invisiblethings.org/tools.html

    **edit - oops, I forgot about Process Guard

    C:\>modgreper.exe -v
    modGREPER 0.1, written by Joanna Rutkowska (June 2005)
    http://invisiblethings.org
    modgreper.exe [options]
    -a show information about ALL loaded modules
    -v show detailed module information
    -u include unloaded modules list
    -h show only hidden and suspected modules

    C:\>modgreper.exe -h
    modGREPER 0.1, written by Joanna Rutkowska (June 2005)
    http://invisiblethings.org
    WARNING: cannot create driver entry in SCM database!
    ERROR: cannot load modgrepus helper module!
    WARNING: cannot open driver!



    C:\>modgreper.exe -a
    modGREPER 0.1, written by Joanna Rutkowska (June 2005)
    http://invisiblethings.org
    WARNING: cannot create driver entry in SCM database!
    ERROR: cannot load modgrepus helper module!
    WARNING: cannot open driver!

    C:\>modgreper.exe - u
    modGREPER 0.1, written by Joanna Rutkowska (June 2005)
    http://invisiblethings.org
    ERROR: Argument - not recognized!

    WARNING: cannot open driver!

    C:\>
     
    Last edited: Jun 9, 2005
  3. StevieO

    StevieO Guest

    Hi lynchknot, yes, thanks for that. I must have clicked on cut instead of copy when I used invisiblethings in the intro! It happens sometimes lol.

    Have you actually tried it out ?


    StevieO
     
  4. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Now I've got problems. It was running fine until I enabled tay's Application Firewall ghst file. Everything froze, including the cursor. I had to reset. Now I have this problem:



    C:\>modgreper.exe -h
    modGREPER 0.1, written by Joanna Rutkowska (June 2005)
    http://invisiblethings.org
    WARNING: cannot create driver entry in SCM database!
    ERROR: cannot load modgrepus helper module!
    WARNING: Cannot stop driver!

    C:\>modgreper.exe - h
    modGREPER 0.1, written by Joanna Rutkowska (June 2005)
    http://invisiblethings.org
    ERROR: Argument - not recognized!

    WARNING: Cannot stop driver!

    C:\>modgreper.exe -a
    modGREPER 0.1, written by Joanna Rutkowska (June 2005)
    http://invisiblethings.org
    WARNING: cannot create driver entry in SCM database!
    ERROR: cannot load modgrepus helper module!
    WARNING: Cannot stop driver!

    C:\>
     
  5. controler

    controler Guest

    I had read some of Joanna's work before, but until today I didn't know Joanna had done work with SucKIT rootkits to detect VMware.
    Does Joanna also write C code to detect Deep Freeze & ShadowUser running on a machine?

    Next, what is the point of knowing if VMware is running or not?

    controler
     
  6. controler

    controler Guest

    I have to say this is one of the most interesting threads.

    Why? Well, normally when a product like this comes out everybody rushes to download it and post. This time all is silent. I am surprised :eek:
    Am I missing something?

    I thought I would wait a few days to see all the posts but nada.

    controler
     
  7. controler

    controler Guest

    OK now I see why there is no interest after reading the readme file on this program.

    When asked why she released this program, she answered, "To stimulate people to write more subtle rootkits :)"


    Why would anyone want people to write better rootkits?
    IS this some kind of fetish? LOL

    controler
     
  8. controler

    controler Guest

    Well, it has been a while now, so has anyone looked into this program besides lynchknot?


    controler
     
  9. Pollmaster

    Pollmaster Guest

    You're kidding right?
     
  10. controlmind

    controlmind Registered Member

    Joined:
    Jun 18, 2005
    Posts:
    19
    Location:
    USA
    Why aren't there rootkit tools for Windows 98 SE?

    controlmind
     
  11. controler

    controler Guest

    I never heard of them working on 98 systems. I don't remember for sure, but I don't think 98 used a kernel that a rootkit could target.
    It has been ages since I used 98. And no, that doesn't make 98 better LOL
    It still crashes way too much for my uses. Now I just reformat all the time if I think I have a nasty that none are detecting yet.

    controler
     
  12. You'll need to check out [URL removed]; that's where the biggest names in rootkit developers and trackers are. You should check out Valerino's and Hoglund's posts, they are the ****
    URL to malware site removed==bigc
     
    Last edited by a moderator: Jun 23, 2005
  13. Cain

    Cain Guest

    This is why they are one step ahead of us, because they are really smart.
    URL to malware site removed==bigc
     
    Last edited by a moderator: Jun 23, 2005
  14. controler

    controler Guest

    Well, I love how someone actually went through the trouble of creating a username close to mine, right down to the one L.
    And I always like guest posters' feedback.

    Why would they be always ahead?

    You really don't think there have been programmers around since the dawn of computers?

    Yes, it is true people are at the mercy of Windows and various Linux versions,
    but that is why the Linux crew keeps releasing more different makes.
    My God, there must be at least 100 by now.

    controler ( the original ) LOL
     