Open Source Powerful Anti-Rootkit [New Toy!]

Discussion in 'other anti-malware software' started by PaulBB, Jun 23, 2012.

Thread Status:
Not open for further replies.
  1. PaulBB

    PaulBB Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    708
    PowerTool is a free anti-virus & anti-rootkit utility. It offers you the ability to detect, analyze and fix various kernel structure modifications and gives you a wide scope of the kernel. It will detect, analyze and fix various kernel structure modifications and gives you a wide scope of the kernel, so that you can then fix a virus or trojan on your computer manually. PowerTool has strong anti-rootkit abilities: System, Process, Kernel Module, Kernel, Hooks, Application, File, Registry, Offline, Startup, Services, NetWork, Loophole, Hardware. Use PowerTool to force kill processes, force delete files, force delete registry entries and force delete services.

    What's new in this version:
    • Detect VBR bootkits (such as Rootkit.Win32.Cidox)
    • Detect memory forging attempts by a rootkit (such as TDL4 variants)
    • Enhanced IDT hook detection
    • Analyze disk/registry files without loading the driver
    • Fix some offline analysis bugs

    Download PowerTool 4.2 (PowerToolV4.2_en.zip)
    https://code.google.com/p/powertool-google/downloads/list
    https://code.google.com/p/powertool-google/

    Screenshots:
    http://imgur.com/a/E7YqT
     
  2. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    211
    Nice find, gonna play with it a little and see what it's capable of.
     
  3. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Reminds me of one of my favorite Windows XP security tools (IceSword)
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Unfortunately, PowerTool is a known prolific BSOD generator & system crasher :eek:


    If I allow the driver to "try" & install, every version has always resulted in instantly crashing & rebooting my comp :(

    As long as you don't install the drivers, it will run, for me it does anyway. Initially it tries to install kEvP.sys, followed by a number of randomly generated ones.


    Having said that, even without the driver installed, it's capable of showing you quite a number of things.

    "IF" you can get it to run, are you going to test it with actual RKs etc, or just analyse your comp?

    Yes, IceSword has proven to be one of several nice ARKs for a number of years. Shame it hasn't been updated for ages though, but still worth using :thumb:
     
  5. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    I haven't tried PowerTool yet, but I hate crashes and now I'm wary. :p Even so, I appreciate that there are spiritual successors of IceSword out there. I wish there was an IceSword Windows 7 edition.
     
  6. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    The x64 is not yet in English!
     
  7. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    Are you saying that there's a version of IceSword that works on Windows 7 x64 but it's not in English?
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Why would you need an anti-rootkit on x64? You know Kernel Patch Protection prevents rootkits, right? The only thing you'd need to be afraid of is a bootkit.
     
  9. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Because of x64 rootkits.

    There are rootkits for x64, more than one, go look at KernelMode,
    and those are just the known ones.

    I think there are 0-day rootkits for x64.

    Only two good scanners:
    SanityCheck and truex64.
    There are others like Sophos but not that good at detecting stuff,
    nor GMER (GMER is useless on x64).

    There is a tool I didn't try yet called wincheck
    on the KernelMode forum.
     
  10. Fox Mulder

    Fox Mulder Registered Member

    Joined:
    Jun 2, 2011
    Posts:
    203
    x64 rootkits exist, although not many.
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    As far as I'm aware those are bootkits, NOT rootkits. You cannot load unsigned code on x64 without taking advantage of a bug in the boot process.

    In other words, unless your PC has BSOD/shut down on its own recently, you have no chance of having a rootkit. So such a tool is useless.
     
  12. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    I was discussing PowerTool, which does have an x64 version, but that version is still in its infancy and not yet translated. It is on the download site as v1.1.

    Best regards,
     
  13. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    @funkydude it has rootkits other than bootkits.

    For instance, in a Security Now episode (I don't exactly remember the number)
    one which used a mode in the system that was for testing software before signing it.

    Also I can lead you to a removal topic where I did get an x64 rootkit and it was undetected by the removal process.
     
  14. aladdin

    aladdin Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    2,986
    Location:
    Oman
    Very true!

    And, for this reason the author of PowerTool is making an x64 version.

    Best regards,
     
  15. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi
    As pointed out by CloneRanger, the last AR tools from China are not mature...
    and this is the case with Win64AST, one of the rare Win64 antirootkits:
    http://www.m5home.com/bbs/thread-5154-1-1.html

    At last, the most reliable detection is still Live CD and forensic memory analysis.

    Rgds
     
  16. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    You're partially correct: many of the methods involve a bootkit, but they are with the purpose of installing the rootkit in order to disguise the activities of the trojan.

    One method used to bypass patchguard involves the TESTSIGNING mode, which is not a bug but a feature left by Microsoft to allow developers to test unsigned drivers.

    Unsigned drivers stick out like a sore thumb when examining a system offline, e.g. using an OTL LiveCD - unless they are hidden in an encrypted filesystem, such as with TDL4/Alureon. TDL4 was easy to spot though using simple diskpart, but I don't know if this is still the case. Sometimes it's easier to spot a rootkit by its behaviour, which is where tools like this and GMER come in.


    Zero-Access rootkit no longer bothers overwriting Windows system drivers with unsigned drivers, or using bootkits, and now is entirely user-mode so that it works for both 32-bit and 64-bit versions of Windows. It hijacks two registry entries so that Windows loads malware DLLs instead of legitimate Windows DLLs. These malware DLLs aren't found in the system32 folder as with most rootkits, but in the %windir%\Installer and Local Application Data folders:
    http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/


    Here's a section of an interesting article which mentions various methods of bypassing Patchguard:
    http://www.securelist.com/en/analysis/204792235/XPAJ_Reversing_a_Windows_x64_Bootkit
     
    Last edited: Jun 24, 2012
  17. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Interesting, thanks.
     
  18. Melf

    Melf Registered Member

    Joined:
    Sep 7, 2010
    Posts:
    105
    There are 2 ways that I know of to gain root privileges on x64:

    1) Direct disk access (write to MBR or create a new boot partition). This lets the malware control the hard drive before the OS loads, and it can then do what it likes because it can fool the OS into believing anything.

    2) The user grants admin privileges via UAC to install some driver, or to switch the system to TESTSIGNING mode.

    So if you protect against direct disk access and don't approve UAC requests willy-nilly, AFAIK you can not get a rootkit on x64.

    I don't know why we're talking about ZeroAccess, on x64 the thing does not attempt to gain root privileges at all (but can do plenty of harm as User). It's a rootkit only on x86.
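    As an added check for the two points raised in posts 16 and 18 above (this is not code from the thread or from PowerTool): a PowerShell script for an administrator who wants to confirm that the machine is not booted in TESTSIGNING mode and that every running kernel driver carries a signature that validates. It assumes an elevated prompt on Windows 7 or later; bcdedit, Win32_SystemDriver and Get-AuthenticodeSignature are standard components.

    ```powershell
    # Added example: report the testsigning boot option and list running kernel
    # drivers whose Authenticode or catalog signature does not validate.
    # Run from an elevated PowerShell prompt (bcdedit needs administrator rights).

    function Get-TestSigningState {
        # bcdedit prints a "testsigning  Yes" line only when the option is set.
        $bcd = & bcdedit.exe /enum '{current}' 2>$null
        if (-not $bcd) { return 'unknown (bcdedit failed; run elevated)' }
        if ($bcd -match '^\s*testsigning\s+Yes') { return 'ENABLED' }
        return 'disabled'
    }

    function Get-UnsignedRunningDrivers {
        # Win32_SystemDriver gives the service name and on-disk path of each driver.
        $drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
        foreach ($d in $drivers) {
            $path = $d.PathName
            if (-not $path) { continue }
            # Normalise NT-style paths (\??\C:\..., \SystemRoot\..., system32\...) to Win32 paths.
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"
            if (-not (Test-Path -LiteralPath $path)) {
                # A running driver whose image is gone from disk is itself worth a look.
                [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing' }
                continue
            }
            # Most inbox drivers are catalog-signed; Get-AuthenticodeSignature checks
            # catalogs too and reports SignatureType = Catalog for them.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Name = $d.Name; Path = $path; Status = $sig.Status }
            }
        }
    }

    "TESTSIGNING: $(Get-TestSigningState)"
    "Running drivers without a valid signature (empty list is the expected result):"
    Get-UnsignedRunningDrivers | Format-Table -AutoSize
    ```

    A non-empty driver list is not proof of infection (some vendor drivers are legitimately unsigned on older systems), but each entry should be accounted for, and TESTSIGNING showing ENABLED on a machine that is not a developer box warrants the offline inspection described in post 16.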
     
  19. ithurricane

    ithurricane Registered Member

    Joined:
    Dec 25, 2011
    Posts:
    1
    Location:
    china

    The newest PowerTool x64 version is 1.2.

    This is the English version:
    -http://powertool-google.googlecode.com/files/PowerTool%20x64%20V1.2%20%28EnglishVersion%29.zip-
     
    Last edited by a moderator: Aug 17, 2012
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,770
    Location:
    Outer space
    This is quite an extensive ARK software, and afaik by far the most extensive on 64 bit. Weird that it is not more discussed here.
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Avast behaviour blocker went nuts when I tried to install it :)
     
  22. PaulBB

    PaulBB Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    708
    PowerTool v4.3

    -http://code.google.com/p/powertool-google/downloads/list-
     
  23. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Seems a very unstable program. Crashing and BSODs etc.
    Giving it a miss as I don't want junk on my computer. :ninja:
     
  24. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    What exactly did you notice when you ran this tool?
     
  25. Noodle

    Noodle Registered Member

    Joined:
    Oct 30, 2012
    Posts:
    3
    I remember using RootRepeal, DarkSpy and other weird unknown tools to detect rootkits.

    Back in 2007 I was infected with the Poison Ivy RAT... nothing detected it, I had to reformat. I downloaded a trainer for an online game and I clicked the .exe and nothing happened, I thought nothing of it... my mistake.

    2 months later I knew I was compromised when I logged into my RapidShare account and checked the IP log and saw a user from Quebec, Canada downloading files with my account and uploading software and a file of the same game I played...

    The person was spying on me, no idea I was rooted, but thanks to the IP log I got a clue.

    Everyone on the forum said their online accounts were "hacked".

    Eh...
     