ProcessGuard and RootkitRevealer

Discussion in 'ProcessGuard' started by richardw2, Mar 23, 2005.

Thread Status:
Not open for further replies.
  1. richardw2

    richardw2 Guest

    I tried to install RootkitRevealer from Sysinternals while ProcessGuard was active. Every time I tried to do this a ProcessGuard Alert was generated of which the following is an example:

    [DRIVER/SERVICE] c:\windows\system32\ynuihcm.exe [2884] Tried to install a driver/service named RKREVEAL110

    Each time I tried to install RootkitRevealer the name of the file that tried to install RKREVEAL110 was different, other filenames given in the Alerts included:

    lvuedeilm.exe
    fws.exe

    On the ProcessGuard Alert tab, the button labelled "Allow Driver/Service" did not appear to do anything when clicked.

    My question is, why is it not possible to "Allow Driver/Service" in this instance?

    Thanks
     
  2. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Apparently this new version of RootkitRevealer spawns a randomly named executable which then launches, installs the driver/service and does the scanning.

    They did this because a known rootkit was hiding when RootkitRevealer launched, or something along those lines.

    Did you try learning mode? I ran it yesterday, but disabled ProcessGuard's protection to run it when I saw what was happening. I didn't try learning mode yet.

    Try turning learning mode on so it can learn the second, randomly named exe that gets launched and allow it the rights it wants.
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi richardw2,

    The pre-1.3* builds of RootkitRevealer were being circumvented by adding the RootkitRevealer executable (rootkitrevealer.exe) as a "root" process to the Hacker Defender config file. Since nothing is hidden from "root" processes, RootkitRevealer could not find the hidden components of the rootkit. With 1.30/1.31, RootkitRevealer creates and executes randomly named copies of itself in \system32.

    In normal mode, PG blocks the first attempt to install a driver/service. After that, you have the option to allow driver/service install for that executable. Unfortunately, the next time you run RootkitRevealer, the name of the executable changes and the old executable is deleted.

    At minimum, you have to disable driver/service protection (in PG's Main tab) in order to scan with RootkitRevealer.

    Nick
     
  4. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    So Nick S,

    PG's learning mode won't work? I just disabled PG momentarily while scanning.

    Of course if it did work, you'd end up with learned settings that will only be used once since the exe name changes each time.
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi rickontheweb,

    I disable it as well. Learning Mode won't work because the name of the executable changes even though the driver/service name, rkreveal110.sys, stays the same.

    Nick
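    As an added illustration of Nick's point (example code written for this thread, not part of ProcessGuard or RootkitRevealer): a parser for the alert format quoted above, replaying three constructed alerts against two policies. The per-executable allow list is how learning mode behaves; the rule keyed on the stable driver/service name is a hypothetical comparison, not a feature the thread says PG offers.

```python
import re
from dataclasses import dataclass

# Constructed alert lines in the ProcessGuard format quoted in this thread.
ALERTS = [
    r"[DRIVER/SERVICE] c:\windows\system32\ynuihcm.exe [2884] Tried to install a driver/service named RKREVEAL110",
    r"[DRIVER/SERVICE] c:\windows\system32\lvuedeilm.exe [3012] Tried to install a driver/service named RKREVEAL110",
    r"[DRIVER/SERVICE] c:\windows\system32\fws.exe [1740] Tried to install a driver/service named RKREVEAL110",
]

ALERT_RE = re.compile(
    r"^\[DRIVER/SERVICE\] (?P<exe>.+?) \[(?P<pid>\d+)\] "
    r"Tried to install a driver/service named (?P<service>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    exe: str
    pid: int
    service: str


def parse_alert(line: str) -> Alert:
    """Extract executable path, PID and driver/service name from one alert line."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"not a driver/service alert: {line!r}")
    return Alert(m["exe"].lower(), int(m["pid"]), m["service"].lower())


def simulate(alert_lines):
    """Replay alerts; return (blocks under exe-keyed rules, blocks under service-keyed rules)."""
    learned_exes = set()            # what learning mode would record: one path per run
    allowed_services = {"rkreveal110"}  # hypothetical rule keyed on the stable driver name
    blocked_exe = blocked_service = 0
    for line in alert_lines:
        a = parse_alert(line)
        if a.exe not in learned_exes:
            blocked_exe += 1
            learned_exes.add(a.exe)  # useless next run: the copy is deleted and renamed
        if a.service not in allowed_services:
            blocked_service += 1
    return blocked_exe, blocked_service
```

Every run is blocked under exe-keyed rules because each randomly named copy is a new path, while the driver name stays constant across all three alerts.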
     
  6. richardw2

    richardw2 Guest

    Thanks guys for the prompt replies; that has cleared things up.

    You are right, Learning Mode does not work. However, I was able to install OK by disabling protection in ProcessGuard.

    One other thing I don't understand: I run TDS as well as ProcessGuard. If both are active, it is ProcessGuard that stops the installation of RootkitRevealer, but if I try to run Steve Gibson's LeakTest it is TDS that stops the execution of that program, NOT ProcessGuard.

    Why is this so?

    Regards,

    Richard
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi richardw2,

    The LeakTest executable will not execute until TDS's Execution Protection allows it. With Execution Protection enabled, when you double-click LeakTest.exe, execprot.exe executes first:

    Wed 23 - 21:21:01 [EXECUTION] "c:\dcs\tds3\ext.sys\execprot.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\explorer.exe" [940]
    [EXECUTION] Commandline - [ c:\dcs\tds3\ext.sys\execprot.exe tds|tdsdll-test:c:\program files\leaktest\leaktest.exe ]
    Nick
     