ProcessGuard and RootkitRevealer

I tried to install RootkitRevealer from Sysinternals while ProcessGuard was active. Every time I tried to do this a ProcessGuard Alert was generated of which the following is an example:

[DRIVER/SERVICE] c:\windows\system32\ynuihcm.exe [2884] Tried to install a driver/service named RKREVEAL110

Each time I tried to install RootkitRevealer the name of the file that tried to install RKREVEAL110 was different, other filenames given in the Alerts included:

lvuedeilm.exe
fws.exe

On the ProcessGuard Alert tab, the button labelled "Allow Driver/Service" did not appear to do anything when clicked.

My question is, why is it not possible to "Allow Driver/Service" in this instance?

Thanks

 

Apparently this new version of RootkitRevealer spawns a randomly named executable which then launches, installs the driver/service and does the scanning.

They did this because a known rootkit was hiding when rootkitrevealer launched or something along that lines.

Did you try learningmode? I ran it yesterday, but disabled ProcessGuard's protection to run it when I saw what was happening. I didn't try learning mode yet.

Try turning learning on so it could learn in the second launched randomly named exe and allow it the rights it wants.

 

Hi richardw2,

The pre-1.3* builds of RootkitRevealer were being circumvented by adding the RootkitRevealer executable (rootkitrevealer.exe) as a "root" process to the Hacker Defender config file. Since nothing is hidden from "root" processes, RootkitRevealer could not find the hidden components of the rootkit. With 1.30/1.31, RootkitRevealer creates and executes randomly named copies of itself in \system32.

In normal mode, PG blocks the first attempt to install a driver/service. After that, you have the option to allow driver/service install for that executable. Unfortunately, the next time you run RootkitRevealer, the name of the executable changes and the old executable is deleted.

At minimum, you have to disable driver/service protection (in PG's Main tab) in order scan with RootkitRevealer.

Nick

 

So Nick S,

PG's learning mode won't work? I just disabled PG momentarily while scanning.

Of course if it did work, you'd end up with learned settings that will only be used once since the exe name changes each time.

 

Hi rickontheweb,

I disable it as well. Learning Mode won't work because the name of the executable changes even though the driver/service name, rkreveal110.sys, stays the same.

Nick

 

Thanks guys for the prompt replies, that has cleared things up,

You are right, Learning Mode does not work. However, I was able to install OK by disabling protection in ProcessGuard.

One other thing I don't understand; I run TDS as well as ProcessGuard. If both are active, it is ProcessGuard that stops the installation of RootkitRevealer, but if I try to run Steve Gibson's Leaktest it is TDS that stops the execution of that program, NOT ProcessGuard.

Why is this so?

Regards,

Richard

 

Hi richardw2,

The LeakTest executable will not execute until TDS's Execution Protection allows it. With Execution Protection enabled, when you double-click LeakTest.exe, execprot.exe executes first:

Wed 23 - 21:21:01 [EXECUTION] "c:\dcs\tds3\ext.sys\execprot.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [940]
[EXECUTION] Commandline - [ c:\dcs\tds3\ext.sys\execprot.exe tds|tdsdll-test:c:\program files\leaktest\leaktest.exe ]

Nick