Rootkit Unhooker

Discussion in 'other anti-malware software' started by Z0mBiE, Dec 11, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I don't think RkU is dangerous, I'm doing regular research about malware and I doubt that RkU is malware. Actually it's the coolest SDTRestorer and Unhooker.

    Many commercial ARKs disabled the general unhook function, e.g. Trend Micro.
    (boring boys)

    It's very important that independent tools like gmer and rku come out to damp the pride of commercial security companies.

    [But a driver which is too hard to knock out for RkU is Symantec's SPBHook.]
     
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    RkU V3.31 is unstable, it crashes. Damn, guys, make it better than before.
     
  3. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hello,

    @halcyon

    There are some limits to paranoia: since nobody can prove that RkU is a malicious tool, it is not malicious. With the same success everybody can say that every disk cleaner/disk fixer tool is malicious because it has access to files on users' disks.

    Yes, scan speed is lost due to obvious reasons. RkU uses direct disk.sys reading, so it bypasses not only rootkits but also the ntfs.sys/fastfat.sys caches, which optimize reading/writing speed. It could read faster, but then it would be unable to scan locked driver/library files. The new malware rootkit strategy is to lock system components on disk, so they can't be opened normally for scanning (for example for inline hooks). Also, process memory is now read directly from kernel mode, without using API calls; this will bypass all rootkits that use inline-patch protection methods.

    Next version will probably fix this.

    The new developer team will try to fix archaic RkU bugs (like ntfs parsing issues), and add some new features like:
    - direct (S)ATA disk controller port reading/writing (that will bypass all kinds of file hiders and inline-patch protectors, including "invincible and unseen" Chinese rootkits =) )
    - new detection methods for the Hidden Drivers Detector, which will be able to conceptually (and without faking like in Avira/AVG) detect the phide_ex, Rustock.C, rkdemo v1.3, and "rkdemo_mod by Cardmagic" driver hiding methods.
    - Vista 32bit compatibility, actually it's done already :)

    Preliminary release date - summer 2007.
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Very important to know the reasons so we can more easily absorb the loss of speed.

    Very good to hear! Great news! Yes, these damn Chinese rootkits.. devil's work.
     
  5. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Exactly my point. I used RKU just as an example. The same could be said of any other such tool coming from a non-corporate site (i.e. not a publicly listed big well-known security company which would commit suicide by releasing a rootkit). Of course, the antirootkits from big corporations suck for the most part, so one has to revert to antirootkits from anonymous individual researchers.

    And with the big money being in for-pay rootkits/stealth/zombie malware writing, I'm sure the number of "fake security" software that infects one's system will just grow and grow in number.

    For now, I personally trust RKU and its ilk, but I cannot prove to anyone that it's worth trusting 100% :(

    That's what I was aiming for: how can we know for sure software like this is trustworthy (I don't think we can).
     
  6. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    I know what you are getting at, but take a step back:
    LOL
    Would that be Symantec or Sony or any bloody DRM eg Vista ;)

    That war is already lost. :(

    How can we know any software is trustworthy ??
    M$: LOL: the web has been destroyed as a safe place by 20 years of exploits.
    Any soft that phones home could be looking at you. !! :cautious:

    In some ways I am happier trusting EP_XOFF than many others (apart from the odd BSOD :eek: ) As per above we can only hope he and his friends stay on our side. No doubt there are many with comparable skills who are not on our side.

    I was happy to let Russinovich and Cogswell have access to everything. :eek:
    Russinovich single handedly pulled rootkits into a more public exposure after the SONY debacle.

    EP_XOFF has almost single-handedly restructured the rootkit detection industry. As you are aware RkU was rated the BEST antirootkit tool and is still being developed. It may come to pass that the "hobby" will be outstripped by the big boys with $ and personnel, but for the moment: the benchmark.

    Keep your powder dry. ;)
    Google is your friend
    to paraphrase the greatest physician who ever lived : you must rush to use the latest software while it still works. :cautious:
     
    Last edited: Apr 20, 2007
  7. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Ah, touche! :)

    Thankfully we still don't have a major security corp releasing malicious rootkits. Then I'll stop using Windows completely :)

    I agree, for the most part.

    I don't think we can for 100%. However, the more a piece of software is exposed to peer review from all sorts of security experts who work in public and who put their credibility on the line, the higher the likelihood of finding out fake ones.

    Yes, and Wilders :)
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes, that´s it.
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Rootkit Unhooker v3.7 LE
    Sysinternals
     
  10. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Thanks Meriadoc for the update:thumb:
     
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Be a shame if it really is the last 'free version'.

    Also note the update to process walker.

    EP_XOFF and cohorts have made my web experience a lot more interesting and challenging over the last year :D
     
  12. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    Hello!

    It is really a shame that it is going to be last public version :'( . Thank you EP_XOFF and team! :thumb:
     
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    PS: not for the faint-hearted.
    Much more stable now with enhanced functions to boot. :) SEE BELOW

    Uninstall previous versions (might not be necessary)
    Turn off any other real time tools that might have an interest
    eg
    SSM
    DW
    PrevX
    other flavours of HIPS.
    BOClean
    Antivirus
    etc

    EDIT: not as stable as I'd hoped :ouch:
    Froze my system twice even with all other "anti" tools disabled.
    Needed power reboot
    No dump file to attach :(


    Hopefully EP_XOFF or colleague will comment.

    Amazing tool.
    Wish I knew enough to utilise it fully; maybe later lol
     
    Last edited: Jul 1, 2007
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Sysinternals
     
  15. pushick

    pushick Registered Member

    Joined:
    Jul 21, 2007
    Posts:
    3
    Hello,

    RkUnhooker v3.7 updated version will be available in a few days. Changes:
    *fixed glitch with Process dlls view redraw
    *fixed bug with code hooks detector behaviour
     
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @pushick et al
    thank you for the continuing development
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Great news! :D
     
  18. pushick

    pushick Registered Member

    Joined:
    Jul 21, 2007
    Posts:
    3
  19. raiderfan47

    raiderfan47 Registered Member

    Joined:
    Dec 6, 2006
    Posts:
    9
    Location:
    Connecticut
    Hello,

    I'm a novice when it comes to understanding rootkits and what RKU reveals.

    However, I'm sorry that problems have caused you to decide to no longer issue new versions of RKU to the public. I think there needs to be more independent software writers like yourself.

    Following the threads here shows me that you are very responsive to any glitches or conflicts with other software and issue revisions promptly [unlike most commercial purveyors of any type of software]. You also have very loyal and knowledgeable supporters.

    Good luck and think about changing your mind in the near future.

    raiderfan47 :) :thumb:
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Without a doubt RKU has been very useful and I second the encouragement and desire to see it continue at some point in meeting the needs of users everywhere.

    Its deep diagnostics and functions have been a welcome utility for many the world over since its first inception onward, and it continues to prove a vital instrument in the hands of those who can accurately make best use of it.
     
  21. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hello,

    RkUnhooker v3.7.300.506 has been released

    http://rku.nm.ru/rkunhooker_v3/RkU3.7.300.506.zip
    Size: ~160 Kb
    MD5 for installation .exe file a0c9603487dd0f33a0c626e33e406392

    Changes from the 3.7.300.503(4)

    fixed main window GUI bug
    fixed inline hook detector bugs
    fixed syscall detection bug
    fixed several vulnerabilities
    From this version the driver unloads itself at program exit, but only if RkU is not set to work in extended mode.

    Currently we are thinking about next public release version. But I can't tell more yet.
     
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Congrats EP_X0FF& team:cool:

    Glad to see your tool keeping pace with malware rootkits being seen in the wild at the moment:thumb:

    Loaded up my poor victim/research pc with a good collection of recent rootkit trojans to see what your ARK could uncover and, as with previous versions, the results are unparalleled:cool:

    Malware rootkit/trojan samples used:

    1)Rustock B(Lzx32.sys)
    2)Wincom32(wincom32.sys)
    3)Trojan injector aka All-In-One(VideoAti0.dll,VideoAti0.exe,VideoAti0.sys)
    4)Cutwail/Bulknet+Pandex(Runtime.sys,Runtime2.sys,smtpdrv.sys)
    5)Haxdoor+ Wopla (ntio256.sys,protector.exe)
    and finally the current and most advanced rootkit trojan:blink:
    http://www.symantec.com/enterprise/...g/2007/07/spam_from_the_kernel_fullkerne.html
    6)Srizbi (Mni41.sys)

    Here's the output log generated by the RKU scan. I have edited out all legitimate objects/data to leave only malware-related entries/data:)
    Code:
    RkUnhooker report generator v0.7
    ==============================================
    Rootkit Unhooker kernel version: 3.7.300.506
    ==============================================
    Windows Major Version: 5
    Windows Minor Version: 1
    Windows Build Number: 2600
    ==============================================
    >SSDT State
    NtClose
    Actual Address 0xF94D44D8
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtEnumerateKey
    Actual Address 0xF94D400A
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtEnumerateValueKey
    Actual Address 0xF94D41CA
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtFsControlFile
    Actual Address 0xF94D3F5A
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtOpenSection
    Actual Address 0xF0993546
    Hooked by: C:\WINDOWS\System32\wincom32.sys
    NtReadVirtualMemory
    Actual Address 0xF94D438A
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtSuspendProcess
    ==============================================
    >Processes
    !!!!!!!!!!!Hidden process: C:\WINDOWS\system32\protector.exe
    Process Id: 168
    EPROCESS Address: 0xFF10E8A8
    ==============================================
    >Drivers
    Driver: Mni41.sys
    Address: 0xF9218000
    Size: 167936 bytes

    !!!!!!!!!!!Hidden driver: C:\WINDOWS\System32:lzx32.sys
    Address: 0xF0C3C000
    Size: 73728 bytes

    Driver: C:\WINDOWS\System32\wincom32.sys
    Address: 0xF0993000
    Size: 49152 bytes

    !!!!!!!!!!!Hidden driver: C:\WINDOWS\system32\drivers\runtime2.sys
    Address: 0xF94D2000
    Size: 36864 bytes

    !!!!!!!!!!!Hidden driver: ntio256.sys
    Loaded from:
    Address: 0xF9622000
    Size: 20480 bytes

    Driver: C:\WINDOWS\System32\DRIVERS\smtpdrv.sys
    Address: 0xF95BA000
    Size: 20480 bytes

    !!!!!!!!!!!Hidden driver: VideoAti0.sys
    Loaded from:
    Address: 0xF9582000
    Size: 20480 bytes

    Driver: C:\WINDOWS\System32\drivers\runtime.sys
    Address: 0xF9794000
    Size: 8192 bytes
    ==============================================
    >Stealth
    Unknown page with executable code
    Address: 0xFF7DAB85
    Size: 1147

    Unknown page with executable code
    Address: 0xFF7EDA1B
    Size: 1509

    Unknown page with executable code
    Address: 0xFF7D6F30
    Size: 208

    Unknown page with executable code
    Address: 0xFF7EB55E
    Size: 2722

    Unknown page with executable code
    Address: 0xFF7D5517
    Size: 2793

    Unknown page with executable code
    Address: 0xFF7DB14A
    Size: 3766

    Unknown page with executable code
    Address: 0xFF7DC121
    Size: 3807

    Unknown page with executable code
    Address: 0xFF7F3CBE
    Size: 834
    ==============================================
    >Files
    Suspect File: C:\WINDOWS\system32:lzx32.sys:$DATA Status: Hidden

    Suspect File: C:\WINDOWS\system32\drivers\Mni41.sys Status: Hidden

    Suspect File: C:\WINDOWS\system32\drivers\runtime2.sys Status: Hidden

    Suspect File: C:\WINDOWS\system32\drivers\runtime2.sy_ Status: Hidden

    Suspect File: C:\WINDOWS\system32\drivers\VideoAti0.sys Status: Hidden

    Suspect File: C:\WINDOWS\system32\ntio256.sys Status: Hidden

    Suspect File: C:\WINDOWS\system32\protector.exe Status: Hidden

    Suspect File: C:\WINDOWS\system32\VideoAti0.dll Status: Hidden

    Suspect File: C:\WINDOWS\system32\VideoAti0.exe Status: Hidden

    Suspect File: C:\WINDOWS\system32\wincom32.ini Status: Hidden

    Suspect File: C:\WINDOWS\system32\wincom32.sys Status: Hidden
    ==============================================
    >Hooks
    ntoskrnl.exe-->IofCallDriver, Type: Address change at address 0x80544480 hook handler located in [lzx32.sys]
    ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump at address 0x8057D323 hook handler located in [Mni41.sys]
    ntoskrnl.exe-->NtOpenKey, Type: Inline - RelativeJump at address 0x8058272F hook handler located in [Mni41.sys]
    SYSENTER/Int 2E, Type: System Call & Inline at address 0x804DA04F hook handler located in [lzx32.sys]
    tcpip.sys+0x000036A2, Type: Inline - RelativeCall at address 0xF0BAF6A2 hook handler located in [lzx32.sys]
    tcpip.sys+0x0000D0C2, Type: Inline - RelativeCall at address 0xF0BB90C2 hook handler located in [lzx32.sys]
    tcpip.sys+0x0001786C, Type: Inline - RelativeCall at address 0xF0BC386C hook handler located in [lzx32.sys]
    tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF0BE5A04 hook handler located in [lzx32.sys]
    tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF0BE5A10 hook handler located in [lzx32.sys]
    tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF0BE5A0C hook handler located in [smtpdrv.sys]
    wanarp.sys+0x000050C1, Type: Inline - RelativeCall at address 0xF94B70C1 hook handler located in [lzx32.sys]
    wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF94B77CC hook handler located in [smtpdrv.sys]
    wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF94B779C hook handler located in [smtpdrv.sys]
    wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF94B77BC hook handler located in [smtpdrv.sys]
    wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF94B77A8 hook handler located in [smtpdrv.sys]

    Just a subnote to say thanks again for a forensic ARK tool that has greatly assisted me in my malware hunting/infection recovery missions. The wipe/copy file tool is the bomb :D
     
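The report above is plain text emitted by the tool's own report generator, and a defender who collects such reports from more than one machine wants them parsed and cross-checked rather than read by eye. The Python below is an added example, not code from RkU or from any poster in this thread: it parses a constructed excerpt in the same format (a subset of the entries from the posted log), resolves each hooked SSDT handler address against the base-plus-size ranges the Drivers section lists (the same arithmetic behind the tool's "Hooked by" line), and groups every hook by the driver that owns its handler, so that hidden drivers and the hooks they install line up in one view. Section names, field labels and sample values come from the posted log; the function names are my own.

```python
import re

# Constructed excerpt in the RkUnhooker report format (a subset of the log posted above).
SAMPLE_REPORT = r"""
>SSDT State
NtClose
Actual Address 0xF94D44D8
Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
NtSuspendProcess
==============================================
>Processes
!!!!!!!!!!!Hidden process: C:\WINDOWS\system32\protector.exe
==============================================
>Drivers
Driver: Mni41.sys
Address: 0xF9218000
Size: 167936 bytes
!!!!!!!!!!!Hidden driver: C:\WINDOWS\System32:lzx32.sys
Address: 0xF0C3C000
Size: 73728 bytes
!!!!!!!!!!!Hidden driver: C:\WINDOWS\system32\drivers\runtime2.sys
Address: 0xF94D2000
Size: 36864 bytes
==============================================
>Hooks
ntoskrnl.exe-->IofCallDriver, Type: Address change at address 0x80544480 hook handler located in [lzx32.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump at address 0x8057D323 hook handler located in [Mni41.sys]
"""

HOOK_RE = re.compile(r"^(?P<target>.+?), Type: (?P<type>.+?) at address (?P<addr>0x[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]$")

def driver_name(path):
    # Last path component, lower-cased; also handles the ADS form "System32:lzx32.sys".
    return re.split(r"[\\:]", path.strip())[-1].lower()

def split_sections(text):
    # Group report lines under their ">Section" headers, dropping separator rules and blanks.
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(">"):
            current = line[1:]
        elif current and line and not line.startswith("="):
            sections.setdefault(current, []).append(line)
    return sections

def parse_drivers(lines):
    # One record per "Driver:"/"Hidden driver:" line; base and size follow on the next lines.
    drivers, rec = [], None
    for line in lines:
        m = re.match(r"!*(Hidden driver|Driver): (.*)", line)
        if m:
            rec = {"name": driver_name(m.group(2)), "hidden": m.group(1) == "Hidden driver", "base": None, "size": 0}
            drivers.append(rec)
        elif rec and line.startswith("Address:"):
            rec["base"] = int(line.split()[1], 16)
        elif rec and line.startswith("Size:"):
            rec["size"] = int(line.split()[1])
    return drivers

def parse_ssdt(lines):
    # Syscall name, the address now in the table, and the tool's own "Hooked by" attribution.
    entries, rec = [], None
    for line in lines:
        if line.startswith("Actual Address"):
            rec["actual"] = int(line.split()[-1], 16)
        elif line.startswith("Hooked by:"):
            rec["hooked_by"] = driver_name(line.split(":", 1)[1])
        else:
            rec = {"syscall": line, "actual": None, "hooked_by": None}
            entries.append(rec)
    return entries

def owner_of(address, drivers):
    # The loaded image whose [base, base+size) range contains the address, if any.
    for d in drivers:
        if d["base"] is not None and d["base"] <= address < d["base"] + d["size"]:
            return d["name"]
    return None

def summarize(text):
    # Per driver: hidden or not, SSDT entries resolving into it, other hooks whose handler lives in it.
    sec = split_sections(text)
    drivers = parse_drivers(sec.get("Drivers", []))
    per_driver = {d["name"]: {"hidden": d["hidden"], "ssdt": [], "hooks": []} for d in drivers}
    for e in parse_ssdt(sec.get("SSDT State", [])):
        if e["actual"] is None:      # entry printed without an address: nothing to resolve
            continue
        owner = owner_of(e["actual"], drivers)
        # Recompute the attribution from the driver ranges and flag any disagreement with the report.
        label = e["syscall"] if owner == e["hooked_by"] else f"{e['syscall']} (report says {e['hooked_by']})"
        per_driver.setdefault(owner or "unknown", {"hidden": None, "ssdt": [], "hooks": []})["ssdt"].append(label)
    for m in filter(None, map(HOOK_RE.match, sec.get("Hooks", []))):
        per_driver.setdefault(m["handler"].lower(), {"hidden": None, "ssdt": [], "hooks": []})["hooks"].append(f"{m['target']} [{m['type']}]")
    hidden = [m.group(1) for m in map(re.compile(r"!*Hidden process: (.*)").match, sec.get("Processes", [])) if m]
    return {"drivers": per_driver, "hidden_processes": hidden}

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

On a full report the useful signal is any driver that is hidden, any hook handler that resolves to no listed image at all (the "unknown" key), and any SSDT entry whose recomputed owner disagrees with the report's own "Hooked by"; all three are visible in the returned summary without reading the raw log.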
  23. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Thanks for testing!

    I'm a little surprised with the lzx32.sys result

    That is something new. Can we get the copy of this Rustock variant? :)
     
  24. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Early buggy B build possibly o_O but no probs on forwarding the sample. You have a PM @ sysinternals with a download URL for the dropper of this variant:thumb:
     
  25. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Got it, thanks. This rustock variant is the old buggy B, but with a new, not seen earlier, hook inside wanarp.sys, interesting...

    What about Mni41.sys, it additionally hooks some IRP in ntfs.sys (see Drivers->References for ntfs.sys), for hiding files I guess.
     