Rootkit Unhooker

Discussion in 'other anti-malware software' started by Z0mBiE, Dec 11, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I don´t think RkU is dangerous, I´m doing regular research about malware and I doubt that RkU is malware. Actually it´s the coolest SDTRestorer and Unhooker.

    Many commercial ARKs disabled the general unhook function, e.g. Trend Micro.
    (boring boys)

    It´s very important that independent tools like gmer and rku comes out to damp the
    pride of commercial security companies.

    [But a driver which is to hard to knock out for RkU is Symantecs SPBHook.]
     
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    RkU V3.31 is unstable, it crashes. Damn, guys make it better as before.
     
  3. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hello,

    @halcyon

    There are some limits of paranoia, since nobody can't proof that RkU is malicious tool, it is not malicious. With the same success everybody can speak that every disk cleaner/disk fixer tool is malicious because it have access to files on users disks.

    Yes, scan speed is lost due to obvious reasons. RkU uses direct disk.sys reading, so it bypasses not only rootkits but ntfs.sys/fastfat.sys caches also which optimizes reading/writing speed. It can read faster, but then it will be unable to scan locked driver/libraries files. New malware rootkits strategy - lock system components on disk, so they can't be normally opened for scan (for example for inline hooks). Also processes memory now reading directly from kernel mode, without using API calls, this will bypass all rootkits that are using inline-patch protection methods.

    Next version will probably fix this.

    New developers team will try to fix archaic RkU bugs (like ntfs parsing issues), and add some new features like:
    - direct (S)ATA disk controller ports reading/writing (that will bypass all kind of file hiders and inline-patch protectors, including "invincible and unseen" chinese rootkits =) )
    - new detection methods for Hidden Drivers Detector, which will be able to conceptually (and without faking like in Avira/AVG) detect phide_ex, Rustock.C, rkdemo v1.3, and "rkdemo_mod by Cardmagic" driver hidding methods.
    - Vista 32bit compatibility, actually its done already :)

    Preliminary release date - summer 2007.
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Very important to know the reasons so we can more easily absorb the loss of speed.

    Very good to hear! Great news! Yes, these damn chinese rootkits.. devils work.
     
  5. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Exactly my point. I used RKU just as an example. The same could be said of any other such tool coming from non-corporate site (i.e. not a publicly listed big well-known security company which would commit suicide by releasing a rootkit). Of course, the antirootkits from big corporations suck for the most part, so one has to revert to antirootkits from anonymous individual researchers.

    And with the big money being in for-pay rootkits/stealth/zombie malware writing, I'm sure the number of "fake security" software that infects one's system will just grow and grow in number.

    For now, I personally trust RKU and its ilk, but I cannot prove to anyone that it's worth trusting 100% :(

    That's what I was aiming for : how can we know for sure software like this is trustworthy (I don't think we can).
     
  6. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,229
    Location:
    Sydney, Australia
    I know what you are getting at, but take a step back:
    LOL
    Would that be Symantec or Sony or any bloody DRM eg Vista ;)

    That war is already lost. :(

    How can we know any software is trustworthy ??
    M$: LOL: the web has been destroyed as a safe place by 20 years of exploits.
    Any soft that phones home could be looking at you. !! :cautious:

    In some ways I am happier trusting EP_XOFF than many others (apart from the odd BSOD :eek: ) As per above we can only hope he and his friends stay on our side. No doubt there are many with comparable skills who are not on our side.

    I was happy to let Russinovich and Cogswell have access to everything. :eek:
    Russinovich single handedly pulled rootkits into a more public exposure after the SONY debacle.

    EP_XOFF has almost single-handedly restructured the Rootkit detection industry. As you are aware RkU was rated the BEST antirootkit tool and is still being developed. It may come to pass that the "hobby" will be outstripped by the big boys with $ and personnell, but for the moment: the benchmark.

    Keep your powder dry. ;)
    Google is your friend
    to paraphrase the greatest physician who ever lived : you must rush to use the latest software while it still works. :cautious:
     
    Last edited: Apr 20, 2007
  7. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Ah, touche! :)

    Thankfully we still don't have a major security corp releasing malicious rootkits. Then I'll stop using Windows completely :)

    I agree, for the most part.

    I don't think we can for 100%. However, the more a piece of software is exposed to peer review from all sorts of security experts who work in public and who put their credibility on the line, the higher the likelihood of finding out fake ones.

    Yes, and Wilders :)
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes, that´s it.
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Rootkit Unhooker v3.7 LE
    Sysinternals
     
  10. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Thanks Meriadoc for the update:thumb:
     
  11. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,229
    Location:
    Sydney, Australia
    Be a shame if it really is the last 'free version".

    Also note the update to process walker.

    EP_XOFF and cohorts have made my web experience a lot more interesting and challenging over the last year :D
     
  12. Bio-Hazard

    Bio-Hazard Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    529
    Location:
    Cornwall, UK
    Hello!

    It is really a shame that it is going to be last public version :'( . Thank you EP_XOFF and team! :thumb:
     
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,229
    Location:
    Sydney, Australia
    PS; not for the faint hearted.
    Much more stable now with enhanced functions to boot. :) SEE BELOW

    Uninstall previous versions ( might not be neccessary)
    Turn off any other real time tools that might have an interest
    eg
    SSM
    DW
    PrevX
    other flavours of HIPS.
    BOClean
    Antivirus
    etc

    EDIT: not as stable as I'd hoped :ouch:
    Froze my system twice even with all other "anti" tools disabled.
    Needed power reboot
    No dump file to attach :(


    Hopefully EP_XOFF or colleague will comment.

    Amazing tool.
    Wish I knew enough to utilise it fully; maybe later lol
     
    Last edited: Jul 1, 2007
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Sysinternals
     
  15. pushick

    pushick Registered Member

    Joined:
    Jul 21, 2007
    Posts:
    3
    Hello,

    RkUnhooker v3.7 updated version will be available in few days. Changes:
    *fixed glitch with Process dlls view redraw
    *fixed bug with code hooks detector behaviour
     
  16. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,229
    Location:
    Sydney, Australia
    @pushick et al
    thankyou for continuing devt
     
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Great news! :D
     
  18. pushick

    pushick Registered Member

    Joined:
    Jul 21, 2007
    Posts:
    3
  19. raiderfan47

    raiderfan47 Registered Member

    Joined:
    Dec 6, 2006
    Posts:
    9
    Location:
    Connecticut
    Hello,

    I'm a novice when it comes to understanding rootkits and what RKU reveals.

    However, I'm sorry that problems have caused you to decide to no longer issue new versions of RKU to the public. I think there needs to be more independent software writers like yourself.

    Following the threads here shows me that you are very responsive to any glitches or conflicts with other software and isuue revisions promptly [unlike most commercial purveyors of any type of software]. You also have very loyal and knowledgeable supporters.

    Good luck and think about changing your mind in the near future.

    raiderfan47 :) :thumb:
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    Without a doubt RKU is been very useful and i second the encouragement and desire to see it continue at some point in meeting the needs of users everywhere.

    It's deep diagnostics and functions is been a welcome utility for many the world over since it's first inception onward and continues to prove a vital instrument in the hands of those who can accurately make best use of it.
     
  21. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hello,

    RkUnhooker v3.7.300.506 has been released

    http://rku.nm.ru/rkunhooker_v3/RkU3.7.300.506.zip
    Size: ~160 Kb
    MD5 for installation .exe file a0c9603487dd0f33a0c626e33e406392

    Changes from the 3.7.300.503(4)

    fixed main window GUI bug
    fixed inline hook detector bugs
    fixed syscall detection bug
    fixed several vulnerabilities
    from this version driver is unloading itself at program exit, but only if RkU is not set to work in extended mode.

    Currently we are thinking about next public release version. But I can't tell more yet.
     
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Congrats EP_X0FF& team:cool:

    Glad to see your tool keeping pace with malware rootkits being seen in the wild at the moment:thumb:

    Loaded up my poor victim/research pc with a good collection of recent rootkit trojans to see what your ARK could uncover and as with previous versions the results are unparralled:cool:

    Malware rootkit/trojan samples used-

    1)Rustock B(Lzx32.sys)
    2)Wincom32(wincom32.sys)
    3)Trojan injector aka All-In-One(VideoAti0.dll,VideoAti0.exe,VideoAti0.sys)
    4)Cutwail/Bulknet+Pandex(Runtime.sys,Runtime2.sys,smtpdrv.sys)
    5)Haxdoor+ Wopla (ntio256.sys,protector.exe)
    and finally the current and most advanced rootkit trojan:blink:
    http://www.symantec.com/enterprise/...g/2007/07/spam_from_the_kernel_fullkerne.html
    6)Srizbi (Mni41.sys)

    Here's the the output log generated by RKU scan.I have edited out all legitmate objects/data to leave only malware related entries/data:)
    Code:
    RkUnhooker report generator v0.7
    ==============================================
    Rootkit Unhooker kernel version: 3.7.300.506
    ==============================================
    Windows Major Version: 5
    Windows Minor Version: 1
    Windows Build Number: 2600
    ==============================================
    >SSDT State
    NtClose
    
    
    Actual Address 0xF94D44D8
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtEnumerateKey
    Actual Address 0xF94D400A
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtEnumerateValueKey
    Actual Address 0xF94D41CA
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtFsControlFile
    Actual Address 0xF94D3F5A
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtOpenSection
    Actual Address 0xF0993546
    Hooked by: C:\WINDOWS\System32\wincom32.sys
    NtReadVirtualMemory
    Actual Address 0xF94D438A
    Hooked by: C:\WINDOWS\system32\drivers\runtime2.sys
    NtSuspendProcess
    ==============================================
    >Processes
    !!!!!!!!!!!Hidden process: C:\WINDOWS\system32\protector.exe
    Process Id: 168
    EPROCESS Address: 0xFF10E8A8
    
    ==============================================
    >Drivers
    
    
    Driver: Mni41.sys
    Address: 0xF9218000
    Size: 167936 bytes
    
    
    !!!!!!!!!!!Hidden driver: C:\WINDOWS\System32:lzx32.sys
    Address: 0xF0C3C000
    Size: 73728 bytes
    
    
    
    Driver: C:\WINDOWS\System32\wincom32.sys
    Address: 0xF0993000
    Size: 49152 bytes
    
    
    !!!!!!!!!!!Hidden driver: C:\WINDOWS\system32\drivers\runtime2.sys
    Address: 0xF94D2000
    Size: 36864 bytes
    
    
    !!!!!!!!!!!Hidden driver: ntio256.sys
    Loaded from: 
    Address: 0xF9622000
    Size: 20480 bytes
    
    
    Driver: C:\WINDOWS\System32\DRIVERS\smtpdrv.sys
    Address: 0xF95BA000
    Size: 20480 bytes
    
    
    !!!!!!!!!!!Hidden driver: VideoAti0.sys
    Loaded from: 
    Address: 0xF9582000
    Size: 20480 bytes
    
    
    Driver: C:\WINDOWS\System32\drivers\runtime.sys
    Address: 0xF9794000
    Size: 8192 bytes
    
    
    
    
    ==============================================
    >Stealth
    
    Unknown page with executable code
    Address: 0xFF7DAB85
    Size: 1147
    
    Unknown page with executable code
    Address: 0xFF7EDA1B
    Size: 1509
    
    Unknown page with executable code
    Address: 0xFF7D6F30
    Size: 208
    
    Unknown page with executable code
    Address: 0xFF7EB55E
    Size: 2722
    
    Unknown page with executable code
    Address: 0xFF7D5517
    Size: 2793
    
    Unknown page with executable code
    Address: 0xFF7DB14A
    Size: 3766
    
    Unknown page with executable code
    Address: 0xFF7DC121
    Size: 3807
    
    Unknown page with executable code
    Address: 0xFF7F3CBE
    Size: 834
    ==============================================
    >Files
    
    Suspect File: C:\WINDOWS\system32:lzx32.sys:$DATA Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\drivers\Mni41.sys Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\drivers\runtime2.sys Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\drivers\runtime2.sy_ Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\drivers\VideoAti0.sys Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\ntio256.sys Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\protector.exe Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\VideoAti0.dll Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\VideoAti0.exe Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\wincom32.ini Status: Hidden
    
    
    Suspect File: C:\WINDOWS\system32\wincom32.sys Status: Hidden
    
    
    
    ==============================================
    >Hooks
    
    ntoskrnl.exe-->IofCallDriver, Type: Address change at address 0x80544480 hook handler located in [lzx32.sys]
    ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump at address 0x8057D323 hook handler located in [Mni41.sys]
    ntoskrnl.exe-->NtOpenKey, Type: Inline - RelativeJump at address 0x8058272F hook handler located in [Mni41.sys]
    SYSENTER/Int 2E, Type: System Call & Inline at address 0x804DA04F hook handler located in [lzx32.sys]
    tcpip.sys+0x000036A2, Type: Inline - RelativeCall at address 0xF0BAF6A2 hook handler located in [lzx32.sys]
    tcpip.sys+0x0000D0C2, Type: Inline - RelativeCall at address 0xF0BB90C2 hook handler located in [lzx32.sys]
    tcpip.sys+0x0001786C, Type: Inline - RelativeCall at address 0xF0BC386C hook handler located in [lzx32.sys]
    tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF0BE5A04 hook handler located in [lzx32.sys]
    tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF0BE5A10 hook handler located in [lzx32.sys]
    tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF0BE5A0C hook handler located in [smtpdrv.sys]
    wanarp.sys+0x000050C1, Type: Inline - RelativeCall at address 0xF94B70C1 hook handler located in [lzx32.sys]
    wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xF94B77CC hook handler located in [smtpdrv.sys]
    wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF94B779C hook handler located in [smtpdrv.sys]
    wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xF94B77BC hook handler located in [smtpdrv.sys]
    wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF94B77A8 hook handler located in [smtpdrv.sys]
    Just a subnote to say thanks again for a forensic ark tool that has greatly assisted me in my malware hunting/infection recovery missions.The wipe/copy file tool is the bomb :D
     

    Attached Files:

  23. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Thanks for testing!

    I'm little surprised with lzx32.sys result

    That is something new. Can we get the copy of this Rustock variant? :)
     
  24. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Early buggy B build possiblyo_O but no probs on forwarding the sample.You have a PM @ sysinternals with a download URL for the dropper of this variant:thumb:
     
  25. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Got it, thanks. This rustock variant is old buggy B, but with some new early not seen hook inside wanarp.sys, interesting...

    What about Mni41.sys, it additionaly hooks some IRP in ntfs.sys, (see Drivers->References for ntfs.sys), for hiding file I guess.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.