Rootkit Unhooker

Discussion in 'other anti-malware software' started by Z0mBiE, Dec 11, 2006.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: RkUnhooker RC3 released

    f3x say :
    Then how you detect VM?
     
  2. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Instruction execution timing comparison. In a normal situation, between two instructions like rdtsc there should be no more than 5 ticks. A VM gives > 300-5000 ticks. Unfortunately things like SSM and other real-time tools dramatically reduce computer performance and it becomes really slow (>3000 ticks between two instructions). That is unacceptable.
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: RkUnhooker RC3 released

    Ah, I'm interested, that is all. I use a special VM not because it is a parasite but because the environment is clean, and anything VMware software and hardware related. I thought it checked the LDT like RedPill or Scooby-Doo.
    Yes, undesirable.
     
  4. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    We found that this issue with degraded performance (where normal computers are detected as Virtual Machines) can also be related to Intel processors with Hyper-Threading.

    This test program will show you how many ticks there are between two rdtsc instructions on your computer. Enjoy and watch the consequences of "security tools overload".

    http://rku.xell.ru/dl/Test2.rar
     
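The timing probe EP_X0FF describes above (post 2) and the test program offered in post 4, reconstructed as an added C example that is not the Test2 program from rku.xell.ru: it measures the cycles between two back-to-back rdtsc reads and classifies the result with the thresholds quoted in post 2. The min-over-N sampling is my assumption, added to blunt the false positives from HIPS hooks and Hyper-Threading that the thread complains about; on non-x86 builds a nanosecond clock stands in for the TSC.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline uint64_t read_tsc(void) { return __rdtsc(); }
#else
/* Fallback for non-x86 hosts (assumption): a monotonic ns clock replaces the TSC. */
static inline uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

enum tsc_verdict { TSC_NATIVE = 0, TSC_AMBIGUOUS = 1, TSC_VM_OR_OVERLOADED = 2 };

/* Smallest delta between two consecutive rdtsc reads over n samples.
   A single sample can be inflated by an interrupt, an SSDT hook firing, or
   a sibling hyper-thread; taking the minimum keeps the best-case value,
   which is what a VM exit cannot hide. Returns UINT64_MAX when n == 0. */
uint64_t min_tsc_delta(unsigned n) {
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < n; i++) {
        uint64_t a = read_tsc();
        uint64_t b = read_tsc();
        uint64_t d = b - a;
        if (d < best) best = d;
    }
    return best;
}

/* Thresholds from the post: <= 5 ticks native, >= 300 ticks looks like a VM.
   As the thread notes, a heavily hooked host lands in the same band, so the
   result is "VM or overloaded", never a certain VM detection. Modern CPUs
   give larger native deltas than the 2006-era figure of 5. */
enum tsc_verdict classify_delta(uint64_t d) {
    if (d <= 5) return TSC_NATIVE;
    if (d >= 300) return TSC_VM_OR_OVERLOADED;
    return TSC_AMBIGUOUS;
}

int main(void) {
    uint64_t d = min_tsc_delta(100000);
    static const char *names[] = { "native", "ambiguous", "vm-or-overloaded" };
    printf("min rdtsc delta: %llu ticks -> %s\n",
           (unsigned long long)d, names[classify_delta(d)]);
    return 0;
}
```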
  5. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: RkUnhooker RC3 released

    Hi EP_XOFF

    Congratulations on a very good tool. Especially the ability to dump/wipe malware files out of ADS is a very good trick, kudos :D

    ~removed un-necessary virustotal scan....Bubba~

    Additional Information
    File size: 69490 bytes
    MD5: 2118623523528bda022a27dddc371c0c
    SHA1: 3b1ae674c3cb8d64317c756dcef217cefa5eab3f

    Rustock A, B have no hiding place now; where is C hiding ;)
     
    Last edited by a moderator: Dec 16, 2006
  6. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Thank you fcukdat.

    Probably soon we will release something that will answer your question ;)
     
  7. TECHWG

    TECHWG Guest

    Re: RkUnhooker RC3 released

    I don't think I can trust this software when it uses names like that. Maybe after it comes out of RC and people have used it. But I personally wanted to see what it's like, and people say it doesn't work in VMware + this file name... ah eh nope, no way. Not running on my system.
     
  8. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    LOL!

    Hi, TECHWG.

    RkZombie.exe - this is a service which is used to create a random name for the Rootkit Unhooker executable after it finishes its installation. After it renames RkUnhooker it deletes itself. Don't spread panic; if we wanted to create malware then it would be impossible to detect by such things as ProSecurity.

    I understand that everybody here loves their security tools, but they are really annoying when something is just trying to do its legal job.

    About RC in the title.
    Our program is more stable than most of the SpywareXXXXXX tools that are listed here.
     
  9. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    Re: RkUnhooker RC3 released

    @TECHWG

    Easy man :) It is a simple zombie :D application. You will be really surprised when you see what's happening in ProSecurity's internals :)

    rkzombie.exe deletes itself, I can confirm that. It renames rkunhooker.exe and creates a shortcut for it in the "Start" menu, nothing else, so no panic here :) Look at SSM - :gack: real malware
     
  10. TECHWG

    TECHWG Guest

    Re: RkUnhooker RC3 released

    LMAO, err, what are you implying? lol, maybe I am just in a funny mindset today but that comment makes me smile :p
     
  11. TECHWG

    TECHWG Guest

    Re: RkUnhooker RC3 released

    Well a) why would they/you, whoever, name it like this? It's obviously going to set alarm bells going off in the heads of people that monitor executions. Especially for people like myself that have had dealings with zombie botnets and their idiot creators. Also if you were hypothetically to develop a malware that would be IMPOSSIBLE to detect, then why don't you help the community by making a proof of concept to further the security of us all. Then SSM, ProSecurity and all the other HIPS software can be inoculated against a wider range of threats.
     
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    A renamer service will sound crazy. You should never see that file. Look at NAV - it contains a "dodgy" dll inside its binaries. It's not a joke =)

    We already created such a PoC more than six months ago. It is called RkDemo and is detectable only by DarkSpy/GMER/RkUnhooker.
     
  13. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Re: RkUnhooker RC3 released

    I don't think it's a good idea to speak that way at Wilders. Some less advanced users could misunderstand that. For most users SSM does a good job.
     
  14. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Ok, let's forget about SSM? We have totally polar opinions about it and its behaviour.
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Re: RkUnhooker RC3 released

    I'm interested in the "dodgy" DLLs of NAV
     
  16. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    I remember that somewhere in that thread we discussed some problems with NAV and a dodgy dll/application inside.

    http://forum.sysinternals.com/forum_posts.asp?TID=5726
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: RkUnhooker RC3 released

    off topic posts removed

    To all,

    Technical discussion and opinions in regards to RkUnhooker RC3 being released are welcome. This back-and-forth commentary between members is not... nor will it continue. That's about as plain as it gets.

    Thanks,
    Bubba
     
  18. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    Re: RkUnhooker RC3 released

    @EP_X0FF

    Is there any chance that the VM/virus false positive warnings will be fixed in the next release? Such kinds of messages really annoy people :p

    btw, nice cleaning up here. yNc has been moderated :thumb:
     
  19. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    Yes, all are fixed in RC4. Just wait a few days for the release.
     
  20. EASTER.2010

    EASTER.2010 Guest

    Re: RkUnhooker RC3 released

    RKUnhooker has to be the most thought-provoking invention to surface in many years, if ever. Allow me to bring attention that MANY formidable malware designs deliberately disable the CMD shell, which renders command line tools/detectors of no effect, so in that case Modgreper/SVV etc. are of no effect whatsoever. That eliminates the chance of being able to contribute to finding data revealing the malware, leaving only the GUI detectors as a last resort to uncover hidden intruders..
    So GUI programs

    Keep in mind command line tools are easily LIMITED and if your inventory uses those, they are simple to become disabled.
     
  21. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    This topic is a little out-of-date, we published RC4

    list of changes:

    improved: overall speed of all scanning engines
    fixed: some bugs in hooks detection engine
    further internal optimisation
    VM detection moved to separate function in "Tools" menu
    updated: program help file

    Free and still available from www.rku.xell.ru ;)
     
  22. bryanjoe

    bryanjoe Registered Member

    Joined:
    Feb 23, 2006
    Posts:
    380
    Re: RkUnhooker RC3 released

    just installed RkUnhooker

    how to know what to unhook?

    newbie here !!!
     
  23. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Re: RkUnhooker RC3 released

    That depends on what you are searching for. If you are sure that you have a rootkit then carefully analyse any information from RkUnhooker. Do a scan (on the Report page) and watch the results.

    I see that you have installed SSM, so probably you already got the "parasite" message - let RkUnhooker kill the parasite, it is normal and related to SSM behaviour. Also any other real-time scanners/defenses can affect the work of RkUnhooker, take care. SSM will gather many false positives during a scan, because it fully hooks the SSDT. Do not unhook entries with safemon.sys -> it is the SSM driver.
     
  24. TECHWG

    TECHWG Guest

    Re: RkUnhooker RC3 released

    lol it was not out of date yesterday when I downloaded RC3
     
  25. TECHWG

    TECHWG Guest

    Re: RkUnhooker RC3 released

    well ProSecurity blocked 2 actions that the demo tried to do, but it finally gave me a reason to clean this puppy off and reformat lovely and clean because it clashed with PS on reboot, and rather than fix it at 3 AM I decided to format and make a nice new ghost image :thumb:

    But PS detected it trying to make 2 changes including in the registry about services or a driver or something.

    WG
     