SysReveal v1.0.0.70 released

SysReveal is yet another anti rootkit tool for rootkit detection and removal. It could check following items:
Hidden process
Hidden driver
Hidden module
SSDT hook
Shadow SSDT hook
IDT
System Notify
Windows hook
Driver hook
Object hook
FSD hook
DPC
System thead
Dispatch hook
Attach devices
etc.

snapshot:
http://www.sysreveal.com/images/sysreveal-en.png
download address:
http://www.sysreveal.com/download/SysReveal.zip
version history: (Sorry, most in Chinese now.)
http://www.sysreveal.com/sysreveal-history/

 

thanks but is it chinese?
Edit :

oh sorry i didnt notice that
yet i will try it

 

Now there's an interesting quote:


"We are from ToSR (Team of System Revealer). We are interested in anti-virus, anti-rootkit and other security related technologies. We provide our tools for free, please use at your own risks."

 

i would not read much into that.
playing with the system at the kernel level is not for Joe Average and could cause much problems if it is done by an apprentice wizard.

 

ooh ...its english ...it has some cool features..now i just need to put it under real test and let's see

 

i hope you get back to us SUPERIOR and let us know how you like it!

 

um.... it was alittle bit disappointed i run stuxnet and sysreveal coundnt reveal anything suspicious except when i run the file manager which showed the hidden shortcut file
but on the other hand, showing strings in memory was very good thing helping to find some suspicious strings in memory

 

Let me explain why this tool should use at your own risk.
1. As we all know, combating with rootkit is always tough and risky.
2. SysReveal is an anti-rootkit tool for advanced users, it integrates many anti-rootkit technologies, and supports various kernel mode ways to unhook and cleanup rootkit/malware. If you did not understand all concepts of rootkits technologies, you should be very careful when trying SysReveal (and maybe other anti-rootkit tools).
3. We provide this tool for free, it has been released for more than one year since its first version, all major bugs and BSODs are fixed. But we could not promise that it could always run properly under your system.

So why not have a try(maybe in your vmware or virtualbox) and give me your advices? At lease it is already downloaded over 30,000 times, and I have my confidence that it surely has some good functions worth trying.

 

OT Sysreveal with cloud query - ThreatenReveal .

 

Hi, SUPERIOR. thank you for trying SysReveal. I just tried a stuxnet sample(md5: dd1952a118f578754a6626098072a2f7).
VirusTotal link:
~ VirusTotal Results URL Removed per Policy ~
Testing OS: Windows XP SP2

mrxcls.sys and mrxnet.sys dropped by stuxnet could be shown in the "Driver" tab, but since both of them have digital signatures, they are maybe hidden by default, please click "Hide normal drivers" in the toolbar above to show all drivers.
Both file explorer and registry explorer of SysReveal use low level technologies to avoid items being hidden by rootkits, all dropped items could be shown.

 

@niucool
thanks for your respond ... actually i said that nothing suspicious found
i will take a deeper look and see
how about hooked services and processes ...sysreveal couldnt see any
one more question ...showing string function displays the strings in all memory or just the process i have choose?

PS : i got 32 suspicious processes and only one trusted? how can i distinguish between them(no color difference or any hint to make that difference clear)

PSS: interesting thing that when i checked stuxnet drivers for signature verification ...i got error which states that those drivers arent truly legit :O

 

thanks for your respond ... actually i said that nothing suspicious found
i will take a deeper look and see
how about hooked services and processes ...sysreveal couldnt see any

You mean detection of hidden process and services?
SysReveal has some low level ways to detect them, but maybe not including your samples.

one more question ...showing string function displays the strings in all memory or just the process i have choose?

Just the process you choose. You may also notice there also exists a disasm view to check the entry code quickly.


PS : i got 32 suspicious processes and only one trusted? how can i distinguish between them(no color difference or any hint to make that difference clear)

Maybe word "suspicious" is not suitable here, a more precise word is unknown process. If you want to verify processes automatically, please check the option: "Auto verify digital signatures" in the preference dialog. Then a background thread will auto check digital signatures of process files. Process dialog will refresh when ready.

The meaning of the process color:
Black: The process and all its modules are from M$. (Absolutely safe)
Blue: The process file is not from M$, but they have digital signatures or set trusted by users. (Basically safe)
Red: The process file is not from M$,and it does not have digital signature.
Pink: The process file is from M$, but it contains module(s) which does not have digital signature or not set trusted by users.
Grey: The process is hidden.

PSS: interesting thing that when i checked stuxnet drivers for signature verification ...i got error which states that those drivers arent truly legit :O

I only right clicked the driver files in the explorer and found a tab of digital signature, I did not verify if it is true or fake. I will check this if I have time.

 

Thanks again for ur quick reply

i didnt choose the "suspicious" word by myself if u have a closer look at the picture i posted in my earlier reply

if so, why all the processes are red in the same picture for my earlier post though most of them are microsoft signatured

i will test more samples and give feedback

 

if so, why all the processes are red in the same picture for my earlier post though most of them are microsoft signatured

I think there may have two reasons:
1. You did not check the "Auto verify digital signatures" option.
2. You have checked the "Auto verify digital signatures" option, but it took some time for the background thread to verify all files, colors will change automatically after processes are verified.

 

ok i tested many samples and seems like working perfectly so far
just one request
can you please add feature "search" in string function for memory ...that would be awesome

Thanks alot for support

 

ok i tested many samples and seems like working perfectly so far

I'm glad to here that.

can you please add feature "search" in string function for memory ...that would be awesome

"Ctrl+F" and "F3" should work in all list views, but there are no corresponding menu items now