SysReveal v1.0.0.70 released

Discussion in 'other anti-malware software' started by niucool, Mar 24, 2011.

Thread Status:
Not open for further replies.
  1. niucool

    niucool Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    6
    SysReveal is yet another anti-rootkit tool for rootkit detection and removal. It can check the following items:
    Hidden process
    Hidden driver
    Hidden module
    SSDT hook
    Shadow SSDT hook
    IDT
    System Notify
    Windows hook
    Driver hook
    Object hook
    FSD hook
    DPC
    System thread
    Dispatch hook
    Attach devices
    etc.

    snapshot:
    http://www.sysreveal.com/images/sysreveal-en.png
    download address:
    http://www.sysreveal.com/download/SysReveal.zip
    version history: (Sorry, most in Chinese now.)
    http://www.sysreveal.com/sysreveal-history/
     
    Last edited: Mar 24, 2011
  2. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    Thanks, but is it Chinese?
    Edit :

    Oh sorry, I didn't notice that.
    Yet I will try it.
     
  3. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    293
    Now there's an interesting quote:


    "We are from ToSR (Team of System Revealer). We are interested in anti-virus, anti-rootkit and other security related technologies. We provide our tools for free, please use at your own risk."
     
  4. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I would not read much into that.
    Playing with the system at the kernel level is not for Joe Average and could cause many problems if it is done by an apprentice wizard. ;)
     
  5. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    Ooh... it's English... it has some cool features. Now I just need to put it under a real test and let's see.
     
  6. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I hope you get back to us, SUPERIOR, and let us know how you like it! :)
     
  7. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    Um... it was a little bit disappointing. I ran Stuxnet and SysReveal couldn't reveal anything suspicious, except when I ran the file manager, which showed the hidden shortcut file.
    But on the other hand, showing strings in memory was a very good thing, helping to find some suspicious strings in memory.
     
  8. niucool

    niucool Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    6
    :p Let me explain why this tool should be used at your own risk.
    1. As we all know, combating rootkits is always tough and risky.
    2. SysReveal is an anti-rootkit tool for advanced users; it integrates many anti-rootkit technologies and supports various kernel-mode ways to unhook and clean up rootkits/malware. If you do not understand all the concepts of rootkit technologies, you should be very careful when trying SysReveal (and maybe other anti-rootkit tools).
    3. We provide this tool for free; it has been released for more than one year since its first version, and all major bugs and BSODs are fixed. But we cannot promise that it will always run properly on your system.

    So why not have a try (maybe in your VMware or VirtualBox) and give me your advice? At least it has already been downloaded over 30,000 times, and I am confident that it surely has some good functions worth trying.
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Last edited: Mar 24, 2011
  10. niucool

    niucool Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    6
    Hi SUPERIOR, thank you for trying SysReveal. I just tried a Stuxnet sample (MD5: dd1952a118f578754a6626098072a2f7).
    VirusTotal link:
    ~ VirusTotal Results URL Removed per Policy ~
    Testing OS: Windows XP SP2

    mrxcls.sys and mrxnet.sys, dropped by Stuxnet, can be shown in the "Driver" tab, but since both of them have digital signatures, they may be hidden by default; please click "Hide normal drivers" in the toolbar above to show all drivers.
    Both the file explorer and the registry explorer of SysReveal use low-level technologies to avoid items being hidden by rootkits, so all dropped items can be shown.
     
    Last edited by a moderator: Mar 24, 2011
  11. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    @niucool
    Thanks for your response... actually I said that nothing suspicious was found.
    I will take a deeper look and see.
    How about hooked services and processes... SysReveal couldn't see any.
    One more question... does the "show strings" function display the strings in all memory or just the process I have chosen?

    PS: I got 32 suspicious processes and only one trusted? How can I distinguish between them (no color difference or any hint to make that difference clear)?

    PSS: Interesting thing: when I checked the Stuxnet drivers for signature verification... I got an error which states that those drivers aren't truly legit :O
     

    Attached Files: 1.JPG
    Last edited: Mar 25, 2011
  12. niucool

    niucool Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    6
    Thanks for your response... actually I said that nothing suspicious was found.
    I will take a deeper look and see.
    How about hooked services and processes... SysReveal couldn't see any.

    You mean detection of hidden processes and services?
    SysReveal has some low-level ways to detect them, but maybe not including your samples.

    One more question... does the "show strings" function display the strings in all memory or just the process I have chosen?

    Just the process you choose. You may also notice that there is a disasm view to check the entry code quickly.


    PS: I got 32 suspicious processes and only one trusted? How can I distinguish between them (no color difference or any hint to make that difference clear)?

    Maybe the word "suspicious" is not suitable here; a more precise word is unknown process. If you want to verify processes automatically, please check the option "Auto verify digital signatures" in the preferences dialog. Then a background thread will automatically check the digital signatures of the process files. The process dialog will refresh when ready.

    The meaning of the process colors:
    Black: The process and all its modules are from M$. (Absolutely safe)
    Blue: The process file is not from M$, but it has a digital signature or was set trusted by the user. (Basically safe)
    Red: The process file is not from M$, and it does not have a digital signature.
    Pink: The process file is from M$, but it contains module(s) which do not have a digital signature or are not set trusted by the user.
    Grey: The process is hidden.

    PSS: Interesting thing: when I checked the Stuxnet drivers for signature verification... I got an error which states that those drivers aren't truly legit :O

    I only right-clicked the driver files in the explorer and found a digital signature tab; I did not verify whether it is true or fake. I will check this if I have time.
     

    Attached Files: pref.png
  13. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    Thanks again for your quick reply.
    I didn't choose the "suspicious" word myself; have a closer look at the picture I posted in my earlier reply :D

    If so, why are all the processes red in the same picture from my earlier post, though most of them are Microsoft signed? o_O

    I will test more samples and give feedback.
     
  14. niucool

    niucool Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    6
    If so, why are all the processes red in the same picture from my earlier post, though most of them are Microsoft signed?

    I think there may be two reasons:
    1. You did not check the "Auto verify digital signatures" option.
    2. You have checked the "Auto verify digital signatures" option, but it takes some time for the background thread to verify all the files; the colors will change automatically after the processes are verified.
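    As an added illustration (not SysReveal's own code, but a constructed model of the color legend from post 12 and of the background verification described in post 14): a file that has not been verified yet counts as neither Microsoft nor signed, which is exactly why every process shows red until the "Auto verify digital signatures" thread finishes. The publisher strings, file names and catalog are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed model of the process legend, added here; not SysReveal's own code.
MS = "Microsoft"  # assumed publisher label for files the tool treats as "from M$"

@dataclass
class FileInfo:
    path: str
    publisher: Optional[str] = None  # None = not verified yet, "" = no valid signature
    user_trusted: bool = False       # user explicitly set the file trusted
    def from_ms(self) -> bool:
        return self.publisher == MS
    def ok(self) -> bool:  # any valid signature or explicit trust; pending is not ok
        return bool(self.publisher) or self.user_trusted

@dataclass
class ProcessInfo:
    image: FileInfo
    modules: List[FileInfo] = field(default_factory=list)
    hidden: bool = False

def process_color(p: ProcessInfo) -> str:
    """Legend colour. Unverified files count as neither Microsoft nor signed,
    which is why every process shows red until the background check finishes."""
    if p.hidden:
        return "grey"
    if p.image.from_ms():
        if all(m.from_ms() for m in p.modules):
            return "black"
        if all(m.ok() for m in p.modules):
            return "blue"  # assumption: legend is silent on signed non-MS modules
        return "pink"
    return "blue" if p.image.ok() else "red"

def verify_all(procs: List[ProcessInfo], catalog: Dict[str, str]) -> None:
    """Stand-in for the 'Auto verify digital signatures' background thread."""
    for p in procs:
        for f in [p.image, *p.modules]:
            f.publisher = catalog.get(f.path, "")  # not in catalog -> unsigned

# Constructed sample data: file names and the publisher a verification pass returns.
CATALOG = {"svchost.exe": MS, "ntdll.dll": MS, "explorer.exe": MS,
           "vendor.exe": "Some Vendor Ltd"}

def sample_processes() -> List[ProcessInfo]:
    return [ProcessInfo(FileInfo("svchost.exe"), [FileInfo("ntdll.dll")]),
            ProcessInfo(FileInfo("explorer.exe"), [FileInfo("shellext.dll")]),
            ProcessInfo(FileInfo("vendor.exe")),
            ProcessInfo(FileInfo("tool.exe", user_trusted=True)),
            ProcessInfo(FileInfo("dropper.exe"), hidden=True)]
```

    Calling process_color on sample_processes() before verify_all gives red for every unverified image (the user-trusted one stays blue, the hidden one grey); after verify_all the same list resolves to black, pink, blue, blue, grey.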
     
  15. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    OK, I tested many samples and it seems to be working perfectly so far.
    Just one request:
    can you please add a "search" feature in the strings function for memory... that would be awesome.

    Thanks a lot for the support.
     
  16. niucool

    niucool Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    6
    OK, I tested many samples and it seems to be working perfectly so far.

    :D I'm glad to hear that.

    can you please add a "search" feature in the strings function for memory... that would be awesome.

    "Ctrl+F" and "F3" should work in all list views, but there are no corresponding menu items yet.
     