Posted 16 February 2005 - 02:47 PM
Also, what about using tricks like these:
Do they work? Do you know of any free software that implements them?
Posted 16 February 2005 - 03:03 PM
Win2K/XP SDT Restore 0.2 (Proof-Of-Concept)
Win32 Kernel Rootkits modify the behaviour of the system by Kernel Native API hooking. This technique is typically implemented by modifying the ServiceTable entries in the Service Descriptor Table (SDT). This allows kernel rootkits to hide files, processes, and to prevent process termination. This proof-of-concept tool demonstrates the possibility of defeating such rootkits by removing Kernel Native APIs hooks and restoring the SDT back to its original state.
ApiHookCheck Version 1.01 (API Hook Check)
API hooking is a useful technique that can be used to monitor API calls used by Win32 programs. This allows understanding of the programs' functionalities based on the APIs that are called and their input parameters. However, API hooking is also used by rootkits and other malicious code to modify the behaviour of certain APIs to hide files, network ports, processes and services. This tool can help to detect the presence of system-wide API hooks that are implemented based on import/export table modifications and insertion of JMP instructions at the start of the real API.
when used together...
but this doesn't cover interrupt hooks, which are used by Fu:
The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!) All this without any hooking.
The FU rootkit can hide processes, elevate process privileges, fake out the Windows Event Viewer so that forensics is impossible, and even hide device drivers (NEW!). (Look, Mom, no hands!) It does all this by Direct Kernel Object Manipulation; no hooking! This project has been evolving over time. It was originally conceived as a proof-of-concept. FU is a play on words from the UNIX program "su" used to elevate privilege.
However, if instead you use Vice and Klister:
VICE - Catch hookers!
VICE is a tool to find hookers!
VICE is a tool to find hooks.
1. Looks for people hooking IAT's.
2. Looks for people hooking functions in-line aka detouring.
3. Looks for hooks in the System Call Table. Thanks to Tan perhaps it will fix the table in the future.
4. Looks for detour hooks in the System Call Table functions themselves.
5. Looks for people hooking IRP_MJ table in drivers. This is configurable by driver.ini.
klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures, in order to get reliable information about the system state (like list of all processes, including those "hidden" by rootkits, even by 'fu').
klister is a simple set of utilities for Windows 2000, designed to read the internal kernel data structures, in order to get reliable information about the system state (including list of all processes, including those "hidden" by some rootkits).
klister consists of a kernel module and some example userland programs which communicate with the kernel module in order to display some internal kernel data structures. The most interesting ones are the thread lists which are used by the kernel dispatcher (scheduler) code. When reading such an internal list we can be (almost ;)) sure that we're getting a list of all threads in the system (including those which belong to a hidden process), and it also means that we can create a complete list of ALL PROCESSES in the system.
I think you will be just fine...
Moral of story...to beat rootkits ask the experts.
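A detector in the spirit of what ApiHookCheck and VICE describe for in-line (detour) hooks, as an added example in C that is not code from either tool: it inspects the first bytes of a 32-bit API entry point for the common detour patterns. The sample prologue bytes and addresses are constructed here, and the code assumes a little-endian x86 host.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Result of inspecting the first bytes of an exported API entry point. */
typedef struct {
    int hooked;          /* 1 if the prologue looks like a detour */
    const char *kind;    /* human-readable description of the pattern */
    uint32_t target;     /* resolved JMP target when computable, else 0 */
} hook_check;

/* Inspect the bytes at 'code', assumed to live at virtual address 'va'.
 * Recognizes the detour patterns used by in-line hooks:
 *   E9 rel32         jmp rel32
 *   FF 25 addr32     jmp dword ptr [addr32]
 *   68 imm32 C3      push imm32 ; ret
 * Anything else is reported as clean. This is a heuristic: a detour placed
 * deeper in the function, or DKOM as used by FU, leaves no such pattern. */
hook_check check_prologue(const unsigned char *code, size_t len, uint32_t va) {
    hook_check r = {0, "clean prologue", 0};
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel; memcpy(&rel, code + 1, 4);        /* little-endian host */
        r.hooked = 1; r.kind = "jmp rel32";
        r.target = va + 5 + (uint32_t)rel;              /* rel is from next insn */
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        uint32_t addr; memcpy(&addr, code + 2, 4);
        r.hooked = 1; r.kind = "jmp dword ptr [addr32]";
        r.target = addr;                                /* pointer slot, not final target */
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        uint32_t imm; memcpy(&imm, code + 1, 4);
        r.hooked = 1; r.kind = "push imm32 ; ret";
        r.target = imm;
    }
    return r;
}

int main(void) {
    /* Constructed sample bytes: the classic Win32 API prologue
     * (mov edi,edi ; push ebp ; mov ebp,esp) and the same entry point
     * after a hook overwrote its first 5 bytes with a jmp rel32. */
    const unsigned char clean[]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
    const unsigned char hooked[] = {0xE9,0x00,0x10,0x00,0x00,0xEC,0x83,0xEC};
    hook_check a = check_prologue(clean,  sizeof clean,  0x7C801000u);
    hook_check b = check_prologue(hooked, sizeof hooked, 0x7C801000u);
    printf("clean : %s\n", a.kind);
    printf("hooked: %s -> 0x%08X\n", b.kind, b.target);
    return 0;
}
```

Run against real entry points, the bytes would come from the loaded module's export table rather than from the constructed arrays, and a flagged target that lies outside the owning module is the signal worth following up.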
Posted 17 February 2005 - 01:52 AM
I used to have something similar on my Linux, but can't remember the name (help!). Since I don't have any Linux running at this time I can't find it. It sounded something like rkdetect or so..