Swatkat's rants

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 20 February 2006

Detecting Rootkits using "normal" tools

Posted on 10:39 by Unknown
Most of the Rootkits hide their processes, files and folders using API hooking techniques. Normal system tools like Windows Task Manager, Windows Explorer etc. use some Windows APIs to get the list of running processes or to show the files and folders in the system, respectively. Rootkits hook these APIs and manipulate the results so as to hide themselves. As a result, Windows Task Manager, Windows Explorer and similar tools don't "see" the rooted files.

But, there's an ingenious tool called AntiHookExec, which runs a specified program with all the hooks removed. AntiHookExec tries to find out the API hooks present in the system and if it finds any, then it "restores" the original APIs. So, the program which is started from AntiHookExec will not be affected by the API hooks of the Rootkit. AntiHookExec is an easy to use command line tool. The syntax is as shown below:

AntiHookExec ProgramName

where ProgramName is the name of the program (with its path) which needs to be started through AntiHookExec.

For example, to start Windows Task Manager through AnitHookExec, the command would be:

AntiHookExec Taskmgr.exe

Similarly, to start HijackThis through AntiHookExec, the command would be:

AntiHookExec C:\HJT\HijackThis.exe

assuming that HijackThis.exe is present in the folder C:\HJT\.

Below screenshots show the HackerDefender Rootkit's process and files visible in Windows Task Manager and Agent Ransack, a search tool, both of which started through AntiHookExec.

Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Ax Video Plugin
    Ax Video Plugin is one of the latest fake codec/plugin in the block. The site http://axvideodownload.com/ uses the same old fake "Vide...
  • Spyware Guard 2008
    Spyware Guard 2008 is a new rogue application. Does that name sound familiar? Well, yes, there is a legitimate application named SpywareGuar...
  • Javacool EULAlyzer!
    Have you ever read those ultra-long EULA (End User License Agreement) pages while you are installing any software? I think no one will read ...
  • Zlob brings back fake MP3s!
    Last August, I had blogged about Zlob gang using fake MP3 download sites to push their malware (link here ). Afterwards, we started to see m...
  • Myphonegames.co.uk hacked?!
    It seems that some pages of a mobile-phone games website www.myphonegames.co.uk have been hacked to execute malicious looking Javascript. A...
  • twitcurl - C++ twitter API library
    twitcurl is an open-source pure C++ library for twitter REST APIs. Currently, it has support for most of the twitter APIs and it will be upd...
  • DomPlayer - Rogue Multimedia Player
    DomPlayer is a new rogue multimedia player on the loose. The gang behind DomPlayer is making use of fake video files (available as torrents)...
  • Some new malware - a.exe, gop.exe etc
    We have some "new" malware this time, ranging from trojans to rootkits. One of them is a trojan which detected by some of the AVs ...
  • ThinkPoint rogue antivirus
    ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. ...
  • Removing Mailbot.AZ (aka Rustok.A) Rootkit
    Mailbot.AZ (also known as PE386 or Rustock.A) is a kernel mode rootkit backdoor virus. It contains only one file-its driver-and it is stored...

Categories

  • a.exe
  • Autohotkey
  • C++
  • fake mp3 downloads
  • gop.exe
  • NewMediaCodec
  • OAuth
  • Orkut hating virus
  • Privacy Protector
  • rootkit
  • SysProt AntiRootkit
  • TDSServ rootkit removal
  • twitCurl
  • twitter
  • Udefender
  • Ultimate Cleaner
  • vdo_
  • Zlob
  • Zlob rootkit

Blog Archive

  • ►  2013 (1)
    • ►  June (1)
  • ►  2010 (6)
    • ►  October (2)
    • ►  September (2)
    • ►  July (1)
    • ►  April (1)
  • ►  2009 (12)
    • ►  September (1)
    • ►  May (1)
    • ►  April (1)
    • ►  March (4)
    • ►  January (5)
  • ►  2008 (44)
    • ►  December (6)
    • ►  November (6)
    • ►  October (4)
    • ►  September (15)
    • ►  August (2)
    • ►  June (2)
    • ►  May (1)
    • ►  April (1)
    • ►  March (6)
    • ►  January (1)
  • ►  2007 (38)
    • ►  December (1)
    • ►  November (2)
    • ►  October (9)
    • ►  September (2)
    • ►  August (8)
    • ►  July (11)
    • ►  June (3)
    • ►  March (2)
  • ▼  2006 (6)
    • ►  September (1)
    • ►  August (2)
    • ►  May (1)
    • ▼  February (2)
      • Detecting Rootkits using "normal" tools
      • Rootkit detection, removal and prevention!
  • ►  2005 (30)
    • ►  December (2)
    • ►  November (2)
    • ►  October (4)
    • ►  September (5)
    • ►  August (11)
    • ►  July (6)
Powered by Blogger.

About Me

Unknown
View my complete profile