RootkitRevealer

Thread starter: Paul R. Sadowski [MVP]

Hello, All!
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

RootkitRevealer is an advanced root kit detection utility. It runs on
Windows NT 4 and higher and its output lists Registry and file system API
discrepancies that may indicate the presence of a user-mode or kernel-mode
rootkit. RootkitRevealer successfully detects all persistent rootkits
published at www.rootkit.com, including AFX, Vanquish and HackerDefender
(note: RootkitRevealer is not intended to detect memory-based rootkits like
Fu that don't survive reboots).


With best regards, Paul R. Sadowski [MVP]. E-mail: (e-mail address removed)
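The "API discrepancies" the description refers to are found by cross-view comparison: one enumeration of the Registry or file system taken through the documented Windows API (which a rootkit can hook and filter) is compared against one read from the raw on-disk structures, and anything present in one view but not the other is reported. The script below is an added illustration of that comparison step, not code from Sysinternals or from this thread; both views are constructed sample data, and raw hive/MFT parsing is assumed to have happened elsewhere.

```python
"""Cross-view discrepancy check (the principle behind RootkitRevealer).
Both views are constructed sample data; in a real tool the 'raw' view
would come from parsing the hive files and MFT directly."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # Registry key/value path or file path
    size: int   # data/file size in bytes; a mismatch is also a discrepancy


def find_discrepancies(api_view, raw_view):
    """Return (path, kind) tuples describing every mismatch between views.

    kind is one of:
      'hidden-from-api' -> in raw view only (classic hiding signature)
      'api-only'        -> in API view only (often benign: created mid-scan)
      'size-mismatch'   -> in both views with different sizes
    Windows paths are case-insensitive, so keys are casefolded first to
    avoid reporting 'kernel32.dll' vs 'KERNEL32.DLL' as a discrepancy.
    """
    api = {e.path.casefold(): e for e in api_view}
    raw = {e.path.casefold(): e for e in raw_view}
    findings = []
    for key in sorted(raw.keys() - api.keys()):
        findings.append((raw[key].path, "hidden-from-api"))
    for key in sorted(api.keys() - raw.keys()):
        findings.append((api[key].path, "api-only"))
    for key in sorted(api.keys() & raw.keys()):
        if api[key].size != raw[key].size:
            findings.append((api[key].path, "size-mismatch"))
    return findings


# Constructed sample views: the API view is missing one service key and one
# driver file, and contains one log file that appeared while scanning.
API_VIEW = [
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Beep", 0),
    Entry(r"C:\Windows\System32\kernel32.dll", 1_000_000),
    Entry(r"C:\Windows\Temp\scan-tmp.log", 12),
]
RAW_VIEW = [
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Beep", 0),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleHidden", 0),
    Entry(r"c:\windows\system32\KERNEL32.DLL", 1_000_000),
    Entry(r"C:\Windows\System32\example_hidden.sys", 4096),
]

if __name__ == "__main__":
    for path, kind in find_discrepancies(API_VIEW, RAW_VIEW):
        print(f"{kind:16} {path}")
```

An 'api-only' entry is usually a file written between the two enumerations rather than a rootkit, which is why such tools are described as fool-able in both directions and why a hit should be re-scanned before being acted on.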
 
Hey that's great! It seems that Windows based rootkits have been really
increasing in popularity among the less savvy script kiddies lately.

The only problem that I can see is that I am sure someone will write a
snippet of code that you can add to your rootkit that will allow it to fool
this tool from sysinternals and then sysinternals will have to update their
tool, repeat cycle.
 
Hello, megascout29:
On Fri, 25 Feb 2005 13:23:05 -0800: you wrote...

m> Hey that's great! It seems that Windows based rootkits have been really
m> increasing in popularity among the less savvy script kiddies lately.
m>
m> The only problem that I can see is that I am sure someone will write a
m> snippet of code that you can add to your rootkit that will allow it to
m> fool this tool from sysinternals and then sysinternals will have to
m> update their tool, repeat cycle.

Well, it's just a new tool and the first. We'll have to see what comes of
it.

Regards, Paul R. Sadowski [MVP].
 
In microsoft.public.win2000.cmdprompt.admin Paul R. Sadowski [MVP]
wrote:
Hello, megascout29:
On Fri, 25 Feb 2005 13:23:05 -0800: you wrote...

m> Hey that's great! It seems that Windows based rootkits have been really
m> increasing in popularity among the less savvy script kiddies lately.
m>
m> The only problem that I can see is that I am sure someone will write a
m> snippet of code that you can add to your rootkit that will allow it to
m> fool this tool from sysinternals and then sysinternals will have to
m> update their tool, repeat cycle.

Well, it's just a new tool and the first. We'll have to see what
comes of it.

Right. A first effort using particular techniques that is clearly
indicated as both "no guaranty" and potentially fool-able. I'm happy
to have it as a useful tool while knowing that no such tool is
invincible or perfect.
 