Thread: Here's a preview...

  1. #1 PepiMK, Member of Team Spybot (Join Date: Oct 2005, Location: Planet Earth, Posts: 3,385)

    Here's a preview...

    newest version here

    Purpose: detecting rootkits.

    Quick overview: when you start RootAlyzer, it performs a very quick scan of a few important places, taking about a second on modern machines. To check the full system, click on the Deep Scan tab.

    Background: Rootkits like to hide by blending into system functions and avoiding being listed themselves. Windows systems are quite complex though: files and registry entries can be listed in various ways, processes are referred to in different places, and many rootkits just don't hide from all of them, but only from the standard ones that hide them from the regular user. RootAlyzer goes through the file system, the registry and process-related lists using various different methods, and compares the results.

    Some screenshots: to see what I'm talking about, here are some screenshots:
    • The Quick Scan screen shown when starting the application:

    • The drive selection when switching to the Deep Scan:

    • The Deep scan itself:

    • Properties shown for a hidden file:

    • Properties shown for a hidden registry key:

    • Properties for a hidden process:

    • More properties for a hidden process:

    The property sheets are actually a bit newer inside the release version, offering Delete/Terminate buttons.

    It's a work-in-progress (with a new project tools category available here to track bugs and feature requests), but it's already helping to easily locate some of the current malware rootkits.
    Last edited by PepiMK; 2008-03-22 at 10:46. Reason: updated from 0.1.1.13 to 0.1.2.21
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  2. #2 honda12, Senior Member (Join Date: Nov 2007, Location: UK, Posts: 683)

    wow, it looks great! Is it vista compatible?

    btw there is a small typo

    Some screenshots: to see what I'm taking about
    "to see what i'm talking about"
    -honda12

  3. #3 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 32,905)

    Quote Originally Posted by honda12:
    btw there is a small typo
    "to see what i'm talking about"
    Microsoft MVP. Consumer Security 2006-2014


  4. #4 PepiMK, Member of Team Spybot (Join Date: Oct 2005, Location: Planet Earth, Posts: 3,385)

    Ah yes, compatibility, should've mentioned that somewhere.

    The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compares NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

    The screenshots show XP, admitted. Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.

  5. #5 PepiMK, Member of Team Spybot (Join Date: Oct 2005, Location: Planet Earth, Posts: 3,385)

    Screenshots of the log in the next version (ignore the results shown, those are fake entries to have something visible while debugging):


  6. #6 Malware Team-Emeritus (Join Date: Jul 2007, Location: Little Red Dot, Posts: 528)

    Deleted.
    Last edited by ndmmxiaomayi; 2008-02-27 at 06:25. Reason: Should have read properly.
    Tashi delek. There is sunshine in a smile; those who never give up always have hope.

    Please do not message me for help. Create a new topic in the Malware Removal room instead.

  7. #7 Malware Team-Emeritus (Join Date: Jul 2007, Location: Little Red Dot, Posts: 528)

    Does RootAlyzer use a driver?

    The last time I tested a rootkit scanner, it crashed my Vista so badly that I had to re-image my Vista back.

  8. #8 PepiMK, Member of Team Spybot (Join Date: Oct 2005, Location: Planet Earth, Posts: 3,385)

    No, it does not.
    Though a file system filter service/driver might be something to look at in a future version. But if it does, then not permanently installed, but just for the moment.
    What it does now is just communicate more directly with the NT level of the Operating System, instead of using the Win32 subsystem.
    If rootkits would hide on the NT level as well (not the standard rootkit of current malware), that would indeed ask for a filesystem filter. Or that other solution in the coming Spybot-S&D plugins update.

  9. #9 Malware Team-Emeritus (Join Date: Jul 2007, Location: Little Red Dot, Posts: 528)

    Thanks.

  10. #10 Junior Member (Join Date: Mar 2008, Posts: 2)

    With Windows 2000 the Rootalyzer does not look like the screenshot. The icons are missing as well as the detailed information in the quick scan window (see my attachment).

    While testing the deep scan I wondered if the Rootalyzer would find objects with a broken ACL. Obviously it does not.

    The background is: Some time ago I screwed up the Windows installer. At first I didn't know how I'd done it, but then it became clear that I had likely messed it up with a reg cleaning utility. After a lot of searching I found out that there were some installer-related registry keys that couldn't be accessed (with regedit). With regedt32 I found out that the keys didn't have any account authorised on them. (Later I've been told that this is called a "broken ACL".) After taking over ownership and authorising the keys, the installer was working again.

    Accidentally I found another key with a broken ACL in my registry and I guess that there are some more.

    I did some tests. Regedit shows this key, but cannot access it. Regalyzer doesn't show this key.

    I would be glad if there would be a tool which is able to find objects with a broken ACL.

    cu, Robo
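The cross-view idea PepiMK describes in #4 and #8 (NT-native results compared against Win32 subsystem results), together with Robo's broken-ACL case from #10, as an added example that is not RootAlyzer's own code: the enumeration results are constructed listings standing in for the real API calls, and the comparison separates objects that one view omits entirely (the rootkit signature) from objects every view lists but some cannot open (a broken ACL, which a plain listing diff would miss).

```python
"""Cross-view comparison of the kind RootAlyzer describes: list the same
objects through several enumeration methods and diff the results.
Added example with constructed data; not RootAlyzer's own code."""

# One view = one enumeration method (stand-ins for NT-native vs Win32).
# Per object, "listed" means the method returned it; "denied" means it was
# returned but could not be opened, e.g. a key whose ACL grants nobody.
REFERENCE_VIEW = "nt_native"  # the view rootkits are least likely to fool


def normalize(name):
    # registry key and NTFS names are case-insensitive on Windows
    return name.casefold().strip("\\")


def compare_views(views, reference=REFERENCE_VIEW):
    """Classify every object by how the views disagree about it.
    hidden:       reference lists it, another view does not (rootkit-style)
    inaccessible: every view lists it, some view could not open it (ACL)
    inconsistent: a non-reference view lists it, the reference does not
    """
    norm = {v: {normalize(n): s for n, s in objs.items()}
            for v, objs in views.items()}
    if reference not in norm:
        raise ValueError(f"reference view {reference!r} missing")
    report = {"hidden": [], "inaccessible": [], "inconsistent": []}
    for name in sorted(set().union(*norm.values())):
        seen_in = {v for v, objs in norm.items() if name in objs}
        missing = sorted(set(norm) - seen_in)
        denied = sorted(v for v in seen_in if norm[v][name] == "denied")
        if reference in seen_in and missing:
            report["hidden"].append((name, missing))
        elif reference not in seen_in:
            report["inconsistent"].append((name, sorted(seen_in)))
        elif denied:
            report["inaccessible"].append((name, denied))
    return report


SAMPLE_VIEWS = {  # constructed subkey listings of one parent key
    "nt_native": {"Installer": "listed", "Run": "listed", "rk_svc": "listed"},
    "win32_api": {"installer": "denied", "Run": "listed"},
    "regedit": {"Installer": "denied", "Run": "listed", "Tmp": "listed"},
}

if __name__ == "__main__":
    for kind, items in compare_views(SAMPLE_VIEWS).items():
        print(kind, items)
```

With the constructed listings, "rk_svc" is reported as hidden from both non-native views, "Installer" as inaccessible rather than hidden, and "Tmp" as an inconsistency worth a second look.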
