Thread: Here's a preview...
  1. #1
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default Here's a preview...

    newest version here

    Purpose: detecting rootkits.

    Quick overview: when you start RootAlyzer, it performs a very quick scan of a few important places, taking about a second on modern machines. To check the full system, click on the Deep Scan tab.

    Background: Rootkits like to hide by blending into system functions and avoiding that they get listed themselves. Windows systems are quite complex though, and files and registry entries can be listed using various ways, processes are referred to in different places, and many rootkits just don't hide from all of them, but only the standard ones that hide them from the regular user. RootAlyzer goes through the file system, the registry and process related lists using various different methods, and compares the results.

    Some screenshots: to see what I'm talking about, here are some screenshots:
    • The Quick Scan screen shown when starting the application:
    • The drive selection when switching to the Deep Scan:
    • The Deep Scan itself:
    • Properties shown for a hidden file:
    • Properties shown for a hidden registry key:
    • Properties for a hidden process:
    • More properties for a hidden process:

    The property sheets are actually a bit newer inside the release version, offering Delete/Terminate buttons.

    It's a work-in-progress (with a new project tools category available here to track bugs and feature requests), but it's already helping to easily locate some of the current malware rootkits.
    Last edited by PepiMK; 2008-03-22 at 10:46. Reason: updated from 0.1.1.13 to 0.1.2.21
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  2. #2
    Senior Member honda12's Avatar
    Join Date
    Nov 2007
    Location
    UK
    Posts
    682

    Default

    Wow, it looks great! Is it Vista compatible?

    btw there is a small typo

    Some screenshots: to see what I'm taking about
    "to see what i'm talking about"

  3. #3
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    Default

    Quote Originally Posted by honda12 View Post
    btw there is a small typo
    "to see what i'm talking about"
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Ah yes, compatibility, should've mentioned that somewhere.

    The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compares NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

    The screenshots show XP, admitted. Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.
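The comparison PepiMK describes (list the same objects through a low-level enumeration and through the user-facing one, then diff the two) as an added example; this is not RootAlyzer's code. The real tool calls the Windows APIs, whereas this example diffs pre-collected listings so it runs anywhere; the view names, the sample file and process listings, and the `run_indicator` helper are constructed assumptions. It also handles the "nothing to compare against" case from the post: a view that is unavailable on the platform (no NT native API on 9x) is skipped and the test reported as not applicable instead of being run.

```python
"""Cross-view comparison: list the same namespace (files, registry keys,
processes) through several enumeration methods and flag entries that do
not show up in all of them. Example code, not RootAlyzer's own; the view
names and listings below are constructed sample data."""

from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """An entry that at least one enumeration method did not return."""
    entry: str
    seen_in: Tuple[str, ...]
    missing_from: Tuple[str, ...]

    def hidden_from(self, user_view: str) -> bool:
        # Present in some lower-level view but absent from the user-facing
        # listing: the pattern a rootkit hooking the standard API produces.
        return user_view in self.missing_from


def normalize_path(path: str) -> str:
    """Windows paths compare case-insensitively; unify separators too."""
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view_diff(
    views: Dict[str, Optional[Iterable[str]]],
    normalize: Callable[[str], str] = lambda s: s,
) -> List[Finding]:
    """Diff the listings in `views`. A view whose value is None counts as
    unavailable on this platform (no NT native API on Win9x, say) and is
    skipped; at least two usable views are needed, or there is nothing to
    compare against."""
    usable: Dict[str, Set[str]] = {
        name: {normalize(e) for e in entries}
        for name, entries in views.items()
        if entries is not None
    }
    if len(usable) < 2:
        raise ValueError("need at least two available views to compare")
    every_entry: Set[str] = set().union(*usable.values())
    findings = []
    for entry in sorted(every_entry):
        seen = tuple(v for v, listing in usable.items() if entry in listing)
        missing = tuple(v for v, listing in usable.items() if entry not in listing)
        if missing:
            findings.append(Finding(entry, seen, missing))
    return findings


def run_indicator(
    name: str,
    views: Dict[str, Optional[Iterable[str]]],
    user_view: str,
    normalize: Callable[[str], str] = lambda s: s,
) -> dict:
    """Run one indicator and report it, turning the 'nothing to compare
    against' case into a result instead of a crash."""
    try:
        findings = cross_view_diff(views, normalize)
    except ValueError as exc:
        return {"test": name, "status": "not applicable", "reason": str(exc), "hidden": []}
    # Only discrepancies hidden from the user-facing view are suspicious; an
    # entry missing from a narrower view (a process with no windows) is not.
    hidden = [f.entry for f in findings if f.hidden_from(user_view)]
    return {"test": name, "status": "ok", "findings": findings, "hidden": hidden}


# Constructed sample listings standing in for API results (hypothetical).
FILE_VIEWS = {
    "win32_find_first_file": [
        r"C:\Windows\System32\drivers\ntfs.sys",
        r"C:\Windows\System32\drivers\tcpip.sys",
    ],
    "nt_query_directory_file": [
        r"C:\Windows\System32\drivers\NTFS.SYS",
        r"C:\Windows\System32\drivers\tcpip.sys",
        r"C:\Windows\System32\drivers\example_hidden.sys",
    ],
}
PROCESS_VIEWS = {
    "toolhelp_snapshot": {"4", "612", "1048"},
    "nt_query_system_information": {"4", "612", "1048", "2204"},
    "window_owner_pids": {"612", "1048", "2204"},
}
# On a 9x-style system the native view simply is not there.
WIN9X_FILE_VIEWS = {"win32_find_first_file": FILE_VIEWS["win32_find_first_file"],
                    "nt_query_directory_file": None}


if __name__ == "__main__":
    for report in (
        run_indicator("files", FILE_VIEWS, "win32_find_first_file", normalize_path),
        run_indicator("processes", PROCESS_VIEWS, "toolhelp_snapshot"),
        run_indicator("files", WIN9X_FILE_VIEWS, "win32_find_first_file", normalize_path),
    ):
        print(report["test"], report["status"], "hidden:", report["hidden"])
```

The process listing shows why the result has to be read against the user-facing view rather than as a raw symmetric difference: PID 4 is absent from the window-owner view only because the System process owns no windows, while PID 2204 is missing from the standard snapshot and is the entry worth looking at.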

  5. #5
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Screenshots of log in next version (ignore the results shown, those are fake entries to have something visible while debugging):

  6. #6
    Malware Team-Emeritus
    Join Date
    Jul 2007
    Location
    Little Red Dot
    Posts
    507

    Default

    Deleted.
    Last edited by ndmmxiaomayi; 2008-02-27 at 06:25. Reason: Should have read properly.
    Tashi delek. There is sunshine in a smile; those who never give up all have hope.

    Please do not message me for help. Create a new topic in the Malware Removal room instead.

  7. #7
    Member Becky's Avatar
    Join Date
    Mar 2008
    Posts
    37

    Question With W98, what are the features I shouldn't use?

    Quote Originally Posted by PepiMK View Post
    Ah yes, compatibility, should've mentioned that somewhere.

    The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compares NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

    The screenshots show XP, admitted. Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.
    I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

    Thanks

  8. #8
    Member Becky's Avatar
    Join Date
    Mar 2008
    Posts
    37

    Unhappy

    Quote Originally Posted by Becky View Post
    I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

    Thanks
    Just starting it and... Access Violation....
    Any ideas to use it on W98?

    I'll copy here the bug report

    date/time : 2008-04-17, 22:44:53, 740ms
    computer name : AST COMPUTER
    user name : user2
    registered owner : My Self
    operating system : Windows 98 SE build 2222
    system language : English
    system up time : 1 hour 19 minutes
    program up time : 10 seconds
    physical memory : 348/510 MB (free/total)
    system resources : 80/71 (gdi/user)
    free disk space : (C 3.36 GB
    display mode : 800x600, 24 bit
    process id : $ffe50f69
    allocated memory : 22.89 MB
    executable : ROOTALYZER.EXE
    exec. date/time : 2008-03-31 12:16
    version : 0.1.3.26
    compiled with : BCB 2006
    madExcept version : 3.0e
    callstack crc : $00000000, $17bcefc0, $17bcefc0
    count : 2
    exception number : 1
    exception class : EAccessViolation
    exception message : Access violation at address 00000000. Read of address FFFFFFFF.

    main thread ($ffe50ee9):
    00000000 +000 ???
    304f3a41 +0ed ROOTALYZER.EXE snlFilesListWinNative 92 +8 TNTFileEnumerator.EnumNTPathFileNames
    30532f97 +073 ROOTALYZER.EXE snlRootKitsNTFiles 49 +8 TRootKitIndicatorNTFiles.ExecuteTests
    3053354f +023 ROOTALYZER.EXE snlRootKitsList 75 +3 TRootKitIndicatorList.Process
    30536752 +03a ROOTALYZER.EXE FrameUnitRKScanSimple 135 +5 TframeRKScanSimpleBase.Process
    3053e069 +019 ROOTALYZER.EXE FormUnitRKIndicators 235 +3 TformRKIndicators.FormPaint
    304ad6d9 +015 ROOTALYZER.EXE Forms 4471 +1 TCustomForm.Paint
    304ad768 +068 ROOTALYZER.EXE Forms 4486 +5 TCustomForm.PaintWindow
    30499b71 +055 ROOTALYZER.EXE Controls 7306 +4 TWinControl.PaintHandler
    3049a153 +03f ROOTALYZER.EXE Controls 7462 +6 TWinControl.WMPaint
    304ad88d +02d ROOTALYZER.EXE Forms 4523 +4 TCustomForm.WMPaint
    30495c8f +2bb ROOTALYZER.EXE Controls 5143 +83 TControl.WndProc
    304999d5 +499 ROOTALYZER.EXE Controls 7246 +105 TWinControl.WndProc
    304ab1f5 +4c1 ROOTALYZER.EXE Forms 3284 +125 TCustomForm.WndProc
    30499160 +02c ROOTALYZER.EXE Controls 7021 +3 TWinControl.MainWndProc
    3046bb88 +014 ROOTALYZER.EXE Classes 11572 +8 StdWndProc
    304b2834 +0fc ROOTALYZER.EXE Forms 7670 +23 TApplication.ProcessMessage
    304b286e +00a ROOTALYZER.EXE Forms 7689 +1 TApplication.HandleMessage
    304b2a8e +096 ROOTALYZER.EXE Forms 7773 +16 TApplication.Run
    30540c70 +064 ROOTALYZER.EXE RootAlyzer 29 +5 initialization

    thread $ffe7eccd:
    bff99b32 KERNEL32.DLL

  9. #9
    Junior Member
    Join Date
    Mar 2008
    Posts
    1

    Default Mebroot

    Greetings,

    Just wondering if Rootalyzer will be looking for Mebroot at some point?
    Last edited by bobisbob; 2008-03-21 at 20:53.

  10. #10
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    @robo: while I did expect only one line of text to show up next to each icon, no icons at all shouldn't be. I'll look at it, planning a new release regarding the post by Coronamaker this weekend.

    Regarding the broken ACL thing, that's probably not exactly a rootkit method (unless it would give itself temporary access rights while reading/writing only, and withdraw it again immediately afterwards... interesting thought...), but I'll see if I can "corrupt" an ACL in a way I could expect in the way described above, and how to report it.

    @129260: Spybot-S&D always had some basic rootkit detection mechanisms, but the latest updates improved on three important fronts there.

    Spybot-S&D usually detects threats in our database only; RootAlyzer just shows any things it identified as hidden, without relating them to known malware. So you could use RootAlyzer to detect even rootkits that are not known yet; but one of the new plugins for Spybot-S&D includes kind of a rootkit heuristics (which is not as generic though).

    In summary: use RootAlyzer if Spybot-S&D hasn't found the culprit and you're suspecting an unlisted malware.

    @bobisbob: I'll ask our samples juggler whether he has some samples of it, would have to take a look to say.
