2008-01-30, 20:21   #1
PepiMK
Member of Team Spybot

Finding rootkits: 2 plugins for Total Commander users

What do I need this for?

Well, you probably don't. Anyway... as you might have noticed from the title, this is for NT-based Windows operating systems, which currently include Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 and Windows Vista. XP and Vista in both 32- and 64-bit flavours.

Windows NT systems have been created to support multiple hardware platforms, and even applications for other software platforms, at least in early versions. This means that at the very bottom of Windows NT, there's the native Windows NT system, and above that, there's a layer for Windows 32 applications as known from Windows 95 upwards.

The main use of these plugins is probably hunting down rootkits. Rootkits try to hide from your system. And usually, they do this on the Windows 32 layer mentioned above, since every Windows software uses that. Hide a file in that layer, and Explorer and most other applications won't show it any more. The Windows 32 layer internally uses the Windows Native functions though. These plugins allow you to browse the file system, and your registry, using Windows Native functions, allowing you to see files that rootkits may have hidden in the Windows 32 layer.

Still don't understand? Rootkits hide their files, and standard rootkits usually hide them only on the surface, while these plugins allow you to take a look behind the surface.

If you're not hunting rootkits, this is very probably useless to you, sorry!
And since these are not stand-alone products, you can only use them if you use Total Commander.

Installation instructions
  1. Locate your Total Commander directory, e.g.
    C:\Apps\TotalCmd\
  2. Find your file system plugin folder, which then would be
    C:\Apps\TotalCmd\Plugins\wfx\
  3. Create a folder to keep our files in, e.g.
    C:\Apps\TotalCmd\Plugins\wfx\snlTCNTplugins\
  4. Copy NTFiles.wfx and NTRegistry.wfx into that folder
  5. Start Total Commander
  6. Main menu: Configuration -> Options
  7. Left overview: Operation -> Plugins -> File system plugins
  8. Press Add button, navigate to NTFiles.wfx, press OK.
  9. Press Add button, navigate to NTRegistry.wfx, press OK.
  10. Close the file system plugins window by pressing OK
  11. Close the configuration windows by pressing OK
Too difficult to follow? We might create an installer to automate this, but then, these tools are designed to help track down rootkits, and if you're able to do this, you're also able to follow those instructions.

Usage instructions
  • Browse to your Network Neighbourhood inside Total Commander
  • Browse into NTFiles to start browsing your file system
  • Browse into NTRegistry to start browsing your registry
Download

Since the servers should handle the 1.5.2 release currently, I didn't want to burden them with these files. So here is a rapidshare link. Just click the Free download button, ignore the payment options offered on the next page and wait until the ca. one minute countdown is down, type in the captcha and download. As soon as the servers have sorted out the heavy Spybot-S&D 1.5.2 traffic, I'll probably put it where it belongs. I wanted to provide it as a goodie for the community now though, since this was kind of a playground for testing some things that'll reappear in a different application...
__________________
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)
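The post above explains why the plugins work: a rootkit that hooks the Windows 32 file APIs is invisible to Explorer, but a listing taken through the native NT call underneath still shows the file. The script below is an added example, not code from the plugins or from Safer-Networking, that performs the same cross-view check from a script instead of interactively: it lists a directory once through the Win32 layer (os.listdir, which calls FindFirstFileW on Windows) and once through ntdll's NtQueryDirectoryFile, then reports entries present in only one view. It assumes Python 3 on an NT-based Windows system; the buffer offsets are those of the FILE_DIRECTORY_INFORMATION record.

```python
import ctypes, os, struct, sys

STATUS_NO_MORE_FILES = 0x80000006
FileDirectoryInformation = 1   # FILE_INFORMATION_CLASS value for FILE_DIRECTORY_INFORMATION

def native_listing(path):
    """List a directory via ntdll!NtQueryDirectoryFile, not kernel32 FindFirstFile/FindNextFile."""
    k32, ntdll = ctypes.WinDLL("kernel32", use_last_error=True), ctypes.WinDLL("ntdll")
    k32.CreateFileW.restype = ctypes.c_void_p
    ntdll.NtQueryDirectoryFile.restype = ctypes.c_long          # NTSTATUS
    # FILE_LIST_DIRECTORY, share read|write|delete, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS (directories)
    h = k32.CreateFileW(path, 0x0001, 0x0007, None, 3, 0x02000000, None)
    if h in (None, ctypes.c_void_p(-1).value):
        raise OSError(ctypes.get_last_error(), "cannot open " + path)
    iosb = ctypes.create_string_buffer(2 * ctypes.sizeof(ctypes.c_void_p))   # IO_STATUS_BLOCK
    buf, names = ctypes.create_string_buffer(64 * 1024), set()
    try:
        while True:
            st = ntdll.NtQueryDirectoryFile(ctypes.c_void_p(h), None, None, None, iosb, buf, len(buf),
                                            FileDirectoryInformation, False, None, False)
            if (st & 0xFFFFFFFF) == STATUS_NO_MORE_FILES:
                break
            if st < 0:
                raise OSError("NtQueryDirectoryFile failed: 0x%08X" % (st & 0xFFFFFFFF))
            off = 0
            while True:   # walk the chain of FILE_DIRECTORY_INFORMATION records in buf
                next_off = struct.unpack_from("<I", buf, off)[0]          # NextEntryOffset
                name_len = struct.unpack_from("<I", buf, off + 60)[0]     # FileNameLength (bytes)
                names.add(buf.raw[off + 64:off + 64 + name_len].decode("utf-16-le"))  # FileName
                if next_off == 0:
                    break
                off += next_off
    finally:
        k32.CloseHandle(ctypes.c_void_p(h))
    return names

def cross_view(win32_names, native_names):
    """Report entries one view has and the other lacks. Compare case-folded (Win32 names are
    case-insensitive) and ignore the '.' and '..' records the native listing includes."""
    def norm(names):
        return {n.casefold() for n in names if n not in (".", "..")}
    w, n = norm(win32_names), norm(native_names)
    return {"hidden_from_win32": sorted(n - w), "missing_in_native": sorted(w - n)}

if __name__ == "__main__":   # os.listdir uses FindFirstFileW on Windows, i.e. the Win32 view
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\Windows")
    print(cross_view(os.listdir(target), native_listing(target)))
```

A non-empty "hidden_from_win32" list is worth investigating, but a hook placed in ntdll or the kernel (rather than in the Windows 32 layer) would hide from this view as well, which is the same limit the post states for the plugins.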
2010-01-02, 21:53   #2
ianidragonfly
Junior Member

ReUp Plugins Please

Quote:
Originally Posted by PepiMK
What do I need this for?

Please ReUp the Plugins. I get an error trying to open NTFiles.wfx and NTRegistry.wfx files from the zip. I am trying to get rid of Command Service Malware that hijacks me to ads. Thanks for your help. Happy New Year!

Last edited by ianidragonfly; 2010-01-02 at 21:56. Reason: I made an error
Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.