Safer-Networking Forums > Software > Analysis Tools, plus various small utilities > RootAlyzer
#1  PepiMK (Member of Team Spybot), 2008-02-12, 14:05
Here's a preview...

newest version here

Purpose: detecting rootkits.

Quick overview: when you start RootAlyzer, it performs a very quick scan of a few important places, taking about a second on modern machines. To check the full system, click on the Deep Scan tab.

Background: Rootkits like to hide by blending into system functions and avoiding being listed themselves. Windows systems are quite complex though: files and registry entries can be listed in various ways, processes are referred to in different places, and many rootkits don't hide from all of them, only from the standard ones, which is enough to hide them from the regular user. RootAlyzer goes through the file system, the registry and process-related lists using various different methods, and compares the results.

Some screenshots: to see what I'm talking about, here are some screenshots:
  • The Quick Scan screen shown when starting the application:

  • The drive selection when switching to the Deep Scan:

  • The Deep scan itself:

  • Properties shown for a hidden file:

  • Properties shown for a hidden registry key:

  • Properties for a hidden process:

  • More properties for a hidden process:

The property sheets are actually a bit newer inside the release version, offering Delete/Terminate buttons.

It's a work-in-progress (with a new project tools category available here to track bugs and feature requests), but it's already helping to easily locate some of the current malware rootkits.
__________________
Just remember, love is life, and hate is living death.
Treat your life for what it's worth, and live for every breath
(Black Sabbath: A National Acrobat)

Last edited by PepiMK; 2008-03-22 at 09:46. Reason: updated from 0.1.1.13 to 0.1.2.21
#2  honda12 (Senior Member), 2008-02-12, 18:52

wow, it looks great! Is it vista compatible?

btw there is a small typo

Quote:
Some screenshots: to see what I'm taking about
"to see what I'm talking about"
__________________
Take a sneak preview of Spybot-S&D 2...Dev blog, Screenshots & Twitter.
#3  tashi (Member of Team Spybot), 2008-02-12, 19:27

Quote:
Originally Posted by honda12
btw there is a small typo
"to see what I'm talking about"
__________________
UNITE-ASAP

Microsoft MVP. Consumer Security 2006-2010

Please help us improve Spybot, download our distributed testing client
#4  PepiMK (Member of Team Spybot), 2008-02-12, 20:47

Ah yes, compatibility, should've mentioned that somewhere.

The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compares NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

The screenshots show XP, admittedly. Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.
#5  PepiMK (Member of Team Spybot), 2008-02-13, 10:49

Screenshots of the log in the next version (ignore the results shown, those are fake entries to have something visible while debugging):

#6  ndmmxiaomayi (Visiting Staff), 2008-02-27, 05:25

Deleted.
__________________
扎西德勒 微笑中有阳光 不放弃的人都拥有希望

Please do not message me for help. Create a new topic in the Malware Removal room instead.

Last edited by ndmmxiaomayi; 2008-02-27 at 05:25. Reason: Should have read properly.
#7  ndmmxiaomayi (Visiting Staff), 2008-02-27, 05:28

Does RootAlyzer use a driver?

The last time I tested a rootkit scanner, it crashed my Vista so badly that I had to re-image my Vista installation.
#8  PepiMK (Member of Team Spybot), 2008-02-27, 10:37

No, it does not.
Though a file system filter service/driver might be something to look at in a future version. But if it does, it would not be permanently installed, just loaded for the moment.
What it does now is simply communicate more directly with the NT level of the operating system, instead of going through the Win32 subsystem.
If rootkits hid on the NT level as well (not the standard for current malware rootkits), that would indeed call for a filesystem filter. Or that other solution in the coming Spybot-S&D plugins update.
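The cross-view idea PepiMK describes in #1 and #4 (list the same objects through different paths and diff the results) and the user-mode-only limitation he states in #8 can both be tried without RootAlyzer. The script below is an added example written for this page, not RootAlyzer's code, and it uses a different second view than RootAlyzer does: instead of comparing NT native enumeration against Win32 enumeration, it compares the standard process enumeration (Get-Process, which ends up in NtQuerySystemInformation, the call most user-mode and SSDT rootkits filter) against a view that never asks for a list at all and instead probes every candidate PID with OpenProcess. Assumptions, all mine: PowerShell 2.0 or later on Windows; PIDs below the MaxPid parameter (0x10000 by default; current Windows versions hand out larger PIDs, so raise it there); an access-denied result from OpenProcess is treated as proof that the PID exists.

```powershell
# Added example, not RootAlyzer code. Cross-view check for hidden processes:
# view A enumerates (Get-Process -> NtQuerySystemInformation), view B probes
# PIDs one at a time with OpenProcess and never requests a process list.
Add-Type -Namespace Probe -Name Kernel32 -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
"@

function Get-EnumeratedPids {
    # View A: the PIDs the standard enumeration reports.
    [uint32[]]((Get-Process).Id)
}

function Get-ProbedPids {
    # View B: PIDs that exist according to OpenProcess. PIDs are multiples of 4.
    # MaxPid is an assumption; raise it on systems that hand out larger PIDs.
    param([uint32]$MaxPid = 0x10000)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5      # the PID exists, we just may not open it (protected/system)
    $found = New-Object System.Collections.Generic.List[uint32]
    for ($id = 4; $id -lt $MaxPid; $id += 4) {
        $h   = [Probe.Kernel32]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$id)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void][Probe.Kernel32]::CloseHandle($h)
            $found.Add([uint32]$id)
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            $found.Add([uint32]$id)
        }
        # any other error (typically ERROR_INVALID_PARAMETER, 87): no such process
    }
    ,$found.ToArray()
}

function Find-HiddenPids {
    param([uint32]$MaxPid = 0x10000)
    # Take both views twice. A PID is reported only if both probes saw it and
    # neither enumeration did, so processes that start or exit in between drop out.
    $enum1  = Get-EnumeratedPids
    $probe1 = Get-ProbedPids -MaxPid $MaxPid
    Start-Sleep -Milliseconds 500
    $enum2  = Get-EnumeratedPids
    $probe2 = Get-ProbedPids -MaxPid $MaxPid
    $seenByEnumeration = @($enum1) + @($enum2)
    foreach ($id in $probe1) {
        if (($probe2 -contains $id) -and ($seenByEnumeration -notcontains $id)) {
            New-Object PSObject -Property @{
                PID  = $id
                Note = 'exists via OpenProcess but missing from process enumeration'
            }
        }
    }
}

Find-HiddenPids | Format-Table -AutoSize
```

What this does and does not catch: a rootkit that filters the enumeration result (the "standard" kind PepiMK refers to) shows up, because OpenProcess resolves the PID through a different kernel path than the list the enumeration walks. A kernel rootkit that also intercepts process opens by PID defeats both views, which is the case where, as #8 says, only a driver gives you a better vantage point. PID 4 and protected processes come in through the access-denied branch when run unelevated; that is expected and not a hidden process.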
#9  ndmmxiaomayi (Visiting Staff), 2008-02-27, 14:23

Thanks.
#10  robo_ (Junior Member), 2008-03-21, 00:14

With Windows 2000 RootAlyzer does not look like the screenshot. The icons are missing, as well as the detailed information in the quick scan window (see my attachment).

While testing the deep scan I wondered if RootAlyzer would find objects with a broken ACL. Obviously it does not.

The background is: some time ago I screwed up the Windows Installer. At first I didn't know how I had done it, but then it became clear that I had likely messed it up with a registry-cleaning utility. After a lot of searching I found out that there were some installer-related registry keys that couldn't be accessed (with regedit). With regedt32 I found out that the keys didn't have any account authorised on them. (Later I was told that this is called a "broken ACL".) After taking ownership and authorising the keys, the installer was working again.

By accident I found another key with a broken ACL in my registry, and I guess that there are some more.

I did some tests. Regedit shows this key but cannot access it. RegAlyzer doesn't show this key.

I would be glad if there were a tool able to find objects with a broken ACL.

cu, Robo
Attached image: rootalyzer.png (5.9 KB)
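A finder for the "broken ACL" keys robo_ describes, as an added example written for this page (not RootAlyzer or RegAlyzer code). It walks a hive with the .NET RegistryKey API and reports two things: keys it cannot open even for READ_CONTROL (the symptom robo_ saw in regedit; since a key's owner can always read its security descriptor, failure here means the caller is neither granted access nor the owner), and keys whose DACL carries zero ACEs (what regedt32 showed as no account being authorised). Assumptions, all mine: PowerShell 2.0 or later, run elevated, and the hive and depth limit in the usage section. Known noise: a null DACL (absent, which grants everyone access) also has zero rules and is reported together with an empty one, and HKLM\SAM and HKLM\SECURITY are restricted by design, so whether they are descended into depends on who runs the scan.

```powershell
# Added example, not RootAlyzer/RegAlyzer code: find registry keys with a
# broken ACL (nobody authorised) or that the caller cannot inspect at all.
function Test-RegistryKeyAcl {
    param(
        [Microsoft.Win32.RegistryKey]$Parent,   # already-open parent key
        [string]$Name,                          # subkey to inspect
        [int]$Depth = 0,
        [int]$MaxDepth = 64                     # assumption: guard against runaway nesting
    )
    $path  = "$($Parent.Name)\$Name"
    $check = [Microsoft.Win32.RegistryKeyPermissionCheck]::Default

    # Step 1: open for READ_CONTROL only. A key's owner always has this right
    # implicitly, so failure here means the caller is neither owner nor granted
    # anything: exactly the keys regedit lists but cannot open.
    $secKey = $null
    try {
        $secKey = $Parent.OpenSubKey($Name, $check, [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    } catch {
        "INACCESSIBLE  $path  (cannot read security descriptor: $($_.Exception.Message))"
        return
    }
    if ($null -eq $secKey) { return }           # vanished between enumeration and open
    try {
        $acl   = $secKey.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        if ($rules.Count -eq 0) {
            # Zero ACEs: an empty DACL (nobody authorised, robo_'s case) or a null
            # DACL (everybody authorised). Both deserve a look, so report either.
            "NO-ACE        $path  (no account is granted anything, or the DACL is absent)"
        }
    } catch {
        "INACCESSIBLE  $path  ($($_.Exception.Message))"
    } finally {
        $secKey.Close()
    }

    # Step 2: recurse only where KEY_READ is granted. This is a separate open so
    # that a key readable only by its owner is still examined by step 1.
    if ($Depth -ge $MaxDepth) { return }
    $enumKey = $null
    try {
        $enumKey = $Parent.OpenSubKey($Name, $check, [System.Security.AccessControl.RegistryRights]::ReadKey)
    } catch { return }
    if ($null -eq $enumKey) { return }
    try {
        foreach ($child in $enumKey.GetSubKeyNames()) {
            Test-RegistryKeyAcl -Parent $enumKey -Name $child -Depth ($Depth + 1) -MaxDepth $MaxDepth
        }
    } finally {
        $enumKey.Close()
    }
}

# Usage: scan all of HKLM; HKCU works the same way via [Microsoft.Win32.Registry]::CurrentUser.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
$findings = foreach ($top in $hklm.GetSubKeyNames()) { Test-RegistryKeyAcl -Parent $hklm -Name $top }
$findings
```

Fixing a hit is the manual procedure robo_ went through: take ownership (an administrator can, via SeTakeOwnershipPrivilege, even with an empty DACL) and then grant the accounts that should have access. The script deliberately only reports, since an INACCESSIBLE line can also be a key that is locked down on purpose.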
Copyright © 2000-2010 Safer-Networking Limited. All rights reserved.