| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: offtopic at mail.ru (offtopic)
Subject: RKDetect - behaviour based rootkit detection (updated)
Hi list.
New features:
Localized systems support and extended information about service added.
Details:
RKDetect is a little anomaly detection tool that can find services hidden by generic Windows rootkits like Hacker Defender. The tool enumerates the services on a remote computer via WMI (user level) and Services Control Manager (kernel level), the result is then compared and any difference is displayed. In this way we can find hidden services that are usually used to start rootkits. Similar approach can be used to enumerate processes, files, registry keys and anything that rootkits usually hides.
Source Code:
The tool is a VB script which requires the sc.exe application that can be found in %WINDIR%\system32\sc.exe or can be downloaded along with the source code below at: http://www.security.nnov.ru/files/rkdetect.zip
Sample:
C:\hack\rkd>cscript rkdetect.vbs 200.4.4.4
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Query services by WMI...
Detected 70 services
Query services by SC...
Detected 71 services
Finding hidden services...
Possible rootkit found: HXD Service 100 - HackerDefender100
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HackerDefender100
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\rootkits\hxdef100\hxdef100.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HXD Service 100
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Done
(c)oded by offtopic
Powered by blists - more mailing lists