Message-ID: <E1BO9MW-000EFF-00.offtopic-mail-ru@f23.mail.ru>
From: offtopic at mail.ru ("offtopic" )
Subject: RKDetect - behaviour based rootkit detection utility

http://www.security.nnov.ru/search/document.asp?docid=6198

Rkdetect is a little anomaly detection tool which can find services hidden by generic Windows rootkits like Hacker Defender.

The tool is very simple. It enumerates the services on a remote computer through WMI (user level) and through the Service Control Manager (kernel level), compares the two results and displays the difference. In this way we can find hidden services, which are usually used to start a rootkit.
The same approach can be used to enumerate processes, files, registry keys and anything else that rootkits can hide.
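The cross-view check described above, written out in PowerShell as an added illustration (this is not the original rkdetect.vbs, and the cmdlet and sc.exe arguments it uses are standard Windows ones rather than anything taken from the post). It takes the service names that WMI returns through Win32_Service, takes the names that the Service Control Manager returns through sc.exe, and reports any name present in one view but absent from the other:

```powershell
# Added example (not the original rkdetect.vbs): cross-view service enumeration.
# Compares the service list returned by WMI (Win32_Service) with the list returned
# by the Service Control Manager via sc.exe and reports names seen in only one view.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# View 1: WMI / CIM. Win32_Service covers Win32 services only (drivers are in
# Win32_SystemDriver), so the SCM query below is restricted to the same type.
$wmiServices = @(Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
    Select-Object -ExpandProperty Name)

# View 2: Service Control Manager through sc.exe.
#   "type= service" = Win32 services only, "state= all" = running and stopped.
# Each service block in the output starts with a line such as "SERVICE_NAME: Spooler".
$scOutput = & sc.exe "\\$ComputerName" query type= service state= all
$scServices = @($scOutput | ForEach-Object {
    if ($_ -match '^SERVICE_NAME:\s*(.+?)\s*$') { $Matches[1] }
})

Write-Host ("WMI reports {0} services, SCM reports {1}" -f $wmiServices.Count, $scServices.Count)

# Services the SCM knows about but WMI does not: the pattern the post describes,
# a rootkit filtering the user-level enumeration while the SCM still lists the service.
$scOnly  = @($scServices  | Where-Object { $wmiServices -notcontains $_ })

# The reverse difference is usually a race (a service installed or removed between the
# two queries), but any mismatch deserves a second look, so it is reported as well.
$wmiOnly = @($wmiServices | Where-Object { $scServices  -notcontains $_ })

foreach ($name in $scOnly)  { Write-Warning "Possible hidden service (SCM only): $name" }
foreach ($name in $wmiOnly) { Write-Warning "Service seen by WMI only (re-run to rule out a race): $name" }
if (-not $scOnly -and -not $wmiOnly) { Write-Host "No discrepancies between the WMI and SCM views." }
```

Run it locally with no arguments, or against another machine with `-ComputerName <name>`; the remote case needs WinRM for Get-CimInstance and administrative rights on the target for sc.exe. The detection logic only works because the two views are produced by different code paths: a rootkit that hooks one of them has to hook both consistently to stay invisible, which is exactly the discrepancy rkdetect looks for.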

Rkdetect available here:

http://www.security.nnov.ru/files/rkdetect.zip

The tool consists of the VBScript file rkdetect.vbs and the sc.exe utility.
Sc.exe is the standard Windows tool for working with the SCM; you can find it on any Windows box with W2K3.

Usage:
1. Unzip the archive.
2. If you don't trust me (I hope you don't :-), copy sc.exe (c:\WINDOWS\system32\sc.exe in my case) from the Windows folder to the rkdetect folder.
3. Change dir to the rkdetect folder.
4. Start it:

cscript rkdetect.vbs <machine_name/ip>

Example:

C:\detector>cscript rkdetect.vbs 200.4.4.4
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Query services by WMI...
Detected 79 services
Query services by SC...
Detected 80 services
Finding hidden services...

Possible rootkit found: HXD Service 100
Done

C:\detector>


Thanks to 3APA3A for testing and hosting. 

Thanks for your attention and sorry for my English. 

GL.
