TOPIC: Rootkit revealer for Windows

Rootkit revealer for Windows 11 years 8 months ago #7665

  • TheBishop
  • Moderator

Re: Rootkit revealer for Windows 11 years 8 months ago #7684

  • DaLight
  • Honored Member
Great tool. It's important to keep it up to date as it's currently undergoing frequent updates. Also take a look at
http://blogs.msdn.com/robert_hensing/archive/2005/03/10/392092.aspx before using it.

Re: Rootkit revealer for Windows 11 years 8 months ago #7697

  • sahirh
  • Honored Member
One important thing to note is that it only detects persistent rootkits, i.e. rootkits that will reload from the disk after a reboot...

An attacker can make do with a memory resident rootkit if the target system is a server that will not be rebooting often.

Furthermore, there are rootkits that can install themselves in the flash memory of your video card or other EEPROM devices.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Rootkits 11 years 8 months ago #7699

  • TheBishop
  • Moderator
Rootkits in flash memory and EEPROM? That's eeeeeeevil!
How do they do it?

Re: Rootkit revealer for Windows 11 years 8 months ago #7715

  • sahirh
  • Honored Member
Well, this could get technical but here goes:

You can scan through a system's memory map and identify flash devices... you have to write the query access code 0x98 to the device's base address plus an offset of 0x55... once in query mode the chip will display the ASCII characters 'QRY' at offset 0x10... you can then perform a write and a read; if it works, you should have found a storage area..

You can find storage in some really good places, for example, Ethernet cards, video cards, multimedia peripherals, cell phones, fax machines, anti-lock brakes, barcode readers, smart cards etc...

A good place is the Ethernet card.. since most have an ASIC with its own processor and instruction set... this is what handles what the card does when a packet arrives on the interface..

As an example, some Intel cards based on the 82559 Ethernet controller have a small EEPROM chip -- an ATMEL 93C46, which would give you about 128k of storage...

This is the technique behind hardware viruses.. if you remember CIH, the virus that attacked 430TX compatible motherboards.. this is the same basic concept...

I'm currently writing a review of 'Exploiting Software - How to Break Code' by Hoglund & McGraw which has a wonderful chapter on rootkits with a lot of code.. Hoglund's site www.rootkit.com also has many code examples and sample rootkits as well as rootkits found in the wild.

It's a very interesting yet highly advanced field... you require a lot of familiarity with the way device drivers are written and generally with how to work at ring 0 of the operating system -- for those of you who were unaware.. 'administrator' is not god.. when you work at the kernel level, you have light years more access than 'root' or 'administrator' would ever have.. because you can get the operating system to lie to any userland program.... it's the ultimate level of privilege that you can obtain on a system..

You'd actually be scared if you knew what could be done :)
Imagine a rootkit that will exist even if you format the system and rebuild it from scratch... it is perfectly possible!

Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
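Added example, not from the thread or from the tool it discusses: a host-side simulation of the CFI query sequence sahirh describes (0x98 written at offset 0x55, 'QRY' read back at 0x10). The memory map, the flash window and its 128 KiB size are constructed; the device-size byte at offset 0x27 and the 0xFF read-array command are standard CFI values (0xFF is the Intel-style exit, assumed here), and the probe stops at reading the query structure instead of test-writing the device. Defenders use the same enumeration to inventory firmware storage and hash it against a known-good image.

```c
/* Added example: simulated CFI probe. Memory is modelled with callbacks so the
 * probe runs without touching hardware (blind writes to a live map can hang a box). */
#include <stdint.h>
#include <stdio.h>

#define CFI_QUERY_ADDR 0x55   /* command address for byte-wide (x8) parts */
#define CFI_QUERY_CMD  0x98   /* "read CFI query" command */
#define CFI_READ_ARRAY 0xFF   /* Intel-style return to read-array mode (AMD-style parts use 0xF0) */
#define WINDOWS        4      /* constructed memory map: four 256-byte windows */
#define FLASH_WINDOW   2      /* only this window emulates a CFI flash chip */
static uint8_t g_ram[WINDOWS][0x100];
static int g_query_mode;      /* state of the emulated flash chip */

static void mem_write(int win, unsigned off, uint8_t v) {
    if (win != FLASH_WINDOW) { g_ram[win][off] = v; return; }   /* plain RAM */
    /* Flash decodes commands instead of storing bytes. */
    if (off == CFI_QUERY_ADDR && v == CFI_QUERY_CMD) g_query_mode = 1;
    else if (v == CFI_READ_ARRAY) g_query_mode = 0;
}

static uint8_t mem_read(int win, unsigned off) {
    if (win != FLASH_WINDOW || !g_query_mode) return g_ram[win][off];
    /* CFI query structure: "QRY" at 0x10..0x12, device size as 2^N bytes at 0x27 */
    if (off >= 0x10 && off <= 0x12) return "QRY"[off - 0x10];
    if (off == 0x27) return 17;   /* constructed chip: 2^17 = 128 KiB */
    return 0;
}

/* Probe one window; returns the device size in bytes if it answers the CFI
 * query, else 0. Only reads the query structure, no test write of data. */
static unsigned long cfi_probe(int win) {
    mem_write(win, CFI_QUERY_ADDR, CFI_QUERY_CMD);
    int is_flash = mem_read(win, 0x10) == 'Q' && mem_read(win, 0x11) == 'R' &&
                   mem_read(win, 0x12) == 'Y';
    unsigned long size = is_flash ? 1UL << mem_read(win, 0x27) : 0;
    mem_write(win, 0, CFI_READ_ARRAY);   /* leave the chip readable again */
    return size;
}

/* Inventory every window; a defender hashes each region found against a
 * known-good firmware image to detect tampering. Returns the count found. */
static int cfi_scan(void) {
    int found = 0;
    for (int w = 0; w < WINDOWS; w++) {
        unsigned long sz = cfi_probe(w);
        if (sz) { printf("window %d: CFI flash, %lu bytes\n", w, sz); found++; }
    }
    return found;
}
```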

Rootkits 11 years 8 months ago #7724

  • TheBishop
  • Moderator
(shudder)
I'll be sleeping with the light on tonight...