[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] RKDetect - behaviour based rootkit detection (updated)
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] RKDetect - behaviour based rootkit detection (updated)
- From: offtopic <offtopic@xxxxxxx>
- Date: Wed, 08 Sep 2004 13:29:44 +0400
Hi list.
New features:
Localized systems support and extended information about service added.
Details:
RKDetect is a little anomaly detection tool that can find services hidden by
generic Windows rootkits like Hacker Defender. The tool enumerates the services
on a remote computer via WMI (user level) and Services Control Manager (kernel
level), the result is then compared and any difference is displayed. In this
way we can find hidden services that are usually used to start rootkits.
Similar approach can be used to enumerate processes, files, registry keys and
anything that rootkits usually hides.
Source Code:
The tool is a VB script which requires the sc.exe application that can be found
in %WINDIR%\system32\sc.exe or can be downloaded along with the source code
below at: http://www.security.nnov.ru/files/rkdetect.zip
Sample:
C:\hack\rkd>cscript rkdetect.vbs 200.4.4.4
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Query services by WMI...
Detected 70 services
Query services by SC...
Detected 71 services
Finding hidden services...
Possible rootkit found: HXD Service 100 - HackerDefender100
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HackerDefender100
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\rootkits\hxdef100\hxdef100.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HXD Service 100
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Done
(c)oded by offtopic
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html