Rootkit revealer for Windows
19 years 8 months ago #7684
by DaLight
Replied by DaLight on topic Re: Rootkit revealer for Windows
Great tool. It's important to keep it up to date as it's currently undergoing frequent updates. Also take a look at
blogs.msdn.com/robert_hensing/archive/2005/03/10/392092.aspx before using it.
blogs.msdn.com/robert_hensing/archive/2005/03/10/392092.aspx before using it.
19 years 8 months ago #7697
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Rootkit revealer for Windows
One important thing to note is that it only detects persistent rootkits, aka rootkits that will reload after a reboot from the disk...
An attacker can make do with a memory resident rootkit if the target system is a server that will not be rebooting often.
Furthermore, there are rootkits that can install themselves in the flash memory of your video card or other EEPROM devices.
An attacker can make do with a memory resident rootkit if the target system is a server that will not be rebooting often.
Furthermore, there are rootkits that can install themselves in the flash memory of your video card or other EEPROM devices.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
19 years 8 months ago #7715
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Rootkit revealer for Windows
Well, this could get technical but here goes:
You can scan through a systems memory map and identify flash devices... you have to write the queary access code 0x98 to the devices base address plus an offset of 0x55... once in query mode the chip will display the ascii characters 'QRY' at offset 0x10... .. you can then perform a write and a read, if it works, you should have found a storage area..
You can find storage in some really good places, for example,
ethernet cards, video cards multimedia peripherals, cell phones, fax machines, anti-lock brakes, barcode readers, smart cards etc...
A good place is the ethernet card.. since most have an ASIC with its own processor and instruction set... this is what handles what the card does when a packet arrives on the interface..
As an example some Intel cards based on the 82559 ethernet controller has a small EEPROM chip -- an ATMEL 93C46, which would give you about 128k of storage...
This is the technique behind hardware viruses.. if you remember CIH the virus that attacked 430TX compatible motherboards.. this is the same basic concept...
I'm currently writing a review of 'Exploiting Software - How to Break Code' by Hoglund & McGraw which has a wonderful chapter on rootkits with a lot of code.. Hoglunds site www.rootkit.com also has many code examples and sample rootkits as well as rootkits found in the wild.
Its a very interesting yet highly advanced field... you require a lot of familiarity with the way device drivers are written and generally with how to work at ring 0 of the operating system -- For those of you who were unaware.. 'administrator' is not god.. when you work at the kernel level, you have light years more access than 'root' or 'administrator' would ever have.. because you can get the operating system to lie to any userland program.... its the ultimate level of privilege that you can obtain on a system..
You'd actually be scared if you knew what could be done
Imagine a rootkit that will exist even if you format the system and rebuild it from scratch... it is perfectly possible!
Cheers,
You can scan through a systems memory map and identify flash devices... you have to write the queary access code 0x98 to the devices base address plus an offset of 0x55... once in query mode the chip will display the ascii characters 'QRY' at offset 0x10... .. you can then perform a write and a read, if it works, you should have found a storage area..
You can find storage in some really good places, for example,
ethernet cards, video cards multimedia peripherals, cell phones, fax machines, anti-lock brakes, barcode readers, smart cards etc...
A good place is the ethernet card.. since most have an ASIC with its own processor and instruction set... this is what handles what the card does when a packet arrives on the interface..
As an example some Intel cards based on the 82559 ethernet controller has a small EEPROM chip -- an ATMEL 93C46, which would give you about 128k of storage...
This is the technique behind hardware viruses.. if you remember CIH the virus that attacked 430TX compatible motherboards.. this is the same basic concept...
I'm currently writing a review of 'Exploiting Software - How to Break Code' by Hoglund & McGraw which has a wonderful chapter on rootkits with a lot of code.. Hoglunds site www.rootkit.com also has many code examples and sample rootkits as well as rootkits found in the wild.
Its a very interesting yet highly advanced field... you require a lot of familiarity with the way device drivers are written and generally with how to work at ring 0 of the operating system -- For those of you who were unaware.. 'administrator' is not god.. when you work at the kernel level, you have light years more access than 'root' or 'administrator' would ever have.. because you can get the operating system to lie to any userland program.... its the ultimate level of privilege that you can obtain on a system..
You'd actually be scared if you knew what could be done
Imagine a rootkit that will exist even if you format the system and rebuild it from scratch... it is perfectly possible!
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.137 seconds