Hi all,

Update!
Latest Version:
SysProt AntiRootkit v1.0.0.4

I am happy to release the SysProt AntiRootkit v1.0.0.3 Beta. Thanks to CC and all who have helped me!
Features:

• Hidden process detection and removal
  
• Hidden drivers detection
  
• SSDT Hooks detection and remvoal
  
• Kernel Inline hooks detection and removal
  
• Sysenter Hook detection
  
• TCP/UDP Ports Info
  
• File System browser
  
• Hidden Services Registry keys detection and removal

Anyone interested in some research rootkits can get them here : /t180919-MalRootkit_droppers_assorted_for_archiving_sharing.html .

I am on my there now .

@nosirrah
Thanks for the info. Downloading them

Looks like SysProt can't see the SSDT hooks of wincom32.sys .

---

1.jpg
Description:
Filesize:	17.06 KB
Viewed:	143 Time(s)

---

Hi,
Thanks for testing SysProt AntiRootkit. I have made some updates, please download the tool from the link given in my first post here.
BTW, I am able to see Wincom32 and Nailuj rootkits in my test box.

Will retest tonight . Is there any chance that SP1 and SP2 would function differently ?

swatkat

Hi,

I'm a little bit later than i would have liked in saying thanx for this, and may i encourage you to update it as often as you can.

I did however manage to include it as soon as you released it over in the SysInternals Rootkit thread - http://forum.sysinternals.com/forum_posts.asp?TID=962&PN=1&TPN=30

All the best,

Spanner

Good job, Mahesh, and Congrats. I know you've been working very hard

Also, very nice of Spanner to insert a link to your program in the Sysinternals thread. I haven't checked out your latest version of SysProt ARK yet, but plan to soon.

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Hi all,
Thanks for all the support @negster22 and SpannerITWks I will be try my best to keep the tool up-to-date.
And, thank you SpannerITWks, for listing SysProt AntiRootkit at Sysinternals thread

swatkat

Pleasure, and please do try and keep it updated. Don't forget the cheque now will ya, in $ lol.

Spanner

Hi all,
Update:
1] Added "Extended Driver Scan" feature
2] Fixed some bug in Kernel Inline hook detection

Thanks, swat.

Can you explain what an Extended Driver Scan is?

_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Hi,
It searches for Driver Objects, based on some signature, in Kernel memory area, similar to modGREPER. That's why the "Extended Driver Scan" takes time to complete. But, it can't detect driver objects of rootkits which zero out/alter the contents of driver object header (ex: Unreal.A and BadRkDemo?!).

Hi, i'll help spread the word !

Thanx,

Spanner