Cudni
Special Response Team
Joined: Dec 10, 2002  Posts: 3718  Location: Et In Arcadia ego
Posted: Mon Aug 28, 2006 2:01 pm  Post subject: Rootkit Unhooker
from
[Address edited by Forum Mod]

Cudni
_________________
Hecho en Mexico

Prince_Serendip
Site Moderator
Joined: Sep 07, 2002  Posts: 17542
Posted: Mon Aug 28, 2006 3:29 pm
Hi Cudni,
We have already tested this application, and it does not meet with our approval. Too buggy and needs more work.
All the best
_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008

Cudni
Special Response Team
Joined: Dec 10, 2002  Posts: 3718  Location: Et In Arcadia ego
Posted: Mon Aug 28, 2006 3:34 pm
I thought you might have tested it already.
Can it be useful to help reveal what is running?

Cudni
_________________
Hecho en Mexico

Prince_Serendip
Site Moderator
Joined: Sep 07, 2002  Posts: 17542
Posted: Mon Aug 28, 2006 4:09 pm
Not with a crashed system. Standard Win XP. And, hard to remove as well. We could not get the darn thing to work at all. Not safe, especially for newbies.
_________________
Microsoft MVP Consumer Security 2006, 2007 & 2008

negster22
Security Expert Premium Member
Joined: Mar 10, 2004  Posts: 5394
Posted: Mon Aug 28, 2006 6:46 pm
There are many other more stable alternatives.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Cudni
Special Response Team
Joined: Dec 10, 2002  Posts: 3718  Location: Et In Arcadia ego
Posted: Mon Aug 28, 2006 8:00 pm
So it works on a stable system but not on an owned one?
I tried it on one of my systems and nothing broke, but then I didn't try to stop anything.

Cudni
_________________
Hecho en Mexico

negster22
Security Expert Premium Member
Joined: Mar 10, 2004  Posts: 5394
Posted: Mon Aug 28, 2006 9:10 pm
No - the program itself can cause system instability, so other alternative anti-rootkit programs are preferable.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Cudni
Special Response Team
Joined: Dec 10, 2002  Posts: 3718  Location: Et In Arcadia ego
Posted: Mon Aug 28, 2006 9:31 pm
Thanks.
We'll wait until the authors improve on the program.

Cudni
_________________
Hecho en Mexico

Guest (IP: 69.243.*.*)
Posted: Wed Sep 06, 2006 2:31 pm
I personally have used this tool since its public release and have found it to be as stable as RootkitRevealer, BlackLight beta, and IceSword. The bonus is this tool can unhook and restore some hooked NT API calls and detects hidden processes and drivers that the previously mentioned anti-rootkit tools missed.
Tested on live machines running:
4 different WinXP SP2 (clean and heavily infected)
2 different WinXP Home SP2 (clean and infected)
1 Win2K3 SP1 (clean)
I did notice that if other (unnamed here) anti-rootkit kernel drivers were loaded before or after RkU, there may be crashes. However, by itself, there were no problems.

negster22
Security Expert Premium Member
Joined: Mar 10, 2004  Posts: 5394
Posted: Wed Sep 06, 2006 5:59 pm
Quote: "I did notice that if other (unnamed here) antirootkit kernel drivers were loaded before or after RkU, there may be crashes. However, by itself, there were no problems."

Yes, that is precisely the problem. Some anti-rootkit drivers may not unload after closing the program, and then the user may be unaware that they are running two anti-rootkit drivers simultaneously. Also, there should be a warning about not running multiple anti-rootkit programs at the same time and what the consequences can be. If the program conflicts with other programs and serious consequences can result, then ideally those program conflicts should be noted.
Some rootkit tools can be run simultaneously with no problem, so it is not that obvious, though the ideal solution is to unload any lingering rootkit drivers manually using sc or net stop and only run one anti-rootkit program at a time. If that rule is followed, there should be no or minimal problems.
BTW, does RKU unload its driver when the program is closed? If not, what is the name of the driver so it can be done manually via the cmd line, before any other rootkit apps are run?

Quote: "The bonus is this tool can unhook and restore some hooked ntapi calls and detects hidden processes and drivers that the previously mentioned AntiRootkit tools missed."

Have you tested its driver and process detection compared to DarkSpy? If so, please elaborate or test. I would be very interested in a comparison. Also, is it able to detect BadRKDemo's driver and service registry key?
_________________
Negster22 - MS MVP - Consumer Security 2006-2008

Guest (IP: 148.208.*.*)
Posted: Thu Sep 07, 2006 3:19 pm
Hello from Mexico.
Well, I have tested RKU in so many versions, and DS in the last version (1.5, I mean), and I found that DS is more unstable and gave me some BSODs on some computers.
Removing RKU and DS is so easy: just delete the .sys file in the drivers directory.
BTW, both tools work fine for finding hidden processes and drivers.
Can you tell me where I can find a BadRootkit sample?
But I can tell you that RKU will not find the registry key, because it is not made for that purpose.
Mixel Adm

negster22
Security Expert Premium Member
Joined: Mar 10, 2004  Posts: 5394
Posted: Sat Sep 09, 2006 3:55 am
I was able to duplicate your BSOD by unloading DarkSpy, but my system was fully recoverable on reboot, so no harm done. I thought it unloaded because I saw this in Autoruns, but not so:
DarkSpy File not found: C:\WINDOWS\system32\DarkSpyKernel.sys
I think the order in which the drivers are loaded can influence whether there is a system crash, and the severity of it.
To install a device driver it has to be registered as a system service by creating a service key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<driver name>
where <driver name> = service DisplayName
The "ImagePath" value in this key contains the driver path (i.e. C:\WINDOWS\system32\DarkSpyKernel.sys).
badRKdemo hides its service key from the service control manager using DKOM, and most rootkit detectors cannot see it, but DarkSpy can see it and delete it successfully.
GMER video w/ badRKdemo:
http://www.gmer.net/badrkdemo.wmv
When/if you get badRKdemo, please test with ssv, too.
_________________
Negster22 - MS MVP - Consumer Security 2006-2008
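The two points negster22 makes in the thread (unload any lingering anti-rootkit driver with sc before running the next tool, and a driver's registration lives under HKLM\SYSTEM\CurrentControlSet\Services\<driver name> with its file in ImagePath) can be checked from one script. The following is an added example, not code from this thread or from any of the tools discussed (RkU, DarkSpy, GMER). It enumerates kernel-driver service keys, resolves each ImagePath, reports whether the .sys file is still on disk (the "File not found" state Autoruns showed for DarkSpyKernel.sys means a registration that outlived its file) and whether the driver is loaded right now, and optionally sends sc stop to the ones still running. The script file name and parameter names are my own; the actual service names of the anti-rootkit drivers are not given in the thread, so pass them with -Name when you know them.

```powershell
<#
Added example (not from this thread or from any of the tools it discusses).
Lists kernel-driver services registered under the Services key, resolves each
ImagePath, and reports whether the driver file still exists and whether the
driver is loaded right now. Read-only unless -Stop is given.
Run from an elevated PowerShell prompt, e.g. (hypothetical file name):
    .\Find-LingeringDrivers.ps1                       # every kernel driver
    .\Find-LingeringDrivers.ps1 -Name <driver name>   # one service key, as in the post above
    .\Find-LingeringDrivers.ps1 -Name <driver name> -Stop
#>
param(
    [string[]]$Name = @(),   # optional list of service (key) names to restrict the report to
    [switch]$Stop            # send 'sc stop' to matching drivers that are still running
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverImagePath([string]$imagePath) {
    # The ImagePath value of a driver comes in several spellings; turn each into a Win32 path.
    if ([string]::IsNullOrWhiteSpace($imagePath)) { return $null }
    $p = $imagePath.Trim().Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')       { return $Matches[1] }                            # \??\C:\...\x.sys
    if ($p -match '^\\SystemRoot\\(.+)$') { return Join-Path $env:SystemRoot $Matches[1] }  # \SystemRoot\system32\drivers\x.sys
    if ($p -match '^[A-Za-z]:\\')         { return $p }                                     # C:\WINDOWS\system32\x.sys
    return Join-Path $env:SystemRoot $p                                                     # system32\drivers\x.sys
}

# Current load state of every driver, keyed by service name (Running / Stopped).
$state = @{}
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object { $state[$_.Name] = $_.State }

$report = Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = $_.PSChildName
    if ($Name.Count -gt 0 -and $Name -notcontains $svc) { return }
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $props.Type -ne 1) { return }     # Type 1 = SERVICE_KERNEL_DRIVER
    $path = Resolve-DriverImagePath $props.ImagePath
    [pscustomobject]@{
        Service   = $svc
        Start     = $props.Start   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        State     = if ($state.ContainsKey($svc)) { $state[$svc] } else { 'Not loaded' }
        ImagePath = $path
        OnDisk    = if ($path) { Test-Path -LiteralPath $path } else { $false }
    }
}

$report | Sort-Object Service | Format-Table -AutoSize

# A service key whose file is gone is exactly the 'File not found' state Autoruns shows:
# the driver binary was deleted but its registration lingers.
$report | Where-Object { -not $_.OnDisk } | ForEach-Object {
    Write-Warning "$($_.Service): service key present but file missing ($($_.ImagePath))"
}

if ($Stop) {
    foreach ($d in ($report | Where-Object { $_.State -eq 'Running' })) {
        # sc stop asks the driver to unload; a driver that does not support unloading stays until reboot.
        sc.exe stop $d.Service | Out-Null
        $after = (Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$($d.Service)'").State
        Write-Host "$($d.Service): stop requested, state now '$after'. Reboot before running another anti-rootkit tool."
    }
}
```

Two things worth knowing when reading the output: a driver listed as Running whose OnDisk column is False is already loaded in memory and will stay there until reboot even after its file is deleted, which is the situation the "just delete the .sys file" advice above leaves you in; and a hidden service key (the badRKdemo case) will simply not appear in this list, because the script reads the same registry view the service control manager does.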