[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] RKDetect - behaviour based rootkit detection utility
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] RKDetect - behaviour based rootkit detection utility
- From: "offtopic" <offtopic@xxxxxxx>
- Date: Thu, 13 May 2004 10:06:32 +0400
http://www.security.nnov.ru/search/document.asp?docid=6198
Rkdetect is a little anomaly detection tool which can find services hidden by
generic Windows rootkits like Hacker Defender.
Tool very simply. It enumerates services on remote computer through WMI (user
level) and Services Control Manager (kernel level), compare result and display
difference. In this way we can find hidden services which usual used to start
rootkit.
Similar approach can be used to enumerate processes, files, registry keys and
anything that rootkits can to hide.
Rkdetect available here:
http://www.security.nnov.ru/files/rkdetect.zip
Tool consists from VBScript file rkdetect.vbs and sc.exe utility.
Sc.exe it's standard Windows tool to work with SCM which you can find on any
Windows Box with W2K3.
Usage:
1. Unzip archive.
2. If you don't trust me (I hope you
don't :-), copy sc.exe
(c:\WINDOWS\system32\sc.exe in my case) from Windows folder to the rkdetect
folder.
3. Change dir to rkdetect folder.
4. Start it:
cscript rkdetect.vbs <machine_name/ip>
Example:
C:\detector>cscript rkdetect.vbs 200.4.4.4 Microsoft (R) Windows Script Host
Version 5.6 Copyright (C) Microsoft Corporation 1996-2001.
All rights reserved.
Query services by WMI...
Detected 79 services
Query services by SC...
Detected 80 services
Finding hidden services...
Possible rootkit found: HXD Service 100
Done
C:\detector>
Thanks to 3APA3A for testing and hosting.
Thanks for your attention and sorry for my English.
GL.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html