UBCD4Win Forums: RootKitty - Rootkit Finder - UBCD4Win Forums

RootKitty - Rootkit Finder: A little program that I made

#1 pcuser (Project Programmer)

    Posted 14 July 2005 - 12:39 AM

    RootKitty is a very simple utility that makes a file listing when running from Windows and a file listing from PE/ubcd4win, then compares the two files and shows you the differences (looking for rootkits).

    What is a Rootkit?
    (from http://www.sysintern...itrevealer.html the maker of "Rootkit Revealer")

    Quote

    The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

    Persistent Rootkits
    A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

    Memory-Based Rootkits
    Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

    User-mode Rootkits
    There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

    The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

    Kernel-mode Rootkits
    Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
    This is from http://research.microsoft.com/rootkit/

    Quote

    Simple steps you can take to detect some of today's ghostware:
    1.  Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
    2.  Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
    3.  Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
    4.  Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.


    This is exactly what RootKitty does.

    RootKitty only scans for files right now, although I might add registry scanning sometime soon.

    Feel free to download and try RootKitty but please don't link to it or add it to your production build yet. Notice that the version number is 1.0.0... In fact, it was still just a thought up until about 2 hours ago.

    As stated in the above link:

    Quote

    Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.


    The same goes for RootKitty so don't just delete anything that it finds!

    Here's the link:
    http://EzPcFix.net/dload/RootKitty.exe

    Here's how to use it:

    1. Boot into Windows and click on "Win-Scan". The mouse pointer will turn into an hourglass and a DOS box will open. You have to wait until the DOS box disappears and the mouse pointer goes back to normal before closing the program. This can take quite a while if you have a lot of files.
    2. Boot into ubcd4win, click on "PE-Scan" and wait for it to finish.
    3. Click on "Compare".

    If a file was detected in PE/ubcd4win and was stealthed from windows then it'll show up in the listbox.

    Tom
    If you're afraid of taking any chances then the chances are great that you will never learn anything

    Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal
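The cross-view check the two quotes and the usage steps describe, as an added example written for this page (not RootKitty's own code): it parses two constructed "dir /s /b" style listings, normalises case and separators so the same file compares equal from both views, collapses duplicate lines, and separates the "System Volume Information" entries (which the thread's test run shows as a normal result) from genuine outside-only files. The sample file names, the EXPECTED_NOISE prefix and the explanation for it are assumptions, not part of the original post.

```python
from pathlib import PureWindowsPath

# Constructed sample listings in "dir /s /b" form (not real scan output).
# The PE listing deliberately repeats one line to show that duplicates are
# collapsed rather than reported twice.
WIN_LISTING = """\
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\drivers\\etc\\hosts
C:\\Documents and Settings\\user\\My Documents\\notes.txt
C:\\Documents and Settings\\user\\Local Settings\\Temp\\tmp1.tmp
"""

PE_LISTING = """\
C:\\WINDOWS\\system32\\kernel32.dll
c:\\windows\\SYSTEM32\\drivers\\etc\\hosts
C:\\Documents and Settings\\user\\My Documents\\notes.txt
C:\\System Volume Information\\tracking.log
C:\\System Volume Information\\MountPointManagerRemoteDatabase
C:\\System Volume Information\\tracking.log
C:\\WINDOWS\\system32\\drivers\\hidden-sample.sys
"""

# Path prefixes that differ between the two views for benign reasons.
# Assumption (editor's): inside the running OS this directory is not readable
# by the logged-in user, so "dir" never lists it there, while the PE view does.
EXPECTED_NOISE = ("c:\\system volume information\\",)


def normalize(line: str) -> str:
    """Case-fold and canonicalise one listing line so both views compare equal."""
    return str(PureWindowsPath(line.strip())).casefold()


def parse_listing(text: str) -> set[str]:
    """Turn raw listing text into a set of normalised paths (duplicates collapse)."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def compare_views(win_text: str, pe_text: str) -> dict[str, list[str]]:
    """Report files seen from outside (PE) but not inside Windows, and vice versa."""
    inside = parse_listing(win_text)
    outside = parse_listing(pe_text)
    only_outside = outside - inside
    noise = {p for p in only_outside if p.startswith(EXPECTED_NOISE)}
    return {
        # Present on disk when booted clean, absent from the in-OS listing:
        # the candidates a file-hiding rootkit would produce.
        "hidden_from_windows": sorted(only_outside - noise),
        # Outside-only entries with a known benign explanation.
        "expected_noise": sorted(noise),
        # Seen inside but not outside, e.g. temp files removed between scans.
        "only_inside": sorted(inside - outside),
    }


if __name__ == "__main__":
    for label, paths in compare_views(WIN_LISTING, PE_LISTING).items():
        print(f"{label}:")
        for path in paths:
            print("   ", path)
```

Anything under "hidden_from_windows" still needs a manual look, for the same false-positive reasons the quoted Microsoft note gives.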

    #2 lawson23 (Ultra Member)

      Posted 14 July 2005 - 07:16 AM

      I'm going to have to check this out!

      Thank you very much.

      One quick question. Do you choose where to place the files to compare? Or does it do this automatically and does it delete them at the end?

      #3 REM (Regular Member)

        Posted 14 July 2005 - 07:53 AM

        pcuser, on Jul 14 2005, 01:39 AM, said:

        RootKitty is a very simple utility that makes a file listing when running from windows and a file listing from PE/ubcd4win then compares the two files and shows you the differences (looking for rootkits).

        Tom


        Very interesting!!

        #4 pcuser (Project Programmer)

          Posted 14 July 2005 - 09:11 AM

          Quote

          One quick question. Do you choose where to place the files to compare? Or does it do this automatically and does it delete them at the end?


          By default, it writes the windows directory listing to "c:\Win-out.txt" and the PE directory listing to "c:\PE-out.txt" but you can change them to whatever you want.

          It doesn't delete the files, but I should add that it overwrites the contents of them every time you click "Scan-Win" or "Scan-PE".

          Tom

          #5 SteelTrepid (Administrator)

            Posted 14 July 2005 - 09:20 AM

            This sounds pretty awesome. RootKit Revealer seems to work pretty well, but not in UBCD4Win or BPE. It will be interesting to watch this new project grow. :) Good work Tom, if you need any assistance with it I hope to be able to help you!!
            "I play Russian roulette everyday, a man's sport, with a bullet called life"

            #6 lawson23 (Ultra Member)

              Posted 14 July 2005 - 09:41 AM

              Well, I also believe they are using two different methods of looking for rootkits, as Rootkit Revealer has no way of scanning outside of Windows and doing a compare. So it is a great addition to have two different methods.

              Tom,
              In the next version do you think you could possibly look at adding a delete option to delete the files it created? Not a major need.

              #7 SteelTrepid (Administrator)

                Posted 14 July 2005 - 10:55 AM

                :D Exactly!!! :D

                #8 pcuser (Project Programmer)

                  Posted 14 July 2005 - 06:50 PM

                  Quote

                  In next version do you think you could possibly look at adding a delete option to delete the files it created


                  Done. The updated version is already uploaded. I also added the ability to delete the potential rootkits.

                  Thanks for the feedback/suggestions :)

                  Tom

                  #9 pcuser (Project Programmer)

                    Posted 14 July 2005 - 10:54 PM

                    I'm thinking about doing away with this program and just adding it to EzPcFix. Any thoughts or objections?

                    Tom

                    #10 lawson23 (Ultra Member)

                      Posted 15 July 2005 - 07:22 AM

                      I like the rootkit app as a single app, but it is a decision you need to make. On one hand it would make EzPcFix more attractive, but on the other hand, for those just wanting a sweet rootkit detection, the separate app is nice.

                      In the end I will be happy to have it either way.

                      This post has been edited by lawson23: 15 July 2005 - 07:26 AM


                      #11 REM (Regular Member)

                        Posted 15 July 2005 - 07:27 AM

                        pcuser, on Jul 14 2005, 11:54 PM, said:

                        I'm thinking about doing away with this program and just adding it to EzPcFix.  Any thoughts or objections?

                        Tom


                        I am lost with EzPcFix Tom. I guess that I need to spend more time reading up and trying the program.

                        I'd prefer the program as a nice, simple, standalone app myself.

                        I got tied up yesterday and I never made it back, but here are my results. It looks to be normal:

                        ------------------------------------------------------------------------------

                        C:\System Volumn Information\MountPointManagerRemoteDatabase

                        C:\System Volumn Information\tracking.log

                        ------------------------------------------------------------------------------

                        Suggestion: Make a result report for ease in copy/paste. Or, use a form that allows copying and pasting out of the result window. I'm sure people will want feedback on the results, as with HijackThis.

                        Another tool for the belt! Very nice work!

                        #12 pcuser (Project Programmer)

                          Posted 15 July 2005 - 06:54 PM

                          Quote

                          Suggestion: Make a result report for ease in copy\paste. Or, use a form that allows copy and pasting out of the result window. I'm sure people will want feedback on the results, as with HijackThis.


                          Great idea ;)

                          It now has the ability to save the log file to disk or copy/paste the results. The new version (1.0.3) is already uploaded.

                          Thanks for the help everyone. Your feedback and suggestions are really appreciated.

                          Tom

                          #13 pcuser (Project Programmer)

                            Posted 16 July 2005 - 12:05 AM

                            I've updated the program a little more...

                            When you click on "Save Log" it now saves it to the location that you specified, but also opens it in Notepad so you can copy/paste.

                            I'm really not an artist so the colors are just an attempt to give you an idea as to what needs to be clicked.

                            I don't really like these colors but I couldn't find anything better, any suggestions?

                            Are these colors too extreme?

                            Tom

                            #14 REM (Regular Member)

                              Posted 16 July 2005 - 04:03 AM

                              pcuser, on Jul 16 2005, 01:05 AM, said:

                              I've updated the program a little more...

                              When you click on "Save Log" it now saves it to the location that you specified but also opens it in notepad so you can copy/paste.

                              I'm really not an artist so the colors are just an attempt to give you an idea as to what needs to be clicked.

                              I don't really like these colors but I couldn't find anything better, any suggestions?

                              Are these colors too extreme?

                              Tom


                              The colors are fine by me. I'm not overly talented as an artist either.

                              I just ran v1.0.4 and noticed that I got dupe entries:

                              ------------------------------------------------------------------------------

                              C:\System Volume Information\MountPointManagerRemoteDatabase

                              C:\System Volume Information\tracking.log

                              C:\System Volume Information\MountPointManagerRemoteDatabase

                              C:\System Volume Information\tracking.log

                              ------------------------------------------------------------------------------


                              It appears that the PE run might have appended to, rather than overwritten, the old file.

                              Here is an interesting article I found linked from Sysinternals' site:

                              http://www.phrack.or...w.php?p=62&a=12

                              These guys seem to be well ahead of most methods of detection.

                              #15 pcuser (Project Programmer)

                                Posted 16 July 2005 - 01:11 PM

                                Quote

                                I just ran v1.0.4 and noticed that I got dupe entries:

                                ------------------------------------------------------------------------------

                                C:\System Volume Information\MountPointManagerRemoteDatabase

                                C:\System Volume Information\tracking.log

                                C:\System Volume Information\MountPointManagerRemoteDatabase

                                C:\System Volume Information\tracking.log

                                ------------------------------------------------------------------------------


                                It appears that the PE run might have appended to, rather than overwritten, the old file.


                                Hmm. I can't seem to duplicate this scenario (no pun intended).

                                "Win-Scan", "PE-Scan" and "Save Log" simply overwrite any existing contents. Nothing is ever appended, it only overwrites.

                                Was this copied directly from RootKitty.log? If so, did the duplicates show up in the listbox? If they did show up in the listbox then can you search PE-Out.txt and see if those files are listed twice?

                                [EDIT] Sorry, I figured out the problem and it WAS my mistake. [EDIT]

                                Thanks for the help.

                                BTW. I just uploaded 1.0.5

                                The only real change that I made was adding the ability to delete the log file.

                                Tom