UBCD4Win Forums: RootKitty - Rootkit Finder - UBCD4Win Forums

RootKitty - Rootkit Finder: A little program that I made

#16 pcuser (Project Programmer, Moderator & Development)

Posted 16 July 2005 - 07:06 PM

Sorry REM,

I was playing with some different options in the source code last night and must have forgotten to change APPEND to WRITE before compiling. It's fixed now (ver 1.0.6) :blush:

Tom
If you're afraid of taking any chances then the chances are great that you will never learn anything

Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal

#17 cray1000 (Member)

Posted 16 July 2005 - 07:49 PM

Awesome app. How does it compare to the other rootkit detection program listed earlier?

As far as combining it with EzPcFix, I would say make it a module of EzPcFix that can also be stand-alone.... :) best of both worlds....

If EzPcFix supports add-on modules you can just keep adding your new programs to it as modules that work standalone....

Just a suggestion...

#18 pcuser (Project Programmer, Moderator & Development)

Posted 16 July 2005 - 08:44 PM

Quote

How does it compare to the other rootkit detection program listed earlier?

It doesn't scan for hidden registry entries (yet) but I'm working on it.

Quote

As far as combining it with EzPcFix, I would say make it a module of EzPcFix that can also be stand-alone.... best of both worlds....

Excellent idea! I think that's what I'll do then.

Thanks for the help :)

Tom

#19 pcuser (Project Programmer, Moderator & Development)

Posted 17 July 2005 - 02:19 AM

I attempted to add registry scanning functions today and only succeeded at opening several cans of worms :(

I rewrote the entire program today because I found that previous versions had a limitation of 32,768 files, so that's fixed.

I would still like to include registry scanning in the program, but it's going to require adding lots of code that EzPcFix already has, so if it's added in the future then it's most likely going to be integrated into EzPcFix and not into the "Standalone" version.

Please let me know about anything that needs to be changed/added/removed, as this might be the final release if nothing is reported.

Like I said, it was rewritten from scratch today (completely new everything), so everything needs to be tested.

Big thanks to everyone that's helped develop and test this new project!

Tom
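The post above mentions two things a file-based rootkit finder has to get right: it must not cap the number of files it can inventory (the 32,768-file limit that was fixed), and it must surface files that the running system hides. The following is an added example, not RootKitty's code and not a description of how RootKitty works internally. It shows the general cross-view approach: one listing of the volume taken from inside the (possibly compromised) Windows installation and one taken from the offline boot CD environment are compared, and anything the offline view has but the live view lacks is reported as hidden. The `size<TAB>path` listing format and both sample listings are constructed for this example.

```python
"""Cross-view comparison of two file inventories (live vs. offline).

Added example, not RootKitty's own code. The listing format (one
'size<TAB>path' line per file, '#' comments allowed) is an assumption
made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample: what a directory walk inside the running system reports.
LIVE_LISTING = """# constructed sample: listing taken from inside the running system
40960\tC:\\Windows\\System32\\drivers\\disk.sys
12288\tC:\\Windows\\System32\\drivers\\example_benign.sys
100\tC:\\Windows\\System32\\example_patched.dll
"""

# Constructed sample: the same volume listed from the offline boot environment,
# where no driver on the inspected system is running to filter the results.
OFFLINE_LISTING = """# constructed sample: listing of the same volume from the boot CD
40960\tC:\\Windows\\System32\\drivers\\disk.sys
12288\tC:\\Windows\\System32\\drivers\\example_benign.sys
8192\tC:\\Windows\\System32\\drivers\\example_hidden.sys
200\tC:\\Windows\\System32\\example_patched.dll
"""


@dataclass(frozen=True)
class Entry:
    path: str  # path exactly as the listing reported it
    size: int  # file size in bytes


def parse_inventory(lines: Iterable[str]) -> Dict[str, Entry]:
    """Parse 'size<TAB>path' lines into a dict keyed by case-folded path.

    The input is consumed as a stream and stored in a dict, so the number of
    files is bounded only by memory, not by a fixed-size array; this is the
    kind of design that avoids a hard cap such as 32,768 entries.
    NTFS paths are case-insensitive, hence the lower-cased key.
    """
    entries: Dict[str, Entry] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments in the listing
        size_str, path = line.split("\t", 1)
        path = path.strip()
        entries[path.lower()] = Entry(path=path, size=int(size_str))
    return entries


def cross_view(live: Dict[str, Entry], offline: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Return discrepancies between the two views, grouped by category.

    hidden:        present offline but missing from the live view (the classic
                   sign of a file-hiding rootkit)
    phantom:       present in the live view only (worth a look, but can be a
                   file created after the offline snapshot)
    size_mismatch: same path, different size (possible in-place tampering or a
                   live view that lies about file contents)
    """
    hidden = [offline[k].path for k in sorted(offline.keys() - live.keys())]
    phantom = [live[k].path for k in sorted(live.keys() - offline.keys())]
    mismatch = [offline[k].path for k in sorted(live.keys() & offline.keys())
                if live[k].size != offline[k].size]
    return {"hidden": hidden, "phantom": phantom, "size_mismatch": mismatch}


def report(live_text: str, offline_text: str) -> Dict[str, List[str]]:
    """Parse both listings and compare them."""
    return cross_view(parse_inventory(live_text.splitlines()),
                      parse_inventory(offline_text.splitlines()))


if __name__ == "__main__":
    for category, paths in report(LIVE_LISTING, OFFLINE_LISTING).items():
        print(f"{category}: {paths}")
```

A hit in the `hidden` list is only a lead, not a verdict: the offline view is trusted because nothing from the inspected installation is executing while it is taken, which is exactly why a boot-CD environment such as UBCD4Win is the right place to collect it.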

#20 lawson23 (Ultra Member)

Posted 18 July 2005 - 09:10 AM

In my eyes a rootkit has nothing to really do with the registry. As long as you can locate the bad file, the registry is really a moot point. Kind of like viruses. Registry cleaning is great because it removes error messages, but it isn't the issue, correct? The rootkit needs to exist as an application on the machine, which is what the original app looks for.

Please enlighten me on why registry scanning might be needed so that I may understand.

#21 pcuser (Project Programmer, Moderator & Development)

Posted 18 July 2005 - 05:23 PM

Quote

In my eyes a rootkit has nothing to really do with the registry. As long as you can locate the bad file, the registry is really a moot point. Kind of like viruses. Registry cleaning is great because it removes error messages, but it isn't the issue, correct? The rootkit needs to exist as an application on the machine, which is what the original app looks for.

Please enlighten me on why registry scanning might be needed so that I may understand.

As long as the files are found and removed, the stealthed registry entries that the file may have been hiding will be revealed, so the only purpose that I can think of is just for the sake of being complete.

Tom

#22 pcuser (Project Programmer, Moderator & Development)

Posted 19 July 2005 - 12:34 AM

After thinking more about this...

It might be pointless to scan the registry just to find out where the rootkit gets started from. After all, that's the job of EzPcFix!

Tom

#23 lawson23 (Ultra Member)

Posted 19 July 2005 - 10:28 AM

Not a REG expert, but could a program (reg entry) be written through the registry to redownload a bad app and re-execute it?

In other words, I delete a virus exe but get the exe back because of a reg entry that keeps retrieving the app?

#24 pcuser (Project Programmer, Moderator & Development)

Posted 19 July 2005 - 09:12 PM

Quote

Not a REG expert, but could a program (reg entry) be written through the registry to redownload a bad app and re-execute it?

In other words, I delete a virus exe but get the exe back because of a reg entry that keeps retrieving the app?

Yes and no.

I started explaining how this could be done but realized what I was writing was something that I don't believe in making public (proof of concept exploits).

Yes, it is possible that an unpatched system (or one with modified security settings) could be set to download and run code locally just by settings in the registry, but an up to date system with the security settings set to default will, at the least, warn you before doing anything like this.

EzPcFix is designed to show you all the places that apps can get loaded from, so after removing a rootkit, you should run EzPcFix and find where it's getting started from.

Here's what I'm asking from anyone using this utility to find rootkits...

If a rootkit is found, run EzPcFix (from PE/ubcd4win) to see where it's getting started from.

If you can't find it with EzPcFix, then do a search in the registry with EzPcFix running and your registry hives loaded and see where it's getting started from. If it's a location that EzPcFix isn't searching, then I really, really need to know about it so I can update EzPcFix to look in that location.

Thanks,

Tom

#25 lawson23 (Ultra Member)

Posted 19 July 2005 - 09:57 PM

Tom,
Yeah, thanks for not explaining how. My big question was the possibility. In one sense I thought yes, it is possible, and in another I thought no, it isn't.

Thanks for clearing that up. This is a circumstance I have been wondering about for a while now. As people may think a rootkit is scary, so would something like this be.

#26 lawson23 (Ultra Member)

Posted 09 August 2005 - 10:55 PM

Used RootKitty for my first time today. Nice.
The only suggestion I would make is that once you have the results in RootKitty you can't scroll left to right to view long entries and have to resort to the log. Not a big deal.

#27 Greg214 (Newbie)

Posted 29 September 2005 - 12:47 PM

Sorry, see new thread.

This post has been edited by Greg214: 29 September 2005 - 01:36 PM

#28 SteelTrepid (Administrator)

Posted 29 September 2005 - 12:55 PM

You probably should have started a new post about this. I'm sure Tom will find this post later today, but it makes it easier when new things are posted in their own thread.

Need some hardware or software at super low prices? Check out my online store here: Burrows Solutions

"I play Russian roulette everyday, a man's sport, with a bullet called life"
"My cause is noble, my power is pure"
"My new computer came with Windows 7. Windows 7 is much more user-friendly than Windows Vista. I don't like that."
"Is Wayne Brady gonna have to choke a bitch?"

Can we smoke in here?
Cigarettes or crack?
Don't make me choose.

#29 Greg214 (Newbie)

Posted 29 September 2005 - 01:06 PM

I tried to do that after you told me to, but it says I do not have permission to start new topics/threads here.

Thanks for trying to guide me in the right direction though.

#30 SteelTrepid (Administrator)

Posted 29 September 2005 - 01:21 PM

Hmm, yeah.... I thought about that after I posted. I couldn't remember if I "allowed" regular members to start topics here. I just changed it in my Admin area. Sorry.
