rootkits
Does anyone have any ideas about how to detect an NT rootkit without professional-level tools in the field? Assume,hypothetically that you have no net access, a CD and possibly infected machine.
What do you do?
****************************************
Excellence Breeds! Go Hard or Go Home.
Let Penguins rule the earth.
Break some windows today.
What do you do?
****************************************
Excellence Breeds! Go Hard or Go Home.
Let Penguins rule the earth.
Break some windows today.
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Categories
- 140.8K All Categories
- 103.6K Programming Languages
- 6.4K Assembler Developer
- 401 Assembly Code Share
- 239 Getting started in assembly
- 4.6K x86 Assembly
- 1.9K Basic
- 97 Qbasic
- 39.9K C and C++
- 5.6K Beginner C/C++
- 330 C/C++ on Linux/Unix
- 450 C/C++ Windows API
- 522 C++ Builder
- 253 C++ Game Development
- 3.3K C++ MFC
- 103 C++.NET
- 404 Visual C++
- 2.9K C#
- 7.9K Delphi and Kylix
- 334 Advanced Delphi
- 360 Delphi beginners
- 4 Haskell
- 9.7K Java
- 56 Enterprise JavaBeans
- 1.3K Java Beginners
- 304 Java Server Pages
- 4.1K Pascal
- 1.3K Perl
- 11 Perl 6
- 2K PHP
- 546 Python
- 37 Ruby
- 4.4K VB.NET
- 258 Advanced VB.Net
- 1.6K VBA
- 20.9K Visual Basic
- 767 Access databases and VB
- 831 Advance Visual Basic
- 1.2K Beginner VB
- 2.6K Game programming
- 315 Console programming
- 90 DirectX Game dev
- 1 Minecraft
- 112 Newbie Game Programmers
- 2 Oculus Rift
- 9K Applications
- 1.8K Computer Graphics
- 279 3D Graphics
- 129 DirectX
- 125 OpenGL
- 740 Computer Hardware
- 9 Cooling & Overclocking
- 3.4K Database & SQL
- 1.1K Access
- 91 ADO Programming
- 288 MySQL
- 358 Oracle
- 440 SQL-Server
- 535 Electronics development
- 1.6K Matlab
- 628 Sound & Music
- 25 DirectSound
- 257 XML Development
- 3.3K Classifieds
- 200 Co-operative Projects
- 198 For sale
- 190 FreeLance Software City
- 1.9K Jobs Available
- 603 Jobs Wanted
- 209 Wanted
- 2.9K Microsoft .NET
- 1.8K ASP.NET
- 1.1K .NET General
- 22 .NET WEB-Services
- 129 .NET WinForms
- 14 .NET XML
- 50 ADO.NET
- 144 C# & VB.NET School Support
- 3.4K Miscellaneous
- 4 Join the Team
- 354 Comments on this site
- 69 Computer Emulators
- 2.1K General programming
- 187 New programming languages
- 621 Off topic board
- 200 Mobile & Wireless
- 72 Android
- 126 Palm Pilot
- 338 Multimedia
- 154 Demo programming
- 184 MP3 programming
- 0 Bash scripts
- 27 Cloud Computing
- 1 Witsbits Go Cloud
- 53 FreeBSD
- 1.7K LINUX programming
- 1 Awk scripting
- 332 Linux Support
- 0 Sed scripting
- 370 MS-DOS
- 0 Shell scripting
- 321 Windows CE & Pocket PC
- 4.1K Windows programming
- 177 COM/DCOM
- 61 Networking And Security
- 17 Windows 2003 Server
- 6 Windows Vista
- 176 Windows XP
- 941 Software Development
- 417 Algorithms
- 68 Object Orientation
- 24 RUP & UML
- 92 Project Management
- 95 Quality & Testing
- 268 Security
- 63 Evil Scripting
- 81 Hacking
- 7.7K WEB-Development
- 1.8K Active Server Pages
- 61 AJAX
- 4 Bootstrap Themes
- 55 CGI Development
- 28 ColdFusion
- 224 Flash development
- 1.4K HTML & WEB-Design
- 1.4K Internet Development
- 131 Mobile Internet & Messaging
- 211 Wireless development
- 2.2K JavaScript
- 37 JQuery
- 304 WEB Servers
- 153 Apache
- 79 IIS
- 150 WEB-Services / SOAP
Comments
: professional-level tools in the field? Assume,hypothetically that you
: have no net access, a CD and possibly infected machine.
:
: What do you do?
:
A rootkit checker will be a good start. There's a free one here, along with some possibly intresting links.
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Jonathan
###
for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
(tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
/(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");
1.) Sysinternals does produce a strong product. Those guys give me the tools I need to do all sorts of things daily, from regmon and filemon to PSTools. However, root kits are nefarious beasts which can easily dupe rootkit revealer--as is shown in their documentation.
2.) The challenge is to discover the rootkit with only a CD (presumably the Op/sys installation CD and no net access). Here lies the rub, what other tools (from these available resources would be necessary?
3.) Remember, the Op/sys has been trojanized. The counter-hack requires stepping outside the box. File sizes and versions may be altered (but a good rootkit can conceal this if the trojanized op/sys files are hexedited to contain the malicious code without altering the file size or version. Time stamps can then be spoofed. Otherwise a batch file could be constructed to compare files. Ahh....
4.) There lies the solution, perhaps! What if a batch file were to compare the op/sys files from a clean (CD) boot to known good files, identifying which files differ from the original? Could this reveal the root?
5.) What if the op/sys alters some arbitrary file during operation. Then the known good and operational unknown file could not be compared to find the root. Only those files which do not change could be eliminated from the problem.
[Note: This may be resolved by a collateral language project I am working on, which requires software components to authenticate themselves.]
****************************************
Excellence Breeds! Go Hard or Go Home.
Let Penguins rule the earth.
Break some windows today.