Utilities for Automating Rootkit Analysis
A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. Rootkits typically rely on hooking: they intercept function calls, messages or events passed between software components by inserting their own function at the top of the hook chain, so that it runs before the legitimate handler and can alter what is returned to the caller. Hooking itself has legitimate uses, such as remote administration and system monitoring, but the same technique is used by spyware, rootkits, keyloggers and other malicious programs that aim to monitor user activity on the operating system.
Here I wanted to share two easy-to-use tools for automating rootkit analysis:
GMER is an application that detects and removes rootkits. It scans for hidden processes, threads, modules, services, files and disk sectors (including the MBR), and for drivers hooking the SSDT, the IDT and IRP dispatch routines.
RootRepeal is another rootkit detector. It offers the following scans:
- Driver Scan – scans the system for kernel-mode drivers. Displays all drivers currently loaded, and shows if a driver has been hidden, and whether the driver’s file is visible on-disk.
- Files Scan – scans any fixed drive on the system for hidden, locked or falsified* files.
- Processes Scan – scans the system for processes. Displays all processes currently running, and shows if a process is hidden or locked.
- SSDT Scan – shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
- Stealth Objects Scan – attempts to determine if any rootkits are active by looking for typical symptoms.
- Hidden Services Scan – scans for hidden system services.
- Shadow SSDT Scan – counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.
Both tools give you a quick way to scan a system for rootkits. Keep in mind that a detector running on an already compromised machine can itself be subverted, so a clean result is evidence, not proof; when a scan does flag a hooked SSDT entry or a hidden process, treat the host as compromised and confirm from a trusted environment (for example, by examining the disk offline).
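To make the hooking described above, and the two kinds of check the scans perform, concrete, here is a small constructed model written for this post. It is not code from GMER or RootRepeal and it is not Windows kernel code: the process list, the single-entry service table standing in for the SSDT, the "known-good" copy of that table and the process name `evil.exe` are all assumptions made up for the example. A hook is placed at the top of the chain so that the real handler still runs but its answer is filtered; the detector then does what an SSDT scan does (compare each table entry against a trusted copy) and what a hidden-process scan does (cross-view: compare what the API reports with a direct walk of the underlying structure).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of SSDT-style hooking and its detection. None of this
 * is Windows kernel code; the process list, the service table and the
 * known-good copy are all made up for the example. */

typedef struct {
    int pid;
    const char *name;
} proc_t;

/* Constructed sample: what the OS really holds in its process list. */
static const proc_t g_true_procs[] = {
    {    4, "System"      },
    {  612, "lsass.exe"   },
    { 1337, "evil.exe"    },   /* the process the rootkit wants hidden */
    { 2040, "notepad.exe" },
};
#define NPROCS (sizeof g_true_procs / sizeof g_true_procs[0])

typedef size_t (*enum_fn)(proc_t *out, size_t cap);

/* Legitimate service handler: reports the full list. */
static size_t real_enum_processes(proc_t *out, size_t cap)
{
    size_t n = NPROCS < cap ? NPROCS : cap;
    memcpy(out, g_true_procs, n * sizeof *out);
    return n;
}

/* Service dispatch table standing in for the SSDT: index -> handler. */
#define SVC_ENUM_PROCESSES 0
#define NSERVICES 1
static enum_fn g_service_table[NSERVICES] = { real_enum_processes };

/* Known-good copy, as a scanner would rebuild it from the kernel image on
 * disk instead of trusting the in-memory table. */
static const enum_fn g_known_good[NSERVICES] = { real_enum_processes };

/* --- rootkit side ------------------------------------------------------ */

static enum_fn g_saved_original;   /* the hook chains to the original */

/* Hook at the top of the chain: let the real handler run, then strip the
 * rootkit's own process from the result before returning it. */
static size_t hooked_enum_processes(proc_t *out, size_t cap)
{
    size_t n = g_saved_original(out, cap), kept = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(out[i].name, "evil.exe") != 0)
            out[kept++] = out[i];
    return kept;
}

void install_hook(void)
{
    g_saved_original = g_service_table[SVC_ENUM_PROCESSES];
    g_service_table[SVC_ENUM_PROCESSES] = hooked_enum_processes;
}

void remove_hook(void)
{
    g_service_table[SVC_ENUM_PROCESSES] = g_saved_original;
}

/* --- detector side ----------------------------------------------------- */

/* SSDT-scan style check: count table entries that no longer point at the
 * handler the known-good copy says they should. */
int count_hooked_entries(void)
{
    int hooked = 0;
    for (size_t i = 0; i < NSERVICES; i++)
        if (g_service_table[i] != g_known_good[i])
            hooked++;
    return hooked;
}

/* Cross-view check: ask through the (possibly hooked) service table, then
 * walk the underlying structure directly and count what the API omitted. */
int count_hidden_processes(void)
{
    proc_t seen[NPROCS];
    size_t n = g_service_table[SVC_ENUM_PROCESSES](seen, NPROCS);
    int hidden = 0;
    for (size_t i = 0; i < NPROCS; i++) {
        int found = 0;
        for (size_t j = 0; j < n && !found; j++)
            found = (seen[j].pid == g_true_procs[i].pid);
        if (!found) {
            printf("hidden process: pid %d (%s)\n",
                   g_true_procs[i].pid, g_true_procs[i].name);
            hidden++;
        }
    }
    return hidden;
}

int main(void)
{
    printf("clean:  %d hooked entries, %d hidden processes\n",
           count_hooked_entries(), count_hidden_processes());
    install_hook();
    printf("hooked: %d hooked entries, %d hidden processes\n",
           count_hooked_entries(), count_hidden_processes());
    remove_hook();
    return 0;
}
```

The cross-view check is the more robust of the two: the table comparison only catches a rootkit that replaces the pointer, whereas a hook that patches the first bytes of the real handler (an inline hook) leaves the table intact but still changes what the API returns, which the direct walk still exposes. Real scanners combine both, plus checks on the IDT and IRP dispatch tables, for the same reason.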