ROOTKIT TEST

Publié le par Kareldjag


Here we just illustrate some rootkit behaviours and show detection by some well known or not anti-rootkit tools.
For more information, it can be suited to take a look at the next version of my article which will be updated this summer.

NB.Srip32.exe is shown as kareldjag.over.blog.exe in some screeshots, just to  prevent the use of these images in  other sites or blogs: this article for instance seems a little bit similar to this one (included the example of locate32 tool)!
Writing an article without mentionning its sources is not ethical and profesional.


If we try to launch HackerDefender, it needs to load its driver:





Then it begins to patch system's process to hide itself:





Here's the libraries hooked by HackerDefender:




Here the hooked functions shows clearly that something tries to hide from the Service Controler Manager:





By using Fu to hide objects (drivers, processes etc):






The detection of FU and HxDef drivers with Darkspy:




And here processes (Fu is represented by cmd.exe):



The result by IceSword:



And here with another detector:




Now if we hide Fu and srip32.exe renamed as kareldjag.over.blog.com:



With another detector from Russia:




The result of the IceSword's check:





Publié dans METHODOLOGY

Pour être informé des derniers articles, inscrivez vous :
Vous aimerez aussi :
Rootkit test 3
Rootkit test 3
METHODOLOGY Part 2
METHODOLOGY Part 2
Why some tests are done with HIPS disabled
Why some tests are done with HIPS disabled
METHODOLGY Part 3
METHODOLGY Part 3
MAN in the MIDDLE TEST with SSLAGY (R)
MSN TEST 2
Commenter cet article