(aka AbuIbrahim12)

A. Elshafei

How to Detect Rootkits using RootkitRevealer

There isn't much to add on how to detect rootkits with RootkitRevealer: the tool's authors provide an excellent tutorial on how to use it: http://www.sysinternals.com/Utilities/RootkitRevealer.html

But to keep things simple and succinct, here is a good tip on how to detect a rootkit regardless of how many discrepancies and unconfirmed false positives the scan reports:

Most rootkits register themselves as services in the Windows registry. Therefore a rootkit exists if RootkitRevealer reports a discrepancy on one or more of the following entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\xxxxx

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xxxx

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\xxxxx

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\xxxx

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\xxxx

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\xxxx

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\xxxx

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xxxx

where xxxx is an arbitrary service name chosen by the rootkit. So to make this clear: if you find any one of these entries in the RootkitRevealer results, then you have a rootkit. If none of these entries appear in your log, then most likely you don't have a rootkit.

EDITED:
A rootkit is also indicated if the following entry is found:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\xxxx
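The tip above amounts to a filter over the RootkitRevealer report: ignore the usual noise and keep only discrepancies whose path sits directly under one of the listed service, Enum\Root or CurrentVersion keys. The script below applies exactly that filter. It is an added example, not code from the original post and not part of RootkitRevealer. It assumes the saved report is tab-separated (path, timestamp, size, description), which mirrors the columns shown on screen; the sample report, the service names in it and the wording of its descriptions are constructed for the example.

```python
"""Triage a RootkitRevealer discrepancy report for the registry paths the
post singles out (added example; not the original post's or the tool's code)."""
import re
from dataclasses import dataclass

# Assumption: the saved report is tab-separated as
#   <path>\t<timestamp>\t<size>\t<description>
REPORT_FIELDS = 4

# Service and device-enumeration keys under any control set: a hidden key
# directly below one of these is the indicator the post describes.
SERVICE_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\(?:Enum\\Root|Services)\\([^\\]+)",
    re.IGNORECASE,
)
# The EDITED addition: a hidden key directly under CurrentVersion.
CURRENT_VERSION_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\([^\\]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    path: str
    key_name: str      # the "xxxx" part chosen by the rootkit
    description: str   # what RootkitRevealer said about the discrepancy


def normalize_path(path: str) -> str:
    """Accept both the long and the short spelling of the root key."""
    return re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", path.strip(),
                  flags=re.IGNORECASE)


def parse_report(text: str) -> list[tuple[str, str, str, str]]:
    """Split the report into (path, timestamp, size, description) rows;
    header or free-text lines with a different field count are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != REPORT_FIELDS:
            continue
        rows.append(tuple(p.strip() for p in parts))
    return rows


def triage(text: str) -> list[Finding]:
    """Return only the discrepancies under the registry paths from the post."""
    findings = []
    for path, _timestamp, _size, description in parse_report(text):
        p = normalize_path(path)
        match = SERVICE_KEY_RE.match(p) or CURRENT_VERSION_RE.match(p)
        if match:
            findings.append(Finding(p, match.group(1), description))
    return findings


def has_rootkit_indicator(text: str) -> bool:
    return bool(triage(text))


# Constructed sample report: two lines of typical benign noise (a frequently
# rewritten seed value, a temp file hidden from the API) followed by three
# discrepancies of the shape the post says indicate a rootkit.
SAMPLE_REPORT = """\
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed\t2006-01-10 09:12\t80 bytes\tData mismatch between Windows API and raw hive data.
C:\\Documents and Settings\\user\\Local Settings\\Temp\\~DF1A2B.tmp\t2006-01-10 09:13\t16.00 KB\tHidden from Windows API.
HKLM\\SYSTEM\\ControlSet001\\Services\\hiddensvc_example\t2006-01-10 09:14\t0 bytes\tHidden from Windows API.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_HIDDENSVC_EXAMPLE\t2006-01-10 09:14\t0 bytes\tHidden from Windows API.
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\example_key\t2006-01-10 09:15\t0 bytes\tHidden from Windows API.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.key_name:28} {f.description:32} {f.path}")
```

Run it against a saved report instead of the constructed sample by reading the file into `triage()`; anything it returns is worth a closer look under the post's rule, while the discrepancies it drops are the ones the author says can be disregarded.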

A. Elshafei

References:

http://www.sysinternals.com/Utilities/RootkitRevealer.html

English: www.islaam.ca    -    Arabic: www.sahab.net