Cr4sh wrote: Hi,
Does anyone know of any tool for user-mode code hook detection that works on modern x86 and x64 versions of Windows? I already checked a thread with the list of anti-rootkits, but it seems that there is nothing usable for my task.
Hello,
Despite the fact that you have already found a sort of solution, I'll answer on
https://twitter.com/d_olex/status/526816432126849024.
This list contains programs of the "antirootkit" type (or proclaimed as such) which we were able to find in the beginning. A huge amount of them are kids'/students' works never intended to be "actually" working in any way. This is the main specialty of this software type - failure by design, low-quality code based on numerous system hacks, without proper debugging and sometimes lacking system architecture understanding. This software type was raised in the middle of the 00s because regular antimalware software was sucking so hard no one can imagine (well, you can). And Windows XP, the failure OS, was everywhere. Most of this software was developed on Windows XP with Windows XP in mind. Sad, but this is true for all "antirootkits", even those which are incorporated in modern fakea... I mean antiviruses. We can't keep a "comprehensive" list of "working" antirootkits, because:
1) No methodology for how we can determine that, for example, efficiency -> they can detect but are unable to remove, fail to start here, and run on another computer just fine <- and all this is just fine for this type of software. This is "intended".
2) We can't do ridiculous ARK tests like antimalware.ru did in the other way -> we don't have a large amount of free time to waste playing with this crapware, outdated in all aspects.
Windows moved forward from that ARK era a long time ago, and malware did too. ARKs are now replaced by debuggers/custom-made special forensic tools on the research side, and by specialized tools (which can only target a limited type of rootkits and are designed only for this)/offline removers (live DVD, live USB) on the users' side. Malware adapted to new Windows versions, and surprisingly it turned out that you don't need any rootkit components to gain and maintain a profitable botnet - Sirefef is an excellent example. In fact, all these rootkit components were always a self-revealing feature of malware -> when a user asked for antirootkit assistance, he/she was already aware of "anomalies" on their PC, so it was only a question of time before the bot was killed.
Despite a few still-supported tools -> this list is mostly for museum purposes.
TL;DR
If you need something *really* efficient - write your own or use anything else. This software class has been dead for a long time. They did what they were intended to do and now they are dead, and this is good for all.