A forum for reverse engineering, OS internals and malware analysis 

 #30816  by kurt2121
 Mon Sep 04, 2017 4:18 am
So my old HDD had an Alureon rootkit in the last sectors of the drive and I was wondering how I can determine when it was created. Would there be a time stamp associated with it? Would looking at it with a hex editor yield any results?
 #30819  by EP_X0FF
 Tue Sep 05, 2017 9:30 am
Old, unused HDD -> no way. You can determine when it was compiled, however, if you manage to extract the TDL components from the drive. Also, old TDL versions may store the install date in the config file.
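
Added example, not part of the thread: reading the compile time mentioned in the reply above from an already extracted component, assuming that component is a PE file so the value is the COFF `TimeDateStamp` field. The function names and the sample header are constructed for illustration.

```python
import struct
import sys
from datetime import datetime, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp
    _machine, _nsect, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def assess(compiled: datetime, now=None) -> str:
    """Classify the timestamp so an implausible value is not taken at face value."""
    now = now or datetime.now(timezone.utc)
    if compiled.timestamp() == 0:
        return "zeroed"      # field wiped or never set
    if compiled > now:
        return "future"      # cannot be a real build time
    return "plausible"

def sample_pe(stamp: int) -> bytes:
    """Constructed minimal MZ/PE header carrying the given timestamp (test input)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x2102)
    return dos + b"PE\0\0" + coff

if __name__ == "__main__":
    # Usage: python pe_time.py <extracted_component>
    with open(sys.argv[1], "rb") as fh:
        when = pe_compile_time(fh.read())
    print(when.isoformat(), assess(when))
```

The field is written by the linker and can be changed afterwards, so it is one indicator to weigh against other evidence rather than proof of a build date.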