ARKit is an open-source rootkit detection library for Microsoft Windows. ARKit has two components:http://code.google.com/p/arkitlib/
1. ARKitLib - A Win32/C++ static library that exposes various methods to scan system and detect rootkits
2. ARKitDrv - A device driver that actually implements methods to scan and detect rootkits
Currently, ARKit has following features:
1. Process scanning – Detect all running processes (hidden and visible)
2. DLL scanning – Detect DLLs loaded in a process
3. Driver scanning – Detect all loaded drivers (hidden and visible)
4. SSDT hook detection
5. Sysenter hook detection
6. Kernel inline hook detection
ARKit works on 32-bit flavors of Windows 2000, XP, 2003 and Vista. It has not been tested on Windows 2008 and Windows 7 yet.
A forum for reverse engineering, OS internals and malware analysis
Copy-pasted methods from author of SysProt inspired by old Hoglunds book.
I can't find a source code to acknowledge this, but from ...
It is useless even against 3 years old demo rootkits and completely useless against malware rootkits.
I can't find a source code to acknowledge this, but from ...
Summary of detection techniques in ARKit¶... I believe it is.
Process detection methods:
* PID brute force
* TID brute force
Driver detection methods:
* PsLoadedModuleList traversing
* \Driver\ directory traversing in Object Manager
* \Device\ directory traversing in Object Manager
It is useless even against 3 years old demo rootkits and completely useless against malware rootkits.
Ring0 - the source of inspiration
Thanks.
Open source rootkit detection :p
edit : ah swatcat is the author of SysProt :)
http://swatrant.blogspot.com/
Open source rootkit detection :p
Brute forceOld known rootkit detection, can't see brute forcing ID's working today.
edit : ah swatcat is the author of SysProt :)
http://swatrant.blogspot.com/
Who controls the past controls the future
Who controls the present controls the past
Who controls the present controls the past
If you're particularly bored, here's the source:
http://code.google.com/p/arkitlib/sourc ... k/ARKitDrv
http://code.google.com/p/arkitlib/sourc ... k/ARKitLib
http://code.google.com/p/arkitlib/sourc ... k/ARKitDrv
http://code.google.com/p/arkitlib/sourc ... k/ARKitLib
Not really impressive scope of beginners methods. Practical usefulness of these methods around zero.
Simple PEB unlinking eliminates dll detection (wtf he coded it in driver nobody knows, perhaps he likes blue screens).
Scanning of object directory is primitive and incomplete. What about brute-forcing by PID/TID, well this is LOL method.
This project can detect something < 2007. As open-source even KsBinSword is better.
Simple PEB unlinking eliminates dll detection (wtf he coded it in driver nobody knows, perhaps he likes blue screens).
Scanning of object directory is primitive and incomplete. What about brute-forcing by PID/TID, well this is LOL method.
This project can detect something < 2007. As open-source even KsBinSword is better.
Ring0 - the source of inspiration