A forum for reverse engineering, OS internals and malware analysis 

 #1232  by a_d_13
 Thu Jun 03, 2010 11:28 am
Hello,

Deep System Explorer and HookShark both mirrored here - links have been added. Thanks to EP_X0FF for providing them.

Thanks,
--AD
 #1315  by a_d_13
 Wed Jun 23, 2010 4:03 pm
Hello,

List has been updated with a 64-bit antirootkit - TrueX64. If you know of any other tools that support 64-bit Windows (and show meaningful results), please post links here and I will update main list.

Thanks,
--AD
 #1321  by EP_X0FF
 Thu Jun 24, 2010 5:09 pm
Find_Hidden_Dll (by Eric_71) link is dead.
 #1322  by a_d_13
 Thu Jun 24, 2010 5:34 pm
EP_X0FF wrote: Find_Hidden_Dll (by Eric_71) link is dead.
I have sent Eric_71 a PM regarding this. With his permission, I will mirror the tool here.

Thanks,
--AD
 #1411  by kareldjag/michk
 Sun Jul 04, 2010 7:13 pm
Hi

For information purposes only, some tools can be mentioned:
A good and known (here, I guess) list can be found here:
http://www.ntinternals.org/anti_rootkits.php
ARK 2007 and Rootkitshark are not available on their official site.
Malcode Analyst Pack: hidden process detection via GDISharedHandle Table:
http://labs.idefense.com/files/labs/rel ... views/map/
SSDT Revealer: http://zairon.wordpress.com/2007/03/20/ ... -revealer/
SDT Cleaner: http://oss.coresecurity.com/projects/sdtcleaner.html
Filter Monitor: http://ntcore.com/filtermon.php
Security Task Manager: http://www.neuber.com/taskmanager/index.html
VmxARK from mj0011, for VM rootkits:
http://hi.baidu.com/mj0011/blog/item/c2 ... 187d2.html
http://code.google.com/p/vmxark/downloads/list
A French detector is under dev. against BluePill clones.

IceSword clones (I give links to complete the NtInternals list)
Wsyscheck English version: http://tailong.webng.com/Wsyscheck.rar
Chinese version: http://down.tech.sina.com.cn/content/36345.html
Syscheck: http://download.chinaprj.cn/detail/DbDsisi
http://download.chinaprj.cn/detail/iDbDiTsE
SnipeSword: http://download.chinaprj.cn/detail/BBEDTbE
KsBinSword: http://en.pudn.com/downloads140/sourcec ... 43_en.html
http://download.chinaprj.cn/detail/iOTbiBqi
NhsScan 0.9.5.rar: http://www.mediafire.com/?tinqniznigx

Old cmdline tools for information purposes:

System Virginity Verifier: http://www.invisiblethings.org/code.html
SDTRestore: http://www.security.org.sg/code/sdtrestore.html
KprocCheck: http://www.security.org.sg/code/kproccheck.html
Kernel SC: http://dondie.de/?action=25&letter=Y&id=16
Find Hidden Service: http://dondie.de/?action=25&letter=Y&id=3
Process Master v1.2: http://dondie.de/?action=25&letter=Y&id=30
Hidden Service Detector: http://www.jhdscript.com/downloadview.php?id=189

http://g3nius.org/hsd/index.php


I do not list forensic tools which are not "check and find", and as I do not travel with my external HDs, I've forgotten a few detectors.
There's a lot "to drink and to eat" on rootkit detectors, even if all are not equal, of course...
Old discussion... "Yes but well" as is said in French: http://www.ouaismaisbon.ch/

Au revoir
 #1416  by Meriadoc
 Mon Jul 05, 2010 2:39 am
Hi kareldjag/michk,
...Rootkitshark are not available on their official site
I think Advances are no more. Here is RootkitShark anyway - forgot I had this.
 #1564  by Meriadoc
 Fri Jul 16, 2010 11:08 am
Process Master from Holy Father posted above by kareldjag/michk reminded me of another Process Master (in fact there were a few) that also shows hidden processes.

Anyway, after going through a stack of CDs...

Process Master 1.1 - one for the archive :)
An advanced utility for hidden processes detection and killing. It successfully detects the presence of such famous rootkits as HackerDefender and Fu. Recommended for advanced users.
fu -ph 1576