Hello,
Finally, after nearly a year, another release of RootRepeal is close to ready. I've rewritten most of the code involved in RootRepeal, and rewritten the GUI from scratch. As a result, the file size is now about 130KB, and it's substantially more stable and extensible.
In addition, I have included some upgrades that will allow RootRepeal to detect the TDL3 rootkit. It should detect all variants conceptually, including the latest version(s).
This is BETA software, so it may crash your computer, or break something. Please be sure to back up all your files first! If you experience a crash, please upload the minidumps and/or crash report(s) here, or you can email them to me at rootrepeal[at]gmail[d0t]com.
Sample report detecting TDL3:
ROOTREPEAL (c) AD, 2007-2010
==================================================
Report Save Time: 2010/04/18 00:09
Program Version: Version 2.0.0.0
Windows Version: Windows XP SP2
==================================================
DRIVERS
-------------------
File Invisible Dbgv.sys 0xfbe9f000 C:\WINDOWS\system32\Drivers\Dbgv.sys, 15616 bytes
File Invisible dump_atapi.sys 0xfbe83000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
File Invisible dump_WMILIB.SYS 0xfc9f4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS, 8192 bytes
File Invisible rootrepeal.sys 0xfb4d7000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 90112 bytes
PROCESSES
-------------------
4 - System
324 - C:\WINDOWS\system32\smss.exe
388 - C:\WINDOWS\system32\alg.exe
420 - C:\WINDOWS\system32\csrss.exe
452 - C:\WINDOWS\system32\winlogon.exe
548 - C:\WINDOWS\system32\services.exe
560 - C:\WINDOWS\system32\lsass.exe
716 - C:\WINDOWS\system32\svchost.exe
784 - C:\WINDOWS\system32\svchost.exe
860 - C:\WINDOWS\system32\svchost.exe
980 - C:\WINDOWS\system32\svchost.exe
1004 - C:\WINDOWS\system32\svchost.exe
1084 - C:\WINDOWS\system32\wbem\wmiprvse.exe
1144 - C:\WINDOWS\system32\cmd.exe
1172 - C:\Documents and Settings\A\Desktop\RRGui.exe
1176 - C:\WINDOWS\system32\svchost.exe
1196 - C:\WINDOWS\explorer.exe
1260 - C:\Documents and Settings\A\Desktop\Dbgview.exe
1344 - C:\WINDOWS\system32\spoolsv.exe
1476 - C:\WINDOWS\system32\wuauclt.exe
1484 - C:\WINDOWS\system32\wbem\wmiadap.exe
1656 - C:\WINDOWS\system32\wbem\wmiprvse.exe
1864 - C:\WINDOWS\system32\wuauclt.exe
FILES
-------------------
STEALTH CODE
-------------------
System 0x8125a02f - Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System 0x81257ff4 - Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System 0x8125807e - Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System 0x81256434 - Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System 0x81262dff - Hidden Code [ETHREAD: 0xffb67608, TID: 1568]
System 0xfc4145f7 - Modified Entry Point [Driver: atapi, Other Val: 0xfc415380]
System 0x8129e680 - Modified Image Section [Driver: atapi, Section Name: .reloc]
System 0x8129e680 - Modified Image Section [Driver: atapi, Section Name: .rsrc]
System 0x8129e680 - Modified Image Section [Driver: atapi, Section Name: INIT]
HIDDEN SERVICES
-------------------
SSDT
-------------------
SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK
SHADOW SSDT
-------------------
CALLBACKS
-------------------
LoadImage 0x8125a6a8 <unknown>
--AD
Attachments
RootRepeal 2.0.0 Beta
(125.46 KiB) Downloaded 262 times
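For anyone who wants to triage a report like the one above mechanically, here is an added Python example; it is not part of the original post and not RootRepeal's own code. It parses the report into its sections, reads the STEALTH CODE lines, and summarises what a responder looks for first: which driver has a modified entry point and modified image sections, which thread IDs carry hidden code, and whether every SSDT check came back OK. The embedded report excerpt is constructed from the sample in the post (header, two DRIVERS lines, the full STEALTH CODE block and the SSDT line); the section names, the finding line format and the "File Invisible" flag are taken from that sample, while the grouping logic and the field names in the result dictionary are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of the RootRepeal 2.0.0 sample report quoted in the post.
# Other sections (PROCESSES, FILES, CALLBACKS) are trimmed to keep the example short.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2010
==================================================
Report Save Time: 2010/04/18 00:09
Program Version: Version 2.0.0.0
Windows Version: Windows XP SP2
==================================================
DRIVERS
-------------------
File Invisible dump_atapi.sys 0xfbe83000 C:\WINDOWS\System32\Drivers\dump_atapi.sys, 98304 bytes
File Invisible rootrepeal.sys 0xfb4d7000 C:\WINDOWS\system32\drivers\rootrepeal.sys, 90112 bytes
STEALTH CODE
-------------------
System 0x8125a02f - Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System 0x81257ff4 - Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System 0x8125807e - Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System 0x81256434 - Hidden Code [ETHREAD: 0x812915a8, TID: 8]
System 0x81262dff - Hidden Code [ETHREAD: 0xffb67608, TID: 1568]
System 0xfc4145f7 - Modified Entry Point [Driver: atapi, Other Val: 0xfc415380]
System 0x8129e680 - Modified Image Section [Driver: atapi, Section Name: .reloc]
System 0x8129e680 - Modified Image Section [Driver: atapi, Section Name: .rsrc]
System 0x8129e680 - Modified Image Section [Driver: atapi, Section Name: INIT]
HIDDEN SERVICES
-------------------
SSDT
-------------------
SYSCALL OK, INT 0x2E OK, ServiceTable OK, Driver IAT OK
SHADOW SSDT
-------------------
"""

# Section headings as they appear in the sample report; each is followed by a dashed rule.
SECTION_NAMES = {"DRIVERS", "PROCESSES", "FILES", "STEALTH CODE", "HIDDEN SERVICES",
                 "SSDT", "SHADOW SSDT", "CALLBACKS"}
SEPARATOR = "-------------------"

# "<process> <address> - <kind> [<key>: <value>, ...]" as in the STEALTH CODE block.
STEALTH_RE = re.compile(
    r"^(?P<process>\S+) (?P<address>0x[0-9a-fA-F]+) - (?P<kind>.+?) \[(?P<details>.*)\]$")
# "File Invisible <name> <base> <path>, <size> bytes" as in the DRIVERS block.
DRIVER_RE = re.compile(
    r"^File Invisible (?P<name>\S+) (?P<base>0x[0-9a-fA-F]+) (?P<path>.+), (?P<size>\d+) bytes$")


def split_sections(report):
    """Map each section heading to the lines under it; header text before the first section is dropped."""
    sections, current = {}, None
    for line in report.splitlines():
        if line in SECTION_NAMES:
            current = line
            sections[current] = []
        elif current is None or line == SEPARATOR or not line.strip():
            continue
        else:
            sections[current].append(line)
    return sections


def parse_stealth_code(lines):
    """Turn each STEALTH CODE line into a dict with the bracketed details split into key/value pairs."""
    findings = []
    for line in lines:
        m = STEALTH_RE.match(line)
        if not m:
            continue
        details = dict(field.partition(": ")[::2] for field in m.group("details").split(", "))
        findings.append({"process": m.group("process"), "address": int(m.group("address"), 16),
                         "kind": m.group("kind"), "details": details})
    return findings


def parse_invisible_drivers(lines):
    """Names of drivers flagged 'File Invisible'; in the sample this includes RootRepeal's own driver."""
    return [m.group("name") for m in map(DRIVER_RE.match, lines) if m]


def triage(report):
    """Summarise a report the way a responder reads it: what is patched, where hidden code runs, and whether the syscall tables were clean."""
    sections = split_sections(report)
    findings = parse_stealth_code(sections.get("STEALTH CODE", []))
    patched = defaultdict(lambda: {"entry_point": False, "sections": []})
    for f in findings:
        driver = f["details"].get("Driver")
        if driver is None:
            continue
        if f["kind"] == "Modified Entry Point":
            patched[driver]["entry_point"] = True
        elif f["kind"] == "Modified Image Section":
            patched[driver]["sections"].append(f["details"]["Section Name"])
    hidden_threads = sorted({int(f["details"]["TID"]) for f in findings if f["kind"] == "Hidden Code"})
    ssdt_lines = sections.get("SSDT", [])
    # The SSDT line is a comma-separated list of checks, each ending in "OK" when untouched.
    ssdt_clean = bool(ssdt_lines) and all(
        check.endswith(" OK") for line in ssdt_lines for check in line.split(", "))
    return {"findings": len(findings),
            "by_kind": dict(Counter(f["kind"] for f in findings)),
            "patched_drivers": dict(patched),
            "hidden_code_threads": hidden_threads,
            "ssdt_clean": ssdt_clean,
            "invisible_drivers": parse_invisible_drivers(sections.get("DRIVERS", []))}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The point of keeping the "File Invisible" drivers in a separate list is visible in the sample itself: that flag is set on RootRepeal's own rootrepeal.sys and on the dump_* crash-dump drivers, so on its own it is not evidence of an infection. What the summary surfaces as actionable is the combination the post's report shows for TDL3: a patched entry point and modified sections in atapi together with hidden code running in System threads, while the SSDT checks stay clean.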