[redp]

download
documentation

[Cr4sh]

Nice tool for anomalies detection, much more powerful than most of the "classical" anti-rootkits.
Surprisingly stable: no BSoDs on my test machines since early beta releases.

[CloneRanger]

@ redp

Thanks for the tool :) After allowing it through several of my security Apps i was able to run it. When it completed though it closed with no visable Log ? I expected to see one in the same folder i placed Wincheck. Where should it be ?

Also i got a FP from Avira !

[redp]

Just bad detect. I suspect because KeServiceDescriptorTable presents in import table ;)
wincheck writes to standard stdout, so just redirect it to file

[CloneRanger]

wincheck writes to standard stdout, so just redirect it to file

What's the easiest way to do that, i'm no expert ;)

TIA

[redp]

run cmd.exe as administrator
type:
fullpath2wincheck > some.log

[CloneRanger]

run cmd.exe as administrator
type:
fullpath2wincheck > some.log

OK thanks :)

[redp]

uploaded new version
Changelog:
- add -f option to point log file name
- add -k option for processes killing
- add -uem option for finding strange memory ranges with executable attributes. Not considered memory mapped for loaded modules, PEB.GdiSharedHandleTable & SHAREDINFO.aheList

[redp]

new version
Can print system threads with -st option

[redp]

uploaded new version
Now it's able to dump all KTIMERs with option -kt on both 32 & 64bit