A forum for reverse engineering, OS internals and malware analysis 

 #249  by Alex
 Tue Mar 16, 2010 9:21 pm
I've updated the results of the Hidden Dynamic-Link Library Detection Test, because in the previous version of Invisible DLL 1.0 there was a serious mistake which allowed the hidden DLL to be detected by software like Find_Hidden_Dll 0.1.1.1 and XueTr 0.32. I didn't remove the previous results of the test, to allow everyone to compare them with the current table.

I'd like to thank Eric_71, who helped me find and correct this mistake.

Alex
 #301  by sww
 Thu Mar 18, 2010 2:56 pm
Hehe, our (former) DwShark is still good on that :)

Alex, does a process crash after erasing the VAD? Or do you just erase some unimportant fields? :)
 #303  by Alex
 Thu Mar 18, 2010 3:52 pm
Hi SWW,

Yes, DwShark is one of the best anti-rootkits. It's a pity that improved versions of DwShark are no longer available as stand-alone tools.

No, the process doesn't crash after erasing the VAD, because I erase/change only some fields.

Alex
 #304  by sww
 Thu Mar 18, 2010 4:39 pm
Alex wrote: It's a pity that improved versions of DwShark are no longer available as stand-alone tools.
It's just because we've changed our job :) Kaspersky right now.
 #307  by EP_X0FF
 Thu Mar 18, 2010 5:43 pm
A simple loader that maps a DLL into a foreign process address space should be able to bypass this kind of detection. Or a very easy manipulation of the VAD entry, for example zeroing FilePointer :)
 #316  by Alex
 Thu Mar 18, 2010 6:46 pm
sww wrote: It's just because we've changed our job :) Kaspersky right now.
But Kaspersky also doesn't provide a stand-alone tool :(
EP_X0FF wrote: A simple loader that maps a DLL into a foreign process address space should be able to bypass this kind of detection.
It's true, but this is another story ;)
EP_X0FF wrote: Or a very easy manipulation of the VAD entry, for example zeroing FilePointer :)
Yes, I do a very easy manipulation, but zeroing FilePointer without other modifications isn't enough. Tools like RootRepeal or HookShark will show a module without a name as hidden; other detectors don't see such a hidden module.

Alex
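The detection heuristic Alex describes (a tool treating an image mapping that carries no file name, or that the loader's module list does not account for, as hidden) is a cross-view comparison. The following is an added example, not code from this thread or from any of the tools named in it; the VAD and PEB listings are constructed sample data, and the field names and the checks are this example's own simplification of what a real memory-forensics tool compares.

```python
"""Cross-view check: image-backed memory regions versus the loader's module list.

Constructed example: SAMPLE_VADS and SAMPLE_PEB below are hand-made data,
not captures from a real process. Regions are keyed by base address for
simplicity; a real VAD stores page numbers and more fields than modelled here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VadEntry:
    start: int                # base address of the region
    end: int                  # last address of the region (inclusive)
    is_image: bool            # region backs a mapped image section
    file_name: Optional[str]  # None models a missing (e.g. zeroed) file pointer


@dataclass(frozen=True)
class PebModule:
    base: int                 # DllBase as recorded in the loader's module list
    size: int
    name: str


def find_suspicious_images(vads: List[VadEntry], peb: List[PebModule]) -> List[Dict]:
    """Return image regions that carry no file name or that the PEB module
    list does not account for, each with the reasons it was flagged.

    Only image-backed regions are examined: private regions (heaps, stacks)
    and plain data mappings legitimately have no loader entry.
    """
    peb_by_base = {m.base: m for m in peb}
    findings: List[Dict] = []
    for v in vads:
        if not v.is_image:
            continue
        reasons = []
        if v.file_name is None:
            reasons.append("image region without file name")
        if v.start not in peb_by_base:
            reasons.append("image region absent from PEB module list")
        if reasons:
            findings.append({"start": v.start, "end": v.end,
                             "name": v.file_name, "reasons": reasons})
    return findings


# Constructed sample: a calc.exe-like process with two legitimate modules,
# one private region, and two image mappings a loader-list-only view would miss.
SAMPLE_VADS = [
    VadEntry(0x01000000, 0x0101EFFF, True, "calc.exe"),
    VadEntry(0x7C900000, 0x7C9AEFFF, True, "ntdll.dll"),
    VadEntry(0x00400000, 0x004FFFFF, False, None),         # private region, skipped
    VadEntry(0x10000000, 0x1000FFFF, True, None),          # image mapping, no file name
    VadEntry(0x20000000, 0x2000FFFF, True, "sample.dll"),  # named, but not in the PEB list
]
SAMPLE_PEB = [
    PebModule(0x01000000, 0x1F000, "calc.exe"),
    PebModule(0x7C900000, 0xAF000, "ntdll.dll"),
]

if __name__ == "__main__":
    for f in find_suspicious_images(SAMPLE_VADS, SAMPLE_PEB):
        print(f"{f['start']:#010x}-{f['end']:#010x} {f['name']!r}: {', '.join(f['reasons'])}")
```

The two flagged regions correspond to the two cases in the thread: a region whose name is gone shows up as a nameless hidden module, and a region with a name but no loader entry is what a pure PEB-walking detector misses. A view that only consults the loader list reports nothing for either.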
 #317  by EP_X0FF
 Thu Mar 18, 2010 6:51 pm
Alex wrote: Yes, I do a very easy manipulation, but zeroing FilePointer without other modifications isn't enough. Tools like RootRepeal or HookShark will show a module without a name as hidden; other detectors don't see such a hidden module.
Yes, I know :) However, I doubt that real malware will use such a hiding trick. It is too complicated when an easier and safer solution is available (especially if we are talking about user-mode trojans).
 #318  by Alex
 Thu Mar 18, 2010 7:15 pm
Don't invoke the wolf from the forest :D Because malware writers always take the line of least resistance, I don't think that this method will be used by them in the future.

Alex
 #321  by sww
 Fri Mar 19, 2010 7:37 am
I think that it's easier to not use DLLs at all. Just memory, just code, just thread.
 #547  by Alex
 Sat Apr 03, 2010 6:41 pm
Hidden Dynamic-Link Library Detection Test
- retested - XueTr 0.33

This time it isn't a mistake in the code of Invisible Dll 1.1; XueTr 0.33 can detect the hidden DLL using additional information taken from structures related to the modified VAD leaf. I'm going to update Invisible Dll to version 1.2. This will be the final version of this tool, since hiding a DLL loaded in the usual way is too complicated and problematic for potential malware, so there's no point in updating this code ad infinitum.

There is another implementation of DLL hiding code based on VAD manipulation - "Hidding Module from the Virtual Address Descriptor Tree". As a result of "unlinking" the hidden VAD leaf, the process (calc.exe) becomes very unstable; some additional VADs become inaccessible - not only the ntdll.dll-related one, which should be hidden.

In connection with suggestions about creating an RSS feed, I created a simple RSS feed available under this link.

Alex