A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #9804  by Cr4sh
 Mon Nov 21, 2011 9:14 pm
Nice tool for anomalies detection, much more powerful than most of the "classical" anti-rootkits.
Surprisingly stable: no BSoDs on my test machines since early beta releases.
 #9810  by CloneRanger
 Tue Nov 22, 2011 8:21 am
@ redp

Thanks for the tool :) After allowing it through several of my security apps I was able to run it. When it completed, though, it closed with no visible log? I expected to see one in the same folder I placed Wincheck in. Where should it be?

Also I got an FP from Avira!
Attachment: drv2.gif
 #9812  by redp
 Tue Nov 22, 2011 8:30 am
Just a bad detection. I suspect it's because KeServiceDescriptorTable is present in the import table ;)
wincheck writes to standard output (stdout), so just redirect it to a file.
 #9813  by CloneRanger
 Tue Nov 22, 2011 8:32 am
wincheck writes to standard output (stdout), so just redirect it to a file.
What's the easiest way to do that? I'm no expert ;)

TIA
 #9814  by redp
 Tue Nov 22, 2011 8:37 am
run cmd.exe as administrator
type:
fullpath2wincheck > some.log
 #9815  by CloneRanger
 Tue Nov 22, 2011 8:39 am
run cmd.exe as administrator
type:
fullpath2wincheck > some.log
OK thanks :)
 #10037  by redp
 Wed Nov 30, 2011 7:56 pm
uploaded new version
Changelog:
- added the -f option to specify the log file name
- added the -k option for killing processes
- added the -uem option for finding strange memory ranges with executable attributes. Memory mapped for loaded modules, PEB.GdiSharedHandleTable and SHAREDINFO.aheList is not considered.
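The idea behind -uem (executable ranges that belong to no loaded module), as an added user-mode illustration in Python that is not wincheck's own code: it classifies regions returned by VirtualQueryEx, skipping image mappings and a caller-supplied allowlist of known shared sections (the equivalent of the PEB.GdiSharedHandleTable exclusion above; the bases used here are constructed, as are the sample regions).

```python
"""Flag committed executable memory ranges that are not backed by a loaded module.
Added illustration of the -uem idea; not wincheck's code. Sample data is constructed."""
import sys
from collections import namedtuple

# Win32 constants (MEMORY_BASIC_INFORMATION.State / .Type / .Protect)
MEM_COMMIT, MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000, 0x1000000, 0x40000, 0x20000
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

Region = namedtuple("Region", "base size state protect type")

def suspicious_regions(regions, allow=()):
    """Committed, executable ranges that are not an image mapping (a loaded module)
    and whose base is not in `allow` (known executable shared sections the caller
    chooses to skip, like the GDI shared handle table wincheck excludes)."""
    return [r for r in regions
            if r.state == MEM_COMMIT and r.protect & EXEC_MASK
            and r.type != MEM_IMAGE and r.base not in allow]

def walk_process(pid):
    """Enumerate a live process's regions with VirtualQueryEx (Windows only)."""
    import ctypes
    from ctypes import wintypes as wt
    class MBI(ctypes.Structure):  # MEMORY_BASIC_INFORMATION; alignment pads correctly on x64
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wt.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wt.DWORD), ("Protect", wt.DWORD), ("Type", wt.DWORD)]
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype, k32.OpenProcess.argtypes = wt.HANDLE, [wt.DWORD, wt.BOOL, wt.DWORD]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [wt.HANDLE, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
    h = k32.OpenProcess(0x0400, False, pid)  # PROCESS_QUERY_INFORMATION
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, addr, mbi = [], 0, MBI()
    try:  # VirtualQueryEx returns 0 once addr passes the end of user space
        while k32.VirtualQueryEx(h, ctypes.c_void_p(addr), ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(h)
    return regions

def demo_regions():
    """Constructed sample (addresses are made up): module .text, RW heap, reserved-only
    range, executable shared section, and a private RWX allocation (the -uem hit)."""
    return [Region(0x7FF600001000, 0x1000, MEM_COMMIT, 0x20, MEM_IMAGE),
            Region(0x1C0000, 0x10000, MEM_COMMIT, 0x04, MEM_PRIVATE),
            Region(0x2D0000, 0x4000, 0x2000, 0x01, MEM_PRIVATE),
            Region(0x7FFE0000000, 0x2000, MEM_COMMIT, 0x20, MEM_MAPPED),
            Region(0x3A0000, 0x3000, MEM_COMMIT, 0x40, MEM_PRIVATE)]

if __name__ == "__main__":
    live = sys.platform == "win32" and len(sys.argv) > 1
    src = walk_process(int(sys.argv[1])) if live else demo_regions()
    for r in suspicious_regions(src, allow={0x7FFE0000000}):
        print(f"{r.base:#018x} size={r.size:#x} protect={r.protect:#x} type={r.type:#x}")
```

On Windows, `python script.py <pid>` scans a live process; elsewhere it runs on the constructed sample and reports only the private RWX range.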
 #10463  by redp
 Mon Dec 19, 2011 2:45 pm
uploaded new version
Now it's able to dump all KTIMERs with the -kt option on both 32- and 64-bit.