RootRepeal (old name: DriverDetect)
a_d_13
Senior Member
Joined: 08 September 2007, Posts: 266
Posted: 06 March 2008 at 6:24am
Hello,
Thanks for the name suggestions! I'm still trying to decide what name to pick, but I will let you know if I choose one of yours.
Yes, it does have a "Save Report" button, which saves a log of the current page.
Vista compatibility is very bad. I don't have a copy to test on, but it may still work, as I've tried to refrain from using hard-coded offsets anywhere. I would advise that, if someone is to use it on Vista, they DO NOT use the "Wipe File" or "Copy File" features! I can't guarantee that anything will work, and you may get BSoDs at any time!
Finally, it will indeed work on a VM. It is currently conceptually unable to detect rootkits like Blue Pill or hypervisor-based rootkits, though.
Thanks,
--AD
CooKooBird
Senior Member
Joined: 03 March 2008, Location: United States, Posts: 148
Posted: 06 March 2008 at 2:49am
I have come up with a name or 2:
ADHD
ADs' Hidden Detector
or
ADs' Stream Finder
or
ADIOSmf
All Detection Inside OS many files
or
hadIT
hidden ads detector Improving Technology
or
HINTfs / HINTds
Hidden Inside NT file scanner / Hidden Inside NT detector scanner
or
PUFF ador
Process Unhiding File Finder ads detector
Does it save a log?
All n00bs need a log saving feature. That way we have proof of our stupidity.
How is the Vista compatibility now?
How does it fare against VM malware/rootkits? Are they wild yet?
Edited by CooKooBird - 06 March 2008 at 3:00am
EASTER
Senior Member
Joined: 27 October 2006, Location: United States, Posts: 336
Posted: 01 March 2008 at 11:33pm
There just might be something useful to come out from these exchanges, replies, reviews after all......
.....Listening, Watching, Waiting
INTENSIVE TECHNICAL RESEARCH ANALYSIS AND STEALTH EXAMINER.
SystemPro
Senior Member
Joined: 26 April 2007, Location: Germany, Posts: 504
Posted: 01 March 2008 at 2:11pm
Edited by SystemPro - 02 March 2008 at 7:11am
leecher
Newbie
Joined: 26 February 2008, Location: Austria, Posts: 35
Posted: 01 March 2008 at 12:59pm
Oh no, I already feared the day would come that EP_X0FF would stumble across my little utility, even though I didn't post it on rootkit.com...
Some history about Radix:
I originally developed the tool mid-2005 for my diploma thesis when there weren't so many Rootkit-Detectors around that could also patch back the modifications made by Rootkits. I just took Hoglund and Butler's Book about Rootkits and tried to find methods that could revert the changes described in there.
As there are only a few articles out there about rootkit removal methods, I had to develop them on my own, which was quite interesting.
After I got my degree, I used Radix to help other people that were infected with rootkits to remove them. So I thought it would be nice to release my application to the public. But there was still a lot of work to do to transform a PoC command-line tool into a tool that could be compiled for command-line operation as well as a tool with a GUI, without reimplementing all the code pieces twice. After testing the app on various different system configurations I got serious doubts whether I really should release it, as a user that doesn't know anything about rootkits could easily ruin his system with such a tool. But as this is also true for other antirootkit tools, I finally did it anyway and well, here it is.
Of course, in the meantime rootkit technology and also other antirootkit tools advanced and therefore it may be a little bit outdated. However I'm still interested in improving this project, therefore I would be interested in your test suite so that I can try to raise my detection rate a bit...
Do you have some details about your failed tests?
I was unable to find a method for removing IRP hooks, as the original address gets overwritten, so there is not much chance to restore the original pointers, as they get set by the driver on startup.
But for other modifications I found methods for patching the original values back, so I'm a bit surprised about this...
Do you have some suggestions for improvement?
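The IRP-hook problem described in the post above, as an added user-mode model (not Radix code): a hook overwrites a slot of the driver's dispatch table in place, so a range check can flag entries that point outside the driver's own image, but the original pointer can only be put back from a snapshot recorded before the hook landed. The structure, the addresses and the slot layout are constructed for illustration.

```c
/* User-mode model (added example, not Radix code) of the IRP dispatch table:
 * a hook overwrites a DRIVER_OBJECT.MajorFunction[] slot in place. Entries
 * outside the driver's own image can be flagged, but the original pointer can
 * only be put back if it was recorded before the hook landed. */
#include <stddef.h>
#include <stdint.h>

#define NUM_MAJOR 28             /* IRP_MJ_MAXIMUM_FUNCTION + 1 slots in NT */

typedef struct {
    uintptr_t image_start;       /* DriverStart */
    size_t    image_size;        /* DriverSize  */
    uintptr_t major_function[NUM_MAJOR];
} driver_model;

/* Constructed addresses: the driver image and a handler in some other image. */
#define DRV_BASE   0xF7A10000u
#define DRV_SIZE   0x00008000u
#define ROOTKIT_FN 0xF9C02110u

static int in_image(const driver_model *d, uintptr_t p) {
    return p >= d->image_start && p < d->image_start + d->image_size;
}

/* Driver whose dispatch entries all live inside its own image. */
void init_driver(driver_model *d) {
    d->image_start = DRV_BASE;
    d->image_size  = DRV_SIZE;
    for (size_t i = 0; i < NUM_MAJOR; i++)
        d->major_function[i] = DRV_BASE + 0x1000u + 0x40u * i;
}

/* Detection: count entries pointing outside the owning image; hooked[] gets
 * one flag per slot. A patch placed inside the image is not caught here. */
int count_foreign_entries(const driver_model *d, int hooked[NUM_MAJOR]) {
    int n = 0;
    for (size_t i = 0; i < NUM_MAJOR; i++) {
        hooked[i] = !in_image(d, d->major_function[i]);
        n += hooked[i];
    }
    return n;
}

/* Restoration needs a snapshot taken before the hook; without one the value
 * that was overwritten is gone. Returns 1 on success, 0 otherwise. */
int restore_entry(driver_model *d, size_t idx, const driver_model *snapshot) {
    if (idx >= NUM_MAJOR || snapshot == NULL) return 0;
    d->major_function[idx] = snapshot->major_function[idx];
    return 1;
}
```

Slot 14 (IRP_MJ_DEVICE_CONTROL) is the one replaced in the usage below; the range check flags it, but only the pre-hook snapshot can restore it.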
SystemPro
Senior Member
Joined: 26 April 2007, Location: Germany, Posts: 504
Posted: 28 February 2008 at 1:19am
Edited by SystemPro - 28 February 2008 at 5:28am
EP_X0FF
Senior Member
Joined: 08 March 2006, Location: Russian Federation, Posts: 4753
Posted: 27 February 2008 at 4:42pm
Like I said before, I tried this Radix and found nothing interesting. Currently it is not an antirootkit in my meaning. It is more a system information tool, which was unable to pass almost ~50% of my tests with several concepts (was unable to detect them completely). It can be simply tricked from user mode with good old stuff. In kernel mode it can be bypassed more easily. And it doesn't cover all that needs to be covered by a utility which is pretending to be an antirootkit. Moreover its removal abilities are very weak. So it is not in my list, and after a brief look at its driver, in the near future it will not be, nothing personal and with respect to its author.
AD's tool looks more interesting to me, because it is in an earlier phase of development and I can see some progress.
Edited by EP_X0FF - 27 February 2008 at 4:51pm
Ring0 - the source of inspiration
SystemPro
Senior Member
Joined: 26 April 2007, Location: Germany, Posts: 504
Posted: 27 February 2008 at 1:08pm
Radix.
Edited by SystemPro - 27 February 2008 at 1:11pm |
EP_X0FF
Senior Member
Joined: 08 March 2006, Location: Russian Federation, Posts: 4753
Posted: 27 February 2008 at 8:55am
@sww
Very funny indeed, maybe you are another instance of the multi-faced eXeBug phenomenon? Just to clarify some things, since your appearance here was reported as related to your pretty discussion with AntiEXE at rootkits.ru, so I wouldn't "Глумится" (mock) in your case, simply because I don't care, since I'm working on a different program with different targets and methods. I'm just pointing at the obvious things, but we are going fully off-topic, and if you still want this pointless discussion then you will have to create another topic on another forum and wait to see whether I come in or not. That is all, nothing personal :)
Ring0 - the source of inspiration
sww_
Groupie
Joined: 27 February 2008, Location: Russian Federation, Posts: 74
Posted: 27 February 2008 at 8:07am
"As WE expect"? You look like a "virtual" with many faces. Haha. Just kiddin'.
Edited by sww_ - 27 February 2008 at 8:07am