Sysinternals Homepage
Detecting rootkits with a dos cmd?

CrazyFish (Newbie, joined 23 May 2008, United Kingdom, 27 posts)
Posted: 14 June 2008 at 8:20am
hihihi
prorootect, are you really so stupid, or is it just a kind of joking style?

sc.exe (SCM) is based on advapi32.dll calls to the native APIs, which are always intercepted by rootkits of any kind, including old ones like AFX/Hxdef. Also, it would be very interesting to see how exactly your pitiful advice will help with CmCallbacks or SSDT-hooking rootkits =) All you can kind of find with this is system-visible stuff.

Just another piece of lame advice from you, like your previous one about (non)paged memory size; I laughed a lot at it. Keep trying, bring more circus here :)

Here is also a pointer for you: there exist so-called Performance Counters. How about that, maybe you can use them against rootkits 0_o
ROFL


Edited by CrazyFish - 14 June 2008 at 8:21am
molotov (Moderator Group, joined 04 October 2006, 17492 posts)
Posted: 14 June 2008 at 8:17am
If the service / driver is not hidden from enumeration, and it doesn't have a group, it will show up in the output. If this technique helps someone to find a rootkit, good for them. But I really don't see the value in it, over other discovery techniques.
Daily affirmation:
net helpmsg 4006
molotov (Moderator Group, joined 04 October 2006, 17492 posts)
Posted: 14 June 2008 at 7:00am
While one may make the argument a service or driver not being in a group may add to the "suspiciousness" of a service or driver, the number of results I get when I run the commands on my system (40 and 50, as indicated previously) makes it seem to me that not being in a group is not very unique or significant.
Daily affirmation:
net helpmsg 4006
controler (Senior Member, joined 01 October 2006, 222 posts)
Posted: 14 June 2008 at 6:57am
CooKooBird

Microsoft never did anything with Strider GhostBuster, did they?
I never heard any more on the project, and if EP works for them maybe they canned the old Strider project for something new.
Kaupp (Newbie, joined 02 October 2007, 4 posts)
Posted: 13 June 2008 at 10:03pm
Thanks!
molotov (Moderator Group, joined 04 October 2006, 17492 posts)
Posted: 13 June 2008 at 4:25pm
Originally posted by CooKooBird

Can I disable alternate data streams?

Don't use NTFS.
Daily affirmation:
net helpmsg 4006
CooKooBird (Senior Member, joined 03 March 2008, United States, 148 posts)
Posted: 13 June 2008 at 4:08pm
Can I disable alternate data streams?


You might be interested in this!
I Am Not A Malware Expert
For Other Queries Use **1*'
molotov (Moderator Group, joined 04 October 2006, 17492 posts)
Posted: 13 June 2008 at 2:51pm
40 and 50 are the counts for each command, run on my system, which is clean of malware...

Don't see how that really helps eliminate things.


Edited by molotov - 13 June 2008 at 2:52pm
Daily affirmation:
net helpmsg 4006
Santana (Newbie, joined 11 April 2007, Germany, 21 posts)
Posted: 13 June 2008 at 2:48pm
Originally posted by PROROOTECT

Hi, syntax examples of commands (cmd):

# sc query type= driver group= ""
  - Enumerates all active kernel drivers not in a group (+ rootkit drivers !??...)

# sc queryex group= ""
  - Enumerates active services not in a group (+ malware shared ...) ...

Thanks

If detecting rootkits were that easy, don't ya think that any AV software would be clever enough to include those commands in their products?

Santana
PROROOTECT (Senior Member, joined 06 April 2008, Fort Lee, NJ, 559 posts)
Posted: 13 June 2008 at 2:17pm
Hi, syntax examples of commands (cmd):

# sc query type= driver group= ""
  - Enumerates all active kernel drivers not in a group (+ rootkit drivers !??...)

# sc queryex group= ""
  - Enumerates active services not in a group (+ malware shared ...) ...

Thanks
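The two sc commands above report only what the Service Control Manager is willing to enumerate, which is the objection molotov and CrazyFish raise elsewhere in this thread. The PowerShell below is an added example, not code from any poster here: it lists the same no-group drivers and additionally compares the SCM view with the registry's Services keys, so a driver present in one listing but not the other stands out for a closer look. The function names are my own, and the registry is read through a different path than SCM RPC but is still a user-mode view, exactly as CrazyFish notes.

```powershell
# Added example, not code from this thread. Run from an elevated PowerShell prompt.
# Function names (Get-ScmDrivers, Get-RegistryDrivers) are my own.
# 'sc query type= driver group= ""' only shows the Service Control Manager's view,
# so a driver hidden from SCM enumeration never appears in it. Here the SCM view
# is set against the registry's Services keys, read by a different path. Both are
# still user-mode views, so a kernel rootkit can lie to both; the value is in
# spotting inconsistencies between them.

function Get-ScmDrivers {
    # SCM view via WMI: the same population 'sc query type= driver state= all' walks
    Get-CimInstance -ClassName Win32_SystemDriver |
        ForEach-Object { $_.Name.ToLowerInvariant() }
}

function Get-RegistryDrivers {
    # Registry view: Services keys whose Type is 1 (kernel) or 2 (file system driver)
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { continue }  # not a service entry
        if (([int]$p.Type -band 3) -eq 0) { continue }        # Win32 service, not a driver
        [pscustomobject]@{
            Name  = $key.PSChildName.ToLowerInvariant()
            Group = [string]$p.Group      # empty when the driver has no load-order group
            Start = $p.Start              # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
            Image = [string]$p.ImagePath
        }
    }
}

$scm = @(Get-ScmDrivers)
$reg = @(Get-RegistryDrivers)

# The thread's 'group= ""' subset. molotov sees 40-50 of these on a clean machine,
# so the count is context for an investigation, not a verdict on its own.
$noGroup = @($reg | Where-Object { $_.Group -eq '' })
"Drivers with no load-order group: {0}" -f $noGroup.Count

# Cross-view check: a key the SCM does not enumerate, or an SCM entry with no key.
# Often benign (a key written directly to the registry after boot, or a key this
# account cannot read), but each mismatch deserves an explanation.
$regNames  = $reg | Select-Object -ExpandProperty Name
$inRegOnly = $reg | Where-Object { $scm -notcontains $_.Name }
$inScmOnly = $scm | Where-Object { $regNames -notcontains $_ }

'--- In registry, not enumerated via SCM ---'
$inRegOnly | Format-Table Name, Group, Start, Image -AutoSize
'--- Enumerated via SCM, no readable registry key ---'
$inScmOnly
```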