Another antirootkit tool: CodeWalker
Metraton
Newbie
Joined: 14 October 2008 Location: Italy Online Status: Offline Posts: 15
Topic: Another antirootkit tool: CodeWalker
Posted: 27 November 2008 at 4:48pm
@Vetinari:
Avira's system includes many false positives; I had that experience too.
@thug4lif3:
"even if it's private like Metraton's":
1) You can add a notify-routines scanner;
2) Randomize file, driver, service and window program names.
I noticed that kernel-mode hooks can be deceiving by using DKOM; btw, imho it's a good ARK.

Edited by Metraton - 27 November 2008 at 5:11pm
A. Einstein: "Everyone knows that something is impossible to do, until some clueless person who doesn't know that comes along and invents it."
thug4lif3
Groupie
Joined: 05 August 2008 Location: Vietnam Online Status: Offline Posts: 62
Posted: 27 November 2008 at 4:55am
@fl3a:
Hi, I'm currently building a generic method for finding rootkit processes which use their own implementation of a thread/process scheduler, such as phide_ex and Metraton's private PoC rootkit. I couldn't talk much about the method, but I think it will detect some of the hidden rootkit processes, even if it's private like Metraton's ;)

In this beta version, the main improvements over other ARKs are heavily put in hidden driver object (System Modules tab) and code hooking detection. For hidden driver detection, you can test it with some pretty well hidden driver PoCs such as phide_ex and many builds of Rustock.B variants, although you have to use the "Hardcore Scan" method to detect them. For code hooking detection, the engine walks all the branches of the scanned module, i.e. any execution path of it, to detect modification (btw, that's why I call it CodeWalker). IMHO, it can detect code hooking very well, especially with rootkits that place abnormal hooks like Rustock.C (FF25 & FF15 - jmp/call dword ptr [abc]), though there are still some problems with false-positive hooks/modifications.

@Metraton:
Hi, thanks for being one of my beta testers :) Glad to know it couldn't detect your rk like other ARKs out there, because it doesn't have a specific "weird" thread/process scheduler detector like the above-mentioned one. BTW, I would like to know which features you think I can add to this tool also :) Thanks in advance.

@Vetinari:
I can assure you that this is just a false positive of Avira ;) This is just because my tool uses some techniques which easily flag anti-malware heuristic scanners. You can use this tool w/o being afraid of being "infected" with anything :)

Edited by thug4lif3 - 27 November 2008 at 5:10am
stay hungry, stay foolish.
CodeWalker AntiRootkit: http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar
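Added example, not CodeWalker's code nor anything posted by its author: a toy version of the "walk every execution path of the module and flag FF15/FF25 indirect transfers" idea described in the post above, run over a constructed 32-bit code blob. The heuristic that a `call/jmp dword ptr [slot]` is suspicious when the slot lies outside the module's own image (so it cannot be one of its import-table entries), the base address and the bytes are all assumptions made here for illustration.

```python
import struct

def walk_module(code, base, image_size, entry):
    """Follow every execution path reachable from `entry` through a small x86-32
    opcode subset and return addresses of call/jmp dword ptr [abs] (FF15/FF25)
    whose pointer slot lies outside [base, base+image_size) (assumed abnormal)."""
    image_end = base + image_size
    seen, work, flagged = set(), [entry], []
    while work:
        pc = work.pop()
        while pc not in seen and base <= pc < base + len(code):
            seen.add(pc)
            off = pc - base
            op = code[off]
            if op == 0xC3:                                   # ret: this path ends
                break
            elif op in (0xE8, 0xE9, 0xEB) or 0x70 <= op <= 0x7F:   # call / jmp / jcc
                size = 5 if op in (0xE8, 0xE9) else 2
                fmt = "<i" if size == 5 else "<b"
                target = pc + size + struct.unpack_from(fmt, code, off + 1)[0]
                if op in (0xE9, 0xEB):                       # unconditional jmp: redirect path
                    pc = target
                else:                                        # call / jcc: walk target, then continue
                    work.append(target)
                    pc += size
            elif op == 0xFF and code[off + 1] in (0x15, 0x25):
                slot = struct.unpack_from("<I", code, off + 2)[0]
                if not base <= slot < image_end:             # slot outside own image: hook pattern
                    flagged.append(pc)
                if code[off + 1] == 0x15:                    # call [abs]: fall through
                    pc += 6
                else:                                        # jmp [abs]: path leaves the module
                    break
            else:                                            # opcode not modelled: stop (no guessing)
                break
    return sorted(flagged)

BASE = 0x00400000                         # constructed module base, not a real image
CODE = bytes([
    0xE8, 0x07, 0x00, 0x00, 0x00,         # 400000: call 40000C
    0xFF, 0x15, 0x20, 0x00, 0x40, 0x00,   # 400005: call [400020]  slot inside image (IAT-like): fine
    0xC3,                                 # 40000B: ret
    0x75, 0x01,                           # 40000C: jne 40000F
    0xC3,                                 # 40000E: ret
    0xFF, 0x25, 0x00, 0x10, 0x80, 0xF8,   # 40000F: jmp [F8801000]  slot outside image: flagged
])

def scan_demo():
    return walk_module(CODE, BASE, 0x1000, BASE)   # -> [0x40000F]
```

Only the conditional branch reaches the flagged transfer, which is why a linear sweep from the entry point would not be enough and the walker has to follow both edges of the `jne`.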
Vetinari
Newbie
Joined: 20 July 2008 Online Status: Offline Posts: 11
Posted: 27 November 2008 at 12:43am
Avira flags your tool as a trojan... :\
Metraton
Newbie
Joined: 14 October 2008 Location: Italy Online Status: Offline Posts: 15
Posted: 25 November 2008 at 10:39pm
@fl3a:
Hello,
I've tested the PoC and it is invisible.
@thug4lif3:
Imho very effective, but you must add a few more features.

Edited by Metraton - 25 November 2008 at 10:48pm
A. Einstein: "Everyone knows that something is impossible to do, until some clueless person who doesn't know that comes along and invents it."
fl3a
Groupie
Joined: 12 October 2006 Online Status: Offline Posts: 82
Posted: 25 November 2008 at 5:04pm
Hi thug4lif3,
I've tested CodeWalker with BadRkDemo, Unreal.A and phide_ex; it works fine. Did you implement something new, like detection of threads/processes hidden by means of their own scheduler? Could you tell us which parts of the detection are improved?
@Metraton did you test it with your PoC rootkit?
thug4lif3
Groupie
Joined: 05 August 2008 Location: Vietnam Online Status: Offline Posts: 62
Posted: 21 November 2008 at 2:45am
@GamingMasteR &
In the next build I will try to limit the false-positive kernel code modifications to a lower rate. Thanks ;)

@redhawk: I'll fix these bugs soon. Maybe it's because of GUI bugs.

@controler: Yes, VirusTotal always flags "rootkit tool" for programs which drop and load a driver. Anyway, it's an anti-"rootkit tool", right :D? I will upload the new build ASAP. Thank you.

Edited by thug4lif3 - 21 November 2008 at 2:49am
stay hungry, stay foolish.
CodeWalker AntiRootkit: http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar
controler
Senior Member
Joined: 01 October 2006 Online Status: Offline Posts: 222
Posted: 20 November 2008 at 11:40pm
VirusTotal is flagging it as a rootkit tool.
No BSODs at least.

Edited by controler - 20 November 2008 at 11:41pm
redhawk
Moderator Group
Joined: 14 September 2005 Location: United Kingdom Online Status: Offline Posts: 1220
Posted: 20 November 2008 at 8:29pm
Scanning memory, then Windows locks up 100% after a few seconds; only the mouse moves.
Tested on XP Pro SP2, with no SSDT hooks, AV or firewall software installed.

Richard S.
GamingMasteR
Senior Member
Joined: 10 August 2008 Online Status: Offline Posts: 210
Posted: 20 November 2008 at 4:42pm
Many false results in kernel code hooks.
thug4lif3
Groupie
Joined: 05 August 2008 Location: Vietnam Online Status: Offline Posts: 62
Posted: 20 November 2008 at 8:52am
Up.
I'm waiting for feedback :)

+FIX:
- fix bug in initializing & acquiring ERESOURCE

Edited by thug4lif3 - 20 November 2008 at 8:55am
stay hungry, stay foolish.
CodeWalker AntiRootkit: http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar