Sysinternals Homepage
Forum Home Forum Home > Windows Discussions > Malware
  New Posts New Posts RSS Feed: phide_ex -untimate process hiding example
  FAQ FAQ  Forum Search   Calendar   Register Register  Login Login

phide_ex -untimate process hiding example
 Post Reply Post Reply Page  123 6>
Author
Message Reverse Sort Order
  Share Topic Share Topic  Topic Search Topic Search  Topic Options Topic Options
Diablo View Drop Down
Senior Member
Senior Member
Avatar

Joined: 16 July 2008
Location: Western Sahara
Online Status: Offline
Posts: 251 		Post Options Post Options   Quote Diablo Quote  Post ReplyReply Direct Link To This Post Topic: phide_ex -untimate process hiding example
    Posted: 01 August 2008 at 6:30am
does current RKU incorporate both pwalker and csrwalker?

Not yet. Future version will incorporate pwalker methods. Csrwalker provides too limited information about hidden stuff, it can't be incorporated in RKU.
Back to Top
coconut View Drop Down
Senior Member
Senior Member


Joined: 05 January 2007
Online Status: Offline
Posts: 557 		Post Options Post Options   Quote coconut Quote  Post ReplyReply Direct Link To This Post Posted: 31 July 2008 at 8:33pm
yes i remember using it well. does current RKU incorporate both pwalker and csrwalker? and thanks for your efforts into these tools
Back to Top
Diablo View Drop Down
Senior Member
Senior Member
Avatar

Joined: 16 July 2008
Location: Western Sahara
Online Status: Offline
Posts: 251 		Post Options Post Options   Quote Diablo Quote  Post ReplyReply Direct Link To This Post Posted: 31 July 2008 at 6:24pm
Yes. It provides much more information about processes it detects. It's quite old program, first release 1st page of this thread.
Back to Top
coconut View Drop Down
Senior Member
Senior Member


Joined: 05 January 2007
Online Status: Offline
Posts: 557 		Post Options Post Options   Quote coconut Quote  Post ReplyReply Direct Link To This Post Posted: 31 July 2008 at 6:20pm

does this differ completely in terms of detection from your csrwalker?
Back to Top
Diablo View Drop Down
Senior Member
Senior Member
Avatar

Joined: 16 July 2008
Location: Western Sahara
Online Status: Offline
Posts: 251 		Post Options Post Options   Quote Diablo Quote  Post ReplyReply Direct Link To This Post Posted: 31 July 2008 at 5:31pm
I'm rising this apparently dead thread only to notify those who interested that we updated Process Walker to v1.08.

Added full support of the Windows 2000 (mostly related to scheduler lists, and process name obtain method)

Added full support of the Windows 2003 all SP's (schedulers list scanning)

Added support of the Windows 2008
Added full support of the Windows Vista all SP's
(handle table / scheduler lists scanning)

Fixed: few possibilities of BSOD while using previous versions.

There is nothing 0day in this software, so we decided to publish it for everybody. We tested it with most of available PoC's and it was able to uncover them all

This version contains more stable code, however since this is antirootkit (even if it more looks like PoC), it is always will be small possibility of Blue Screen Of Death etc

MD5 for files in the archive
e7e2e11844eb98d004a761d92fb9e31d *pwalker.exe
fb49d5793b77c61ab30feb39fc1db7dc *pwalker.sys
cb8c51c6c38d33e299d6e308a903c448 *readme.txt

D/L
Back to Top
EP_X0FF View Drop Down
Senior Member
Senior Member
Avatar

Joined: 08 March 2006
Location: Russian Federation
Online Status: Offline
Posts: 4753 		Post Options Post Options   Quote EP_X0FF Quote  Post ReplyReply Direct Link To This Post Posted: 15 December 2006 at 10:33am
Hi, controler.

Those videos about Rustock behaviour. Rustock no need process to run. It is fully kernel mode rootkit.

If that were the case why would phide_ex use a "hidden process" & driver?


Because it is technological demo, that was intended to show how weak in reality all of available currently rootkit detectors. Only GMER/Process Walker/RKU can detect it process. I not mentioned HIPS like SSM because they are not detectors. It is only demo not fully functional rootkit. But it's most impressive demo-rootkit that available now.

Not so long time ago I found that DrWeb v4.33 recognized phide_ex as Trojan.Phide. It is nonsense for me.

Edited by EP_X0FF - 15 December 2006 at 10:34am
Ring0 - the source of inspiration
Back to Top
controler View Drop Down
Senior Member
Senior Member


Joined: 01 October 2006
Online Status: Offline
Posts: 222 		Post Options Post Options   Quote controler Quote  Post ReplyReply Direct Link To This Post Posted: 15 December 2006 at 10:22am


Saso, Thanks for the links


I did not see EP_XOFF and MP_ART mentioned in those videos or even phide_ex. Old video huh? LOL

Did I hear the dude in the second video right when he says rustok B has no process to hide but rather the main code runs from the kernel mode driver.
The user-mode component runs injected as a thread into services.exe but hooks no system calls from services.exe.

If that were the case why would phide_ex use a "hidden process" & driver?
Is it not a good idea to use a hidden process or are you saying it is ideal to use a better hidden process?



Edited by controler - 15 December 2006 at 10:24am
Back to Top
SpannerITWks View Drop Down
Senior Member
Senior Member
Avatar

Joined: 14 August 2005
Location: United Kingdom
Online Status: Offline
Posts: 896 		Post Options Post Options   Quote SpannerITWks Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2006 at 6:17pm

saso

Nice links Thanx !

Spanner
Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
Back to Top
saso View Drop Down
Groupie
Groupie


Joined: 10 August 2006
Location: Slovenia
Online Status: Offline
Posts: 96 		Post Options Post Options   Quote saso Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2006 at 10:48am
Symantec about Rustock

blog annoucement
    general page about handling today's though security threats
        webcast 1
        webcast 2




Edited by saso - 14 December 2006 at 10:53am
Back to Top
EP_X0FF View Drop Down
Senior Member
Senior Member
Avatar

Joined: 08 March 2006
Location: Russian Federation
Online Status: Offline
Posts: 4753 		Post Options Post Options   Quote EP_X0FF Quote  Post ReplyReply Direct Link To This Post Posted: 13 December 2006 at 6:39am
Hi, steely.

Good to see you here again. I don't know about wpyung's issue. It could be new malware, or something well known. I don't think that this is Rustock.B.

The latest version of RKU is 3.0 RC3.
Ring0 - the source of inspiration
Back to Top
 Post Reply Post Reply Page  123 6>

Forum Jump Forum Permissions View Drop Down