Sysinternals Forum: Windows Discussions > Malware
Unreal: Rootkit Detectors / Bypassing

fl3a (Groupie, joined 12 October 2006, 82 posts)
Posted: 09 November 2008 at 3:22pm
Metatron, did you see the last article posted on rootkit.com? I suppose the method you used to hide SSDT modifications is described there...
USForce (Senior Member, joined 26 October 2007, United States, 150 posts)
Posted: 08 November 2008 at 5:36pm
Originally posted by thug4lif3:
    well, IMHO the game is only 100% fair in two cases:

    - private rks vs. private detectors.
    - public rks vs. public detectors.

    As long as the rk stays private, it can be a phantom to most arks.

100% agree
thug4lif3 (Groupie, joined 05 August 2008, Vietnam, 62 posts)
Posted: 08 November 2008 at 5:07pm
well, IMHO the game is only 100% fair in two cases:

- private rks vs. private detectors.
- public rks vs. public detectors.

As long as the rk stays private, it can be a phantom to most arks.

stay hungry, stay foolish.

CodeWalker AntiRootkit:
http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar
SystemPro (Senior Member, joined 26 April 2007, Germany, 504 posts)
Posted: 07 November 2008 at 1:04pm
I have a PRIVATE RK detector also, which is probably able to detect Metatron's RK (Process). And probably we are not the only ones who have our own private detectors able to detect Metatron's RK, but I think Metatron's goal was to show everyone that all public ARKs are defeated (only) and that's all...
I think so. Btw, meta, your emotional failure is not reasonable to me.
Concentrate on your strengths.
USForce (Senior Member, joined 26 October 2007, United States, 150 posts)
Posted: 07 November 2008 at 12:31pm
Originally posted by Metraton:
    @USForce:
    Why not publish your ark? Wink

Why don't you publish your rk? LOL
fl3a (Groupie, joined 12 October 2006, 82 posts)
Posted: 07 November 2008 at 11:23am
OK. Now all is clear.

The tool I was talking about isn't a complete ARK. It is only a user Process/Thread detector, nothing special.
Metraton (Newbie, joined 14 October 2008, Italy, 15 posts)
Posted: 07 November 2008 at 11:13am
@fl3a:
"I thought that you are hiding user process what is extremely difficult and stupid (practiced by malware)"
I used this technique only in the first version, but, as you rightly say, it is an obsolete technique.

"it should include a thread object (should hide), doesn't it?"
Yes, it is...
What kind of hidden objects can your ark see? (Process, Drivers, SSDT, Stealth Code, Code Hooks, etc.)

A. Einstein: "Everyone knows that something is impossible to do, until someone who doesn't know that comes along and invents it."
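The thread keeps referring to two kinds of hidden object an anti-rootkit tool (ARK) is expected to report: modified SSDT entries (fl3a's first post) and hidden process/thread objects (Metraton's question above). The following is an added example of the simplest SSDT consistency check an ARK performs; it is not code from this thread, from CodeWalker, or from any other tool named here. It models a 32-bit kernel as a list of module address ranges and audits a snapshot of the system service table two ways: a range check (does each handler address fall inside the kernel image?) and a reference comparison (does it match a known-good copy of the table?). Every module name, base address, size, service index and handler address below is a constructed value, and the module `hypothetical.sys` is a hypothetical name; on a real system these come from the running kernel, not from literals.

```python
"""Toy SSDT audit: range check versus reference comparison.

Added example, not from the forum thread. All addresses, sizes, service
indices and module names are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

KERNEL = "ntoskrnl.exe"


@dataclass(frozen=True)
class Module:
    """A loaded kernel image described by its virtual address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module list (values are hypothetical, not real bases).
MODULES: List[Module] = [
    Module(KERNEL, 0x804D7000, 0x1F8000),
    Module("hypothetical.sys", 0xF7A00000, 0x10000),  # constructed third-party driver
]

# Constructed known-good table: service index -> expected handler address.
# A real ARK derives this from the on-disk kernel image, not from literals.
REFERENCE: Dict[int, int] = {
    0x10: 0x80580000,
    0x11: 0x80581200,
    0x12: 0x80582400,
    0x13: 0x80583600,
}

# Constructed live snapshot of the same four entries:
#   0x10 unchanged; 0x11 points into another driver; 0x12 points at an
#   address no loaded module backs; 0x13 still lies inside the kernel image
#   but no longer matches the reference.
LIVE: Dict[int, int] = {
    0x10: 0x80580000,
    0x11: 0xF7A01000,
    0x12: 0x00401000,
    0x13: 0x80590000,
}


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Return the name of the module whose range contains addr, or None."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None


def range_only_suspects(live: Dict[int, int], modules: List[Module],
                        kernel: str = KERNEL) -> Set[int]:
    """Heuristic most basic ARKs start with: flag entries outside the kernel image."""
    return {idx for idx, addr in live.items() if owner_of(addr, modules) != kernel}


def audit_ssdt(live: Dict[int, int], reference: Dict[int, int],
               modules: List[Module],
               kernel: str = KERNEL) -> Dict[int, Tuple[str, Optional[str]]]:
    """Classify each live entry as ok / foreign-module / unbacked / modified-in-kernel.

    The reference comparison is what catches an entry the range check alone
    cannot assess, because it points somewhere inside the kernel image.
    """
    findings: Dict[int, Tuple[str, Optional[str]]] = {}
    for idx in sorted(live):
        addr = live[idx]
        owner = owner_of(addr, modules)
        if owner is None:
            verdict = "unbacked"
        elif owner != kernel:
            verdict = "foreign-module"
        elif idx in reference and reference[idx] != addr:
            verdict = "modified-in-kernel"
        else:
            verdict = "ok"
        findings[idx] = (verdict, owner)
    return findings


if __name__ == "__main__":
    print("range-only suspects:", sorted(hex(i) for i in range_only_suspects(LIVE, MODULES)))
    for idx, (verdict, owner) in audit_ssdt(LIVE, REFERENCE, MODULES).items():
        print(f"service {idx:#04x} -> {LIVE[idx]:#010x}  {verdict:<19} owner={owner}")
```

The two functions are deliberately kept apart so the difference is visible on the constructed input: the range check flags only entries 0x11 and 0x12, while the reference comparison also flags 0x13. That gap is one concrete reason the thread's argument holds, namely that a detector relying on a single view of the table is only as good as the assumptions baked into that view, and a private detector can add views a public one does not check.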
fl3a (Groupie, joined 12 October 2006, 82 posts)
Posted: 07 November 2008 at 10:48am
Originally posted by Metraton:
    @fl3a:
    My POC does not include a process (as Unreal teaches), so it does not hide one

But even if it doesn't include a process object (and doesn't hide one), it should include a thread object (which it should hide), shouldn't it? I thought that you were hiding a user process, which is extremely difficult and stupid (practiced by malware)...
Metraton (Newbie, joined 14 October 2008, Italy, 15 posts)
Posted: 07 November 2008 at 10:24am
@SystemPro:
"Okay, but you could create private builds that only work on computers with a special id.
The other possibility are nags to disable the chance of malicious use."
Wow... you are worse than St. Thomas LOL

@USForce:
Why not publish your ark? Wink

@fl3a:
My POC does not include a process (as Unreal teaches), so it does not hide one

A. Einstein: "Everyone knows that something is impossible to do, until someone who doesn't know that comes along and invents it."
fl3a (Groupie, joined 12 October 2006, 82 posts)
Posted: 07 November 2008 at 10:11am
Originally posted by USForce:
    As someone said, it can defeat all PUBLIC arks

    If Metraton is so kind as to send me this PoC, I can see if a private ark is able to detect it (of course I could post a video too)

I have a PRIVATE RK detector also, which is probably able to detect Metatron's RK (Process). And probably we are not the only ones who have our own private detectors able to detect Metatron's RK, but I think Metatron's goal was to show everyone that all public ARKs are defeated (only) and that's all...