Sysinternals Forum: Windows Discussions > Malware

Unreal: Rootkit Detectors / Bypassing

Metraton (Newbie; Italy; joined 14 October 2008; 15 posts)
Posted: 06 November 2008 at 5:34pm

@SystemPro:

*) GD are the initials of my real name
*) Can you give me the names in your ARK list? Thanks.
OK, next time I'll test it with DSE, and with your entire list of ARKs.
 
@fl3a:
Hello,
The technique used in my ark to hide its driver is not used in any other ark; it isn't yet a documented method. I've also used an undocumented method to hide the SSDT modification...
I discovered that rku uses a very good method to find the modification of the kernel file name at runtime.
PSEUDOCODE (RING0 EXECUTION):
if (ControlRegister4->PAE == false)
    real image kernel name = "ntoskrnl.exe"
else
    real image kernel name = "ntkrnlpa.exe"
A. Einstein: "Everyone knows that something is impossible to do, until a fool comes along who doesn't know that and invents it."
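The CR4.PAE check that the post attributes to rku, written out as an added example (this is not code from the thread or from rku itself). It goes one step beyond the pseudocode above: besides mapping the PAE bit to the kernel image name, it compares that name with the kernel path a loaded-module list reports, which is the comparison a detector actually makes. CR4.PAE being bit 5 of CR4 is a documented fact; the function names, the sample CR4 values and the sample module paths are constructed for the example. Reading CR4 itself requires ring 0 (the __readcr4() intrinsic in a driver), so the value is passed in as a parameter here.

```c
/* Added example, not from the forum thread or from rku.
 * On 32-bit Windows the kernel image that is really running depends on
 * whether the processor was brought up with Physical Address Extension:
 *   CR4.PAE clear -> ntoskrnl.exe
 *   CR4.PAE set   -> ntkrnlpa.exe
 * A detector reads CR4 in ring 0 and compares the name it implies with the
 * name the loaded-module list reports for the kernel; a mismatch means one
 * of the two views has been tampered with.  CR4 is a parameter here because
 * it can only be read from ring 0 (__readcr4() in a driver). */
#include <stdint.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define CR4_PAE (1u << 5)   /* bit 5 of CR4 is the PAE enable flag */

/* Kernel image name implied by the CR4 register value. */
const char *expected_kernel_image(uint32_t cr4)
{
    return (cr4 & CR4_PAE) ? "ntkrnlpa.exe" : "ntoskrnl.exe";
}

/* Case-insensitive compare; module lists may report mixed case. */
static int name_equals_icase(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Strip a leading path: "\SystemRoot\system32\ntkrnlpa.exe" -> "ntkrnlpa.exe". */
static const char *basename_win(const char *path)
{
    const char *p, *last = path;
    for (p = path; *p; p++)
        if (*p == '\\' || *p == '/')
            last = p + 1;
    return last;
}

/* Returns 1 if the reported kernel module name matches what CR4 implies,
 * 0 if it does not (the case a detector would flag). */
int kernel_name_consistent(uint32_t cr4, const char *reported_kernel_path)
{
    return name_equals_icase(expected_kernel_image(cr4),
                             basename_win(reported_kernel_path));
}

int main(void)
{
    /* Constructed sample values (hypothetical CR4 contents and paths);
     * a real detector gets CR4 from __readcr4() and the path from the
     * loaded-module list. */
    struct { uint32_t cr4; const char *path; } samples[] = {
        { 0x6f9u, "\\SystemRoot\\system32\\ntkrnlpa.exe" }, /* PAE set, consistent   */
        { 0x6f9u, "\\SystemRoot\\system32\\ntoskrnl.exe" }, /* PAE set, name is wrong */
        { 0x6d9u, "\\SystemRoot\\system32\\ntoskrnl.exe" }, /* PAE clear, consistent */
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("cr4=%#x reported=%s expected=%s -> %s\n",
               samples[i].cr4, samples[i].path,
               expected_kernel_image(samples[i].cr4),
               kernel_name_consistent(samples[i].cr4, samples[i].path)
                   ? "consistent" : "MISMATCH");
    return 0;
}
```

Two caveats for anyone reusing the idea: the name split only exists on 32-bit Windows of that era; on x64 PAE is always enabled and the kernel file is always ntoskrnl.exe, so a detector has to branch on architecture first. And the CR4 value must come from the detector's own ring-0 read, never from anything supplied by user mode, otherwise the check is only as trustworthy as the caller.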

SystemPro (Senior Member; Germany; joined 26 April 2007; 504 posts)
Posted: 06 November 2008 at 3:51pm
Originally posted by fl3a:
    @SystemPro
    Originally you can get phunter from: hxxp://www.wasm.ru/baixado.php?mode=tool&id=359 but if you are looking for an app with a nice GUI interface I suggest getting this: hxxp://www.anvir.com/downloads/secsuite.exe It uses the driver from phunter, but in the driver description we can find something like this: "Free Anti-Rootkit Tool", ver: "1.1.0.4". Nice, isn't it? What could they do without the phunter sources :D Another copy of copies.

Yeah, thanks fl3a. Unfortunately there's really a lot of plagiarism rising up. For all who don't know, Sysprot 1.0.7 is released. Sysprot 1.0.0.7

Originally posted by fl3a:
    Probably no-one will be interested in your rootkit as long as it remains a private PoC only.

Probably.

Originally posted by fl3a:
    As you showed in this video, your rootkit needs a system restart to work correctly.

That means: Ring0 Rootkit, driver-based.

@Metraton next time uninstall or unhook KIS2009 and use the whole ARK collection, not only 50%. I want to see it against DSE.

Edited by SystemPro - 06 November 2008 at 4:00pm
Concentrate on your strengths.

fl3a (Groupie; joined 12 October 2006; 82 posts)
Posted: 06 November 2008 at 3:42pm

Hi Metraton,

We can all see that your rootkit defeated all Process/Driver/SSDT detectors, but where have all the ARK authors gone? Probably they are waiting for another version of phunter/dhunter and so on. For a few months/years I haven't seen any new methods of rootkit detection. Lately most ARKs/AVs were focused on MBR rootkits only. It looks like all authors are waiting for new malware which will use an improved rootkit. Probably no-one will be interested in your rootkit as long as it remains a private PoC only.

As you showed in this video, your rootkit needs a system restart to work correctly. At the beginning, when you wrote about plans for driver hiding, I was sure you would use the technique presented in Unreal.A and Rustock.B to hide device and driver objects. But now I don't think you used this technique. Probably you "touched" other drivers... And the mysterious SSDT. There are plenty of ways to hide SSDT modifications.

@SystemPro
Originally you can get phunter from: hxxp://www.wasm.ru/baixado.php?mode=tool&id=359 but if you are looking for an app with a nice GUI interface I suggest getting this: hxxp://www.anvir.com/downloads/secsuite.exe It uses the driver from phunter, but in the driver description we can find something like this: "Free Anti-Rootkit Tool", ver: "1.1.0.4". Nice, isn't it? What could they do without the phunter sources :D Another copy of copies.

SystemPro (Senior Member; Germany; joined 26 April 2007; 504 posts)
Posted: 06 November 2008 at 10:11am
Thanks Meria for the link, btw empty your PM box.
Concentrate on your strengths.

SystemPro (Senior Member; Germany; joined 26 April 2007; 504 posts)
Posted: 06 November 2008 at 1:55am
Where can I get this phunter? It is missing from my nearly complete ARK collection.

GD stands for Global Descriptor?
Concentrate on your strengths.

Metraton (Newbie; Italy; joined 14 October 2008; 15 posts)
Posted: 05 November 2008 at 11:20pm
New test results here
A. Einstein: "Everyone knows that something is impossible to do, until a fool comes along who doesn't know that and invents it."

Metraton (Newbie; Italy; joined 14 October 2008; 15 posts)
Posted: 23 October 2008 at 11:55pm
Originally posted by thug4lif3:
    USForce:
    Metraton:
    Any progress on the hidden driver?

Hello thug4lif3, in a few days I'll post test results for detecting hidden process / hidden driver / hidden SSDT entry.
A. Einstein: "Everyone knows that something is impossible to do, until a fool comes along who doesn't know that and invents it."

thug4lif3 (Groupie; Vietnam; joined 05 August 2008; 62 posts)
Posted: 23 October 2008 at 3:28pm
USForce:
Metraton:
Any progress on the hidden driver?
stay hungry, stay foolish.

CodeWalker AntiRootkit:
http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar

USForce (Senior Member; United States; joined 26 October 2007; 150 posts)
Posted: 21 October 2008 at 1:31pm
I don't know why, but I feel like I know you. *embarrassed*

thug4lif3 (Groupie; Vietnam; joined 05 August 2008; 62 posts)
Posted: 21 October 2008 at 4:06am
Yeah, the age of hidden-process rootkits is long gone; injecting DLLs by queueing APCs is almost enough for all the functions malware writers wish for.
stay hungry, stay foolish.

CodeWalker AntiRootkit:
http://cmcinfosec.com/download/cmcark_cw0.2.4.500.rar