RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich.

RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP (32-bit) and Windows Server 2003 (32-bit), and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys.

The term rootkit describes the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempts to hide its presence from spyware blockers, antivirus, and system management utilities. A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention. Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

A user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results containing entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove those entries.

Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes.
Since process management APIs rely on the contents of that list, the malware process will not be displayed in process management tools like Task Manager or Process Explorer.

Because persistent rootkits work by changing API results so that the system view obtained through the APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with those at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format).

Is there any alternative RootkitRevealer version for 64-bit systems or Windows Vista or Windows 7?

There is not. RootkitRevealer is a Sysinternals product, and the Sysinternals name was bought by Microsoft. No 64-bit version is available today.