GMER
GMER is an application that detects and removes rootkits.
It scans for:
- hidden processes
- hidden threads
- hidden modules
- hidden services
- hidden files
- hidden Alternate Data Streams
- hidden registry keys
- drivers hooking SSDT
- drivers hooking IDT
- drivers hooking IRP calls
- inline hooks
http://www2.gmer.net/gmer.jpg
GMER runs on Windows NT/W2K/XP/VISTA
You can download GMER here.
Please see my FAQ section and feel free to send me any comments here.
Download: the latest version of GMER is 1.0.15.15011
GMER runs only on Windows NT/W2K/XP/VISTA
GMER application: (download button) or ZIP archive: gmer.zip ( 284kB )
It's recommended to download the randomly named EXE (click the button above) because some malware won't let gmer.exe launch.
Userland rootkit detector: catchme.exe ( 25kB )
MBR rootkit detector: mbr.exe ( 70kB )
Example of rootkit scanning and removal: gmer.wmv ( 87kB, Windows Media Video 9 codec )
Sample of undetectable rootkit: test.wmv ( 950kB, Windows Media Video 9 codec )
Gromozon rootkit unhooking: gromozon.wmv ( 0,6MB, Windows Media Video 9 codec )
Log samples: Rustock.B, Gromozon, Haxdoor, hxdef, BadRKDemo
IceSword + DarkSpy + GMER + pe386 rootkit: pe386.wmv ( 0,5MB, Windows Media Video 9 codec )
Thanks to: MR Team, CastleCops, ...
Version History:
This is the list of changes for each release of GMER:
1.0.15 - Changed installation method
- Improved files scanning
- Improved kernel & user mode code sections scanning
1.0.14 - Improved files scanning
- Improved registry scanning
- Improved "delete file" function
- Added disk browser
- Added registry browser and editor
- Added registry exports
- Added "Kill file" and "Disable service" options to help remove stubborn malware
- Added new option "gmer.exe -nodriver"
- Added new option "gmer.exe -killfile"
gmer.exe -killfile C:\WINDOWS\system32\drivers\runtime2.sys
gmer.exe -killfile C:\WINDOWS\system32:pe386.sys
- Simplified displaying of device hooks
- Added detection and removal of MBR rootkit
1.0.13 - Added kernel & user IAT hooks detection
- Added AttachedDevice hooks detection
- Added detection of hooks outside code sections
- Added button "Save ..." log
1.0.12 - Added kernel & user mode code sections scanning ( inline hooks )
- Added code restoring
- Improved "GMER Safe Mode"
- Improved hidden process scanning
1.0.11 - Added "Simple mode"
- Added threads tab
- Added hidden Alternate Data Stream ( NTFS Stream ) scanning
- Added hidden threads scanning
- Improved hidden process scanning
- Improved hidden modules scanning
- Improved hidden files scanning
- Fixed devices scanning
1.0.10 - English version
- Improved process monitoring
- Added Autostart tab
- Added "GMER Safe Mode"
- Added "Files" window
- Added full path of process
- Added loaded libraries
- Added hidden libraries scanning
1.0.9 - Improved hidden services scanning.
- Improved ROOTKIT scanning.
- Improved "Kill all" and "Restart".
1.0.8 - Added hidden services scanning.
- Added hidden services deletion.
- Added hidden files deletion.
- Added restoring SSDT table.
- Added Interpretation of the rootkit scanning.
- Added CMD tab - executing shell commands
- Fixed showing registry keys
- Fixed tracing library loading.
1.0.7 - Improved hidden files scanning.
- Added "Services" tab.
1.0.6 - Fixed hidden registry keys scanning.
1.0.5 - Added online antivirus scanning.
- Fixed scanning of rootkits that hook devices' IRP calling
1.0.4 - Added rootkit scanning.
- Added loading devices monitoring.
1.0.3 - Added log.
- Fixed NTVDM.EXE tracing.
1.0.2 - Added processes tab
- Added "Kill all" function.
- Added "Shell" option in the "Process" section, that executes an application other than Explorer.exe
Shell=gmer.exe
1.0.1 - First release.
News
2009.03.08
New version 1.0.15.14878 has been released.
2008.03.30
ALWIL Software has released AVAST 4.8 containing anti-rootkit based on GMER technology.
2008.01.18
Version 1.0.14.14116 released.
2008.01.02
Stealth MBR rootkit found in the wild!
You can read about it here: [1], [2]
2007.06.26
Version 1.0.13.12540 released.
2007.03.14
Just another DDoS story - One Person's Perspective by Paul Laudanski
"... Around the middle of February 2007, CastleCops itself became the target of a large scale DDoS. Not new to this kind of attack, it is the first time CastleCops experienced such a large throughput at nearly 1Gbit/s ..."
2007.03.09
Andy Manchesta added catchme into SDFix tool.
2007.02.26
Thanks to Marco Giuliani for preparing the Italian version of the help!
http://www.pcalsicuro.com/main/2007/02/guida-a-gmer/
2007.02.21
New version of catchme with Windows Vista support released.
Catchme has been integrated with combofix developed by sUBs. Keep up the good fight, sUBs!
2007.01.20
After over a month of fighting, my web page is up and running.
Thank you Paul Vixie and ISC, Matt Jonkman, guys from register.com, MR Team and everyone who helped me.
Special thanks to Paul Laudanski who won this battle.
You can read about it here: [1], [2]
2006.12.13
My domain was DDoS-ed for the first time.
2006.12.06
I developed a sample rootkit "test.sys" which hides its file from all public rootkit detectors:
BlackLight, Sophos ARK, RootkitRevealer, IceSword, DarkSpy, SVV, ... GMER
The rootkit doesn't create hooks ( SSDT, IRP, SYSENTER, IDT, inline, FSF ) and its modifications are not visible.
You can see it in action in these movies: test.wmv, test2.wmv ( 0.9MB, 0.7MB Windows Media Video 9 codec ).
The detection of this type of rootkit will be added into the next version.
2006.11.28
Version 1.0.12.12011.
2006.10.17
New tool - catchme released.
FAQ
Frequently Asked Questions
Question: Do I have a rootkit?
Answer: You can scan the system for rootkits using GMER. Run gmer.exe, select the Rootkit tab and click the "Scan" button.
If you don't know how to interpret the output, please save the log and send it to my email address.
Warning! Please do not select the "Show all" checkbox during the scan.
Question: How do I install the GMER software?
Answer: Just run gmer.exe. All required files will be copied to the system during the first launch.
Question: My computer is infected and GMER won't start.
Answer: Try to rename gmer.exe to test.exe and click test.exe.
Question: How do I remove the Rustock rootkit?
Answer: When GMER detects a hidden service, click "Delete the service" and answer YES to all questions.
http://www2.gmer.net/rustock.jpg
Question: How do I show all NTFS Streams?
Answer: On the "Rootkit" tab select only the Files + ADS + Show all options and then click the Scan button.
Question: Can I launch GMER in Safe Mode?
Answer: Yes, you can launch GMER in Safe Mode; however, rootkits which don't work in Safe Mode won't be detected.
Question: I am confused as to whether to use "delete" or "disable" on the hidden "service".
Answer: Sometimes the "delete the service" option won't work because the rootkit protects its service. In such a case use: 1) "disable the service", 2) reboot your machine, and 3) "delete the service".
Used it for a while, then deleted it; didn't really use it much!
Heh, for me, IceSword plus RKUnhooker is pretty much enough!
Is this the one made by the Polish guy?
It has never run normally for me; it either blue-screens or freezes.
GMER is really powerful; it was the only one that found Conficker's hidden service.... Respect....
Hmily posted on 2009-3-31 16:25
狙剑 works too
狙剑 works too
vistalong posted on 2009-4-1 00:38
狙剑 blue-screens every time I use it, so I don't dare use it anymore.... It feels too cumbersome....
Use the domestic 狙剑, it works great!
1.0.15 - Changed installation method
- Improved files scanning
- Improved kernel & user mode code sections scanning
No Chinese documentation.