CMC CodeWalker: Rootkits Detector
Hi all,
I've developed an anti-rootkit tool called CodeWalker which can:
+ Detect hidden processes
+ Detect hidden drivers
+ Detect hidden files (NTFS only)
+ Detect hooks in both kernel mode and user mode
+ Run on English-language Windows 2000/XP/2003/Vista/2008
The tool is currently in beta, and I'm looking for people to test it. I've already tested it against all the rootkit samples I have, and its detection rate looks promising. It would be great if you could test it against your rootkit zoo and post the results you get with the tool. If there is a BSOD (of course, you can never write a bug-free program, right? :P), I would very much appreciate it if you could upload the minidumps to help me fix the tool. Thanks in advance.
I will update this tool frequently with new detection methods, bug fixes, etc. All suggestions, bug reports and minidumps are welcome.
In this beta version, the main improvements over other ARKs are in hidden driver object detection (System Modules tab) and code hook detection.
For hidden driver detection, you can test it against some pretty well-hidden driver PoCs such as phide_ex and many builds of the Rustock.B variants, although you have to use the "Hardcore Scan" method to detect them.
For code hook detection, the engine walks all the branches of the scanned module, i.e. every execution path through it, to detect modifications (by the way, that is why I call it CodeWalker). IMHO it detects code hooks very well, especially with rootkits that place abnormal hooks, although there are false-positive detections.
Here's the tool: https://www.rootkit.com/vault/thug4lif3/cmcark_cw.0.2.2.9.12.rar
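To make the "walk every branch of the module" idea concrete, here is an added example (not CodeWalker's engine, and not code from the post's author): a toy x86-32 branch walker in C. It decodes a copy of a module's code section, follows every direct branch it can reach from the given entry points, and reports any branch whose target lies outside the module, which is what an inline jmp/call detour looks like. The module layout, the names `module_t`, `hook_t`, `decode`, `walk`, `run_sample`, the base address 0x00401000 and the sample bytes are all constructed for illustration; a real engine needs a full instruction decoder, a way to resolve indirect branches, and a comparison against the on-disk image to tell a detour from a legitimate cross-module call.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CodeWalker's code: a toy x86-32 "branch walker" that
 * follows every reachable execution path through a copy of a module's code
 * section and reports branches whose target lies outside the module (the
 * signature of an inline jmp/call detour). Names and sample bytes are
 * constructed for illustration. */

#define CODE_MAX 4096

typedef struct {
    const uint8_t *code;   /* bytes of the module's code section */
    uint32_t base;         /* virtual address that code[0] is mapped at */
    uint32_t size;         /* number of bytes in code */
} module_t;

typedef struct {
    uint32_t from;         /* address of the branch instruction */
    uint32_t to;           /* its target, which is outside the module */
} hook_t;

/* Decode the instruction at `off`. Returns its length, or 0 for an opcode this
 * toy decoder does not know (the walker abandons that path). *has_target/*target
 * describe a direct branch; *falls says whether execution can continue after it. */
static uint32_t decode(const module_t *m, uint32_t off,
                       int *has_target, uint32_t *target, int *falls)
{
    const uint8_t *p = m->code + off;
    uint32_t rem = m->size - off, va = m->base + off;
    int32_t rel;

    *has_target = 0; *target = 0; *falls = 1;
    if (rem >= 5 && (p[0] == 0xE8 || p[0] == 0xE9)) {             /* call/jmp rel32 */
        memcpy(&rel, p + 1, 4);
        *has_target = 1; *target = va + 5 + (uint32_t)rel;
        *falls = (p[0] == 0xE8);                                  /* only call comes back */
        return 5;
    }
    if (rem >= 2 && (p[0] == 0xEB || (p[0] >= 0x70 && p[0] <= 0x7F))) { /* jmp/jcc rel8 */
        *has_target = 1; *target = va + 2 + (uint32_t)(int8_t)p[1];
        *falls = (p[0] != 0xEB);
        return 2;
    }
    if (rem >= 6 && p[0] == 0x0F && p[1] >= 0x80 && p[1] <= 0x8F) { /* jcc rel32 */
        memcpy(&rel, p + 2, 4);
        *has_target = 1; *target = va + 6 + (uint32_t)rel;
        return 6;
    }
    if (rem >= 6 && p[0] == 0xFF && p[1] == 0x25) { *falls = 0; return 6; } /* jmp [abs32]: indirect, left unresolved */
    if (p[0] == 0xC3) { *falls = 0; return 1; }                            /* ret */
    if (p[0] == 0x90 || (p[0] >= 0x50 && p[0] <= 0x5F)) return 1;          /* nop, push/pop r32 */
    if (rem >= 2 && (p[0] == 0x33 || p[0] == 0x8B || p[0] == 0x89 || p[0] == 0x3B)
        && (p[1] & 0xC0) == 0xC0) return 2;                                /* xor/mov/cmp r32,r32 */
    if (rem >= 5 && (p[0] == 0x68 || (p[0] >= 0xB8 && p[0] <= 0xBF))) return 5; /* push imm32, mov r32,imm32 */
    return 0;
}

/* Depth-first walk from each entry point; every branch target inside the module is
 * queued and walked too, so a detour placed deep inside a function is still reached.
 * Returns the number of out-of-module branches (stores at most max_out of them). */
static size_t walk(const module_t *m, const uint32_t *entries, size_t nentries,
                   hook_t *out, size_t max_out)
{
    uint8_t visited[CODE_MAX];            /* instruction starts already decoded */
    uint32_t work[CODE_MAX];              /* offsets still to walk */
    size_t sp = 0, nhooks = 0, i;

    if (m->size > CODE_MAX) return 0;
    memset(visited, 0, sizeof visited);
    for (i = nentries; i > 0; i--)        /* pushed in reverse so entries[0] is walked first */
        work[sp++] = entries[i - 1] - m->base;

    while (sp > 0) {
        uint32_t off = work[--sp];
        while (off < m->size && !visited[off]) {
            int has_target, falls; uint32_t target, len;
            visited[off] = 1;
            len = decode(m, off, &has_target, &target, &falls);
            if (len == 0) break;                                  /* unknown opcode: stop this path */
            if (has_target) {
                if (target < m->base || target >= m->base + m->size) {
                    if (nhooks < max_out) { out[nhooks].from = m->base + off; out[nhooks].to = target; }
                    nhooks++;                                     /* branch leaves the module: flag it */
                } else if (sp < CODE_MAX) {
                    work[sp++] = target - m->base;                /* in-module branch: walk it later */
                }
            }
            if (!falls) break;
            off += len;
        }
    }
    return nhooks;
}

/* Constructed sample code section at 0x00401000: function A at +0x00 has its prologue
 * overwritten by "jmp 0x7FFE0000"; function B at +0x08 calls function C at +0x18, whose
 * jz leads to a "jmp 0x0BADC0DE" that a linear prologue check would never look at. */
static const uint8_t sample_code[] = {
    /* 00 */ 0xE9, 0xFB, 0xEF, 0xBD, 0x7F,   /* jmp 0x7FFE0000  (inline hook on A's entry) */
    /* 05 */ 0x90, 0x5D, 0xC3,               /* nop; pop ebp; ret */
    /* 08 */ 0x55, 0x8B, 0xEC,               /* B: push ebp; mov ebp,esp */
    /* 0B */ 0x33, 0xC0,                     /* xor eax,eax */
    /* 0D */ 0x75, 0x05,                     /* jnz +5 -> 0x14 */
    /* 0F */ 0xE8, 0x04, 0x00, 0x00, 0x00,   /* call +4 -> 0x18 (C) */
    /* 14 */ 0x5D, 0xC3, 0xCC, 0xCC,         /* pop ebp; ret; padding */
    /* 18 */ 0x55, 0x8B, 0xEC,               /* C: push ebp; mov ebp,esp */
    /* 1B */ 0x74, 0x03,                     /* jz +3 -> 0x20 */
    /* 1D */ 0x5D, 0xC3, 0xCC,               /* pop ebp; ret; padding */
    /* 20 */ 0xE9, 0xB9, 0xB0, 0x6D, 0x0B,   /* jmp 0x0BADC0DE  (detour reached only via the jz) */
};

size_t run_sample(hook_t *out, size_t max_out)
{
    module_t m = { sample_code, 0x00401000u, (uint32_t)sizeof sample_code };
    uint32_t entries[] = { 0x00401000u, 0x00401008u };   /* A and B are the "exports" */
    return walk(&m, entries, 2, out, max_out);
}

int main(void)
{
    hook_t hooks[16];
    size_t n = run_sample(hooks, 16), i;
    for (i = 0; i < n && i < 16; i++)
        printf("branch at %08X leaves the module -> %08X\n",
               (unsigned)hooks[i].from, (unsigned)hooks[i].to);
    printf("%u suspicious branch(es)\n", (unsigned)n);
    return 0;
}
```

The walker reports both detours: the one on A's first bytes, which any prologue checker finds, and the one in C that is only reached by following B's call and then C's conditional jump. The same walk is also where the false positives the post mentions come from: a legitimate call into another module (an import thunk, a compiler helper in a different DLL) leaves the module just like a detour does, so a real scanner has to whitelist import and export targets or diff against the file on disk before raising an alert.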
I ran a scan and it didn't seem to find anything; did I misunderstand what it does?
This scans for hidden files, such as trojans; only things that are hidden get picked up~
I've used this one and didn't feel it was any different from the others.
Let's see what it's actually for.
Alternate data streams? Or files only hidden by the system's hidden attribute?
Can it identify trojans?