吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 7473|回复: 6
收起左侧

CMC CodeWalker: Rootkits Detector

[复制链接]
Hmily 发表于 2009-6-4 12:07
1.jpg

Hi all,

I've developed an antirootkit tool called CodeWalker which can:

+ Detect hidden processes
+ Detect hidden drivers
+ Detect hidden files (support NTFS only)
+ Detect hooks in both kernel mode and usermode.
+ Works on Windows English 2000/XP/2003/Vista/2008.

The tool is currently in beta stage and im looking for people for testing it. I've already tested it with all rootkits samples I have and its detection rate seems optimistic. I think it's very great if you guys test it against your rootkit zoo and provide the result you got with the tool. If there's BSOD (of cos, you can never write a bug free proggie, rite? :P), it would be very appreciated of you to upload minidumps to help me correct the tool. Thanks in advance.

I will update this tool frequently for new detection methods, bug fixs etc. Welcome for your all suggestions, bugs and minidumps

In this beta version, the main improves to other ark is heavily put in hidden driver object (System Modules tab) and code hooking detection.

For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the "Hardcore Scan" method to detect them.

For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that's why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks, although there're false-positive detections.


Here's the tool:
 https://www.rootkit.com/vault/thug4lif3/cmcark_cw.0.2.2.9.12.rar

CMC CodeWalker.0.2.2.9.12.part1.rar

824 KB, 下载次数: 7, 下载积分: 吾爱币 -1 CB

CMC CodeWalker.0.2.2.9.12.part2.rar

622.5 KB, 下载次数: 6, 下载积分: 吾爱币 -1 CB

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

wgz001 发表于 2009-6-4 12:34
扫了下  好像没扫出来  是不是我理解错了啊
QQ截图未命名1.jpg
QQ截图未命名.jpg
未命名2.jpg
 楼主| Hmily 发表于 2009-6-4 12:36
这个是扫隐藏文件的,比如木马什么的,被隐藏的才可以扫出来~
fireworld 发表于 2009-6-4 12:57
kinghtgg 发表于 2009-6-5 11:56
看看是干什么用的
fweiger 发表于 2010-12-23 21:08
文件流 ? 还是仅仅被系统的隐藏属性给隐藏?
Ja0dy 发表于 2013-12-23 08:53
能不能识别木马
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-23 10:17

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表