RootkitRevealer is a popular, free software only available for Windows, belonging to the category Security software with subcategory Anti-virus. More about RootkitRevealer. Since the program has been added to our selection of programs and apps in , it has managed to reach 18, installations, and last week it achieved 5 installations. Download RootkitRevealer – An advanced root kit detection utility. RootkitRevealer helps users with rootkit detection on Windows XP and Windows Server (bit-versions only).

Replied on November 24: Hi Jeff, the Rootkit Revealer tool is already obsolete; it was originally designed for Windows XP and Server. Microsoft has a scan tool, Microsoft Safety Scanner, that is designed to find and remove malware from Windows computers. For more information about the Microsoft Safety Scanner, you can check this link.
RootkitRevealer is a rootkit scanner from Microsoft Sysinternals. This program will search for user-mode or kernel-mode rootkits and list any API discrepancies that are found.
Analyze your system and detect rootkits
Rootkit Revealer – Microsoft Community
RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP and Windows Server (bit-versions only), and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don’t attempt to hide their files or registry keys).
If you use it to identify the presence of a rootkit please let us know! The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer’s scan by using its executable name. We’ve therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version’s behavior.
What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection.
When an application performs a directory listing that would otherwise return results containing entries that identify the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries. The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration.
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel’s list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
How RootkitRevealer Works
Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry’s on-disk storage format).
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer’s reads of Registry hive data or file system data and changing the contents of the data such that the rootkit’s Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.
Is there a sure-fire way to know of a rootkit’s presence? In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system’s behavior, so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised.
While comparing an on-line scan of a system with an off-line scan from a secure environment, such as a boot into a CD-based operating system installation, is more reliable, rootkits can target such tools to evade detection even by them.
Using RootkitRevealer
RootkitRevealer requires that the account from which it is run has been assigned the “Backup files and directories”, “Load drivers” and “Perform volume maintenance tasks” (on Windows XP and higher) privileges. The Administrators group is assigned these privileges by default.
In order to minimize false positives run RootkitRevealer on an idle system. For best results exit all applications and keep the system otherwise idle during the RootkitRevealer scanning process. If you have questions or problems please visit the Sysinternals RootkitRevealer Forum.
Manual Scanning
To scan a system, launch RootkitRevealer on the system and press the Scan button. RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. The configurable options are described below. If you specify the -c option it does not report progress, and discrepancies are printed in CSV format for easy import into a database.
You can perform scans of remote systems by executing it with the Sysinternals PsExec utility. The documentation’s screenshot shows RootkitRevealer detecting the presence of the popular HackerDefender rootkit. The Registry key discrepancies show that the Registry keys storing HackerDefender’s device driver and service settings are not visible to the Windows API, but are present in the raw scan of the Registry hive data.
Similarly, the HackerDefender-associated files are not visible to Windows API directory scans, but are present in the scan of the raw file system data. You should examine all discrepancies and determine the likelihood that they indicate the presence of a rootkit.
Unfortunately, there is no definitive way to determine, based on the output, if a rootkit is present, but you should examine all reported discrepancies to ensure that they are explainable. If you determine that you have a rootkit installed, search the web for removal instructions. If you are unsure as to how to remove a rootkit you should reformat the system’s hard disk and reinstall Windows. In addition to the information below on possible RootkitRevealer discrepancies, the RootkitRevealer Forum at Sysinternals discusses detected rootkits and specific false-positives.
There are also antivirus products, such as Kaspersky Antivirus, that use rootkit techniques to hide data they store in NTFS alternate data streams. RootkitRevealer does not support output filters because rootkits can take advantage of any filtering.
Finally, if a file is deleted during a scan you may also see this discrepancy.
Access is Denied.
RootkitRevealer should never report this discrepancy, since it uses mechanisms that allow it to access any file, directory, or Registry key on a system.
These discrepancies indicate that a file appears in only one or two of the scans. A common reason is that a file is either created or deleted during the scans. The original documentation gives an example of RootkitRevealer’s discrepancy report for a file created during the scan.
Windows API length not consistent with raw hive data.
Rootkits can attempt to hide themselves by misrepresenting the size of a Registry value so that its contents aren’t visible to the Windows API.
You should examine any such discrepancy, though it may also appear as a result of Registry values that change during a scan.
Type mismatch between Windows API and raw hive data.
Key name contains embedded nulls.
The Windows API treats key names as null-terminated strings, whereas the kernel treats them as counted strings. Thus, it is possible to create Registry keys that are visible to the operating system, yet only partially visible to Registry tools like Regedit. The Reghide sample code at Sysinternals demonstrates this technique, which is used by both malware and rootkits to hide Registry data. Use the Sysinternals RegDelNull utility to delete keys with embedded nulls.
Data mismatch between Windows API and raw hive data.
This discrepancy will occur if a Registry value is updated while the Registry scan is in progress. Values that change frequently include timestamps, such as the Microsoft SQL Server uptime value shown in the documentation’s screenshot, and virus scanner “last scan” values. You should investigate any reported value to ensure that it is a valid application or system Registry value.
Windows Internals, 4th Edition, by Mark Russinovich and Dave Solomon (the book doesn’t talk about rootkits, but understanding the Windows architecture is helpful to understanding rootkits).
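As an added example (not Sysinternals code) of the cross-view comparison described under How RootkitRevealer Works and of the discrepancy classes listed above, the following Python compares a constructed Windows API view of the Registry against a constructed raw-hive view and labels each difference with the corresponding RootkitRevealer discrepancy; every key path and value in it is a made-up stand-in.

```python
"""Cross-view discrepancy detection as RootkitRevealer describes it: enumerate
the same Registry namespace through the Windows API and through the raw hive,
then report every difference.  Added illustration, not Sysinternals code; the
two views below are constructed stand-ins for real enumerations."""
from typing import Dict, List, Optional, Tuple

View = Dict[str, Optional[bytes]]  # key path -> data (None if the key has none)
HIDDEN = "Hidden from Windows API"
EMBEDDED_NULL = "Key name contains embedded nulls"
ONLY_API = "Visible in Windows API but not in raw hive data"
DATA_MISMATCH = "Data mismatch between Windows API and raw hive data"
SVC = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"  # constructed path prefix


def api_name(raw_name: str) -> str:
    """The API treats names as null-terminated, the kernel as counted strings,
    so a name with an embedded null is visible only up to the first null."""
    return raw_name.split("\x00", 1)[0]


def compare_views(api: View, raw: View) -> List[Tuple[str, str]]:
    """Return (path, discrepancy) pairs, sorted by path; entries that are
    present and equal in both views produce nothing."""
    findings: List[Tuple[str, str]] = []
    truncated = {api_name(p) for p in raw if "\x00" in p}
    for path, data in raw.items():
        if "\x00" in path:  # only partially visible through the API
            findings.append((path.replace("\x00", "\\0"), EMBEDDED_NULL))
        elif path not in api:
            findings.append((path, HIDDEN))
        elif api[path] != data:  # e.g. a timestamp that ticked between passes
            findings.append((path, DATA_MISMATCH))
    for path in set(api) - set(raw) - truncated:
        findings.append((path, ONLY_API))  # e.g. created after the raw pass
    return sorted(findings)


def sample_views() -> Tuple[View, View]:
    """Constructed views: one key hidden outright, one with an embedded null,
    one value changed mid-scan, one key created after the raw pass."""
    raw: View = {SVC + "Tcpip": None,
                 SVC + "Tcpip\\Parameters\\Hostname": b"host1",
                 SVC + "hiddensvc\\ImagePath": b"c:\\hidden.sys",  # hidden
                 SVC + "Demo\x00hidden": None,  # counted name with a null
                 "HKLM\\SOFTWARE\\Demo\\Uptime": b"100"}
    api: View = {SVC + "Tcpip": None,
                 SVC + "Tcpip\\Parameters\\Hostname": b"host1",
                 SVC + "Demo": None,  # the API sees the prefix before the null
                 "HKLM\\SOFTWARE\\Demo\\Uptime": b"101",
                 "HKLM\\SOFTWARE\\Demo\\NewKey": None}
    return api, raw
```

Running `compare_views(*sample_views())` yields four findings, one per discrepancy class, while the two Tcpip entries that agree in both views are silent.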
Scan Registry: this option is on by default. Deselecting it has RootkitRevealer not perform a Registry scan.
Launching an Automatic Scan
RootkitRevealer supports several options for auto-scanning systems:
Usage: rootkitrevealer [-a [-c] [-m] [-r] outputfile]
Parameter: -a
Description: Automatically scan and exit when done.
Note that the file output location must be on a local volume.