David,
The following paragraph is from the rootkitrevealer page:
"
Can a Rootkit hide from RootkitRevealer?
It is theoretically possible for a rootkit to hide from RootkitRevealer.
Doing so would require intercepting RootkitRevealer’s reads of Registry hive
data or file system data and changing the contents of the data such that the
rootkit’s Registry data or files are not present. However, this would
require a level of sophistication not seen in rootkits to date. Changes to
the data would require both an intimate knowledge of the NTFS, FAT and
Registry hive formats, plus the ability to change data structures such that
they hide the rootkit, but do not cause inconsistent or invalid structures
or side-effect discrepancies that would be flagged by RootkitRevealer.
"
My understanding is that the rootkitrevealer simply reads the registry hive
and file system tables from the disk and parses them just like the registry
API and file system driver would. This comes to detect hooking of kernel and
user mode API’s that are related to registry and file system. A disk filter
that fakes the data that is read from the disk will certainly will not be
detected by this tool. Then again you can read the last sentence in the
quoted paragraph - this is not a simple task, not even remotely close in its
difficulty to API hooking.
Shahar
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of David Lavo
Sent: Thursday, March 10, 2005 2:33 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Inspiration
The webpage for rootkitreveal mentions doing “raw reads” of the filesystem
(and registry hive) for comparison to the data returned by normal reads.
Please forgive the naive question, but how are raw reads done?
I ask because yesterday I was trying to read something from a CdRom and
found that all my read requests were blocked by a lower filter driver called
“pfc.sys”. (This was during a rip with DiscJuggler.) I think this is the
Patin-Couffin ASPI-type driver, which apparently offers an “exclusive
access” mode where it blocks all other read requests.
I don’t know whether a raw read mechanism could bypass such filter
manipulations, but it seems like it would be a good thing to know how to do.
Thanks,
David
Norbert Kawulski wrote:
Just another great Utility from sysinternals !!!
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
:-)))
Thanks Bryce and Mark.
Norbert.
“Only those who attempt the absurd can achieve the impossible.”
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
You are currently subscribed to ntdev as: xxxxx@safend.com To unsubscribe
send a blank email to xxxxx@lists.osr.com