Just another great utility from Sysinternals!!!
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
:-)))
Thanks Bryce and Mark.
Norbert.
“Only those who attempt the absurd can achieve the impossible.”
---- snip ----
There are other potentially very dangerous techniques, such as determining
the addresses of internal kernel synchronization objects
and using them in your code to accomplish black magic. I had to use
such techniques in the past.
On the other hand, there are cases in which you simply can't accomplish
what you want without performing dangerous things. My position on
this is that you should always use the least intrusive technique, and
always inform your customer about what you did to make their request
possible. Debugging and analysis tools are just an example. There are others.
About identifying such techniques, I maintain my statement that a debugger is your best
friend. You should be able with minimal effort to determine the most used
methods of hooking, if you know where you should look for them.
As for the product which so far to my knowledge has the biggest number of
hooks installed, it's NuMega NTICE.
Use educated guesses to determine whether a third-party driver you
installed uses hooking, and a debugger and a minimal analysis will reveal
more than you think.
Norbert, don't grow paranoid. It's futile =)
Dan
----- Original Message -----
> From: “Norbert Kawulski”
> To: “Windows System Software Devs Interest List”
> Sent: Friday, December 17, 2004 12:30 PM
> Subject: Re: Inspiration
>> Thanks to John Alderson and Marco Peretti
>> for pointing out these sites.
>> Yes Peter, it is scary. My paranoia grows…
>> But because modifying the SDT is only one form of hooking and there
>> are many more forms of patching at runtime my proposed utility seems
>> to be impossible (imperfect).
>> Norbert.
>> --------
>> “A professor is one who talks in someone else’s sleep.”
>> ---- snip ----
>> —
>> Questions? First check the Kernel Driver FAQ at
>> http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@rdsor.ro
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
---- snip ----
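The two detection ideas the thread circles around, checking whether service table entries still point into the kernel image (the kind of check a RootkitRevealer-style tool performs) and looking at a function's first bytes for a runtime patch (one of the "many more forms of patching" Norbert mentions), as an added example in user-mode C. This is not code from the thread, from Sysinternals or from any tool named above: the kernel image range, the service table and the two function prologues are constructed sample data so it runs stand-alone; a real check would read the live table and code bytes from kernel mode. It also shows why Norbert calls the proposed utility imperfect: an entry can pass the range check and still be hooked by an inline patch, and the prologue heuristic only recognises a few common patterns.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed: a fake "kernel image" occupying [KERNEL_BASE, KERNEL_BASE + KERNEL_SIZE). */
#define KERNEL_BASE 0x80400000u
#define KERNEL_SIZE 0x00200000u

/* Constructed service table: most entries point into the kernel image,
 * entry 2 points elsewhere, which is what an SDT entry redirected to a
 * third-party driver looks like. */
static const uintptr_t sample_table[] = {
    0x80401000u, 0x80402340u, 0xf8a51000u, 0x80410020u, 0x804ff000u
};
#define SAMPLE_TABLE_LEN (sizeof sample_table / sizeof sample_table[0])

/* Returns how many table entries point outside the expected image range and
 * records their indices in `flagged` (at most max_flagged of them). */
size_t find_out_of_range(const uintptr_t *table, size_t n,
                         uintptr_t base, size_t size,
                         size_t *flagged, size_t max_flagged)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (table[i] < base || table[i] >= base + size) {
            if (count < max_flagged) flagged[count] = i;
            count++;
        }
    }
    return count;
}

/* Heuristic inline-patch check on a function prologue: a hook installed by
 * patching code usually overwrites the first bytes with an unconditional
 * transfer. Recognises x86 `jmp rel32` (E9), `jmp [abs32]` (FF 25) and
 * `push imm32; ret` (68 .. C3). Returns 1 if the prologue looks patched,
 * 0 otherwise. Anything else (e.g. a patch placed a few bytes in) is missed. */
int prologue_looks_patched(const unsigned char *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9) return 1;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) return 1;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) return 1;
    return 0;
}

/* Constructed prologues: an untouched `mov edi,edi; push ebp; mov ebp,esp`
 * sequence, and the same function after its first five bytes were replaced
 * by `jmp rel32`. A table entry pointing at the second one still passes the
 * range check above. */
static const unsigned char clean_prologue[]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83 };
static const unsigned char patched_prologue[] = { 0xE9, 0x10, 0x20, 0x30, 0x40, 0x83 };

int main(void)
{
    size_t flagged[SAMPLE_TABLE_LEN];
    size_t n = find_out_of_range(sample_table, SAMPLE_TABLE_LEN,
                                 KERNEL_BASE, KERNEL_SIZE,
                                 flagged, SAMPLE_TABLE_LEN);
    for (size_t i = 0; i < n; i++)
        printf("table[%zu] = 0x%08lx points outside the kernel image\n",
               flagged[i], (unsigned long)sample_table[flagged[i]]);
    printf("clean prologue patched:   %d\n",
           prologue_looks_patched(clean_prologue, sizeof clean_prologue));
    printf("patched prologue patched: %d\n",
           prologue_looks_patched(patched_prologue, sizeof patched_prologue));
    return 0;
}
```

Both checks are cheap, but each sees only one hooking technique; a driver that neither changes the table nor touches the first bytes of a function is invisible to both, which is the gap the thread's "imperfect" verdict refers to.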