Rkdetect is a little anomaly detection tool
which can find services hidden by generic
Windows rootkits like Hacker Defender.
Tool very simply. It enumerates services on
remote computer through WMI (user level) and
Services Control Manager (kernel level),
compare result and display difference. In this
way we can find hidden services which usual
used to start rootkit.
Similar approach can be used to enumerate
processes, files, registry keys and anything
that rootkits can to hide.
Rkdetect available here:
http://www.security.nnov.ru/files/rkdetect.zip
Tool consists from VBScript file rkdetect.vbs
and sc.exe utility. Sc.exe it's standard
Windows tool to work with SCM which you can
find on any Windows Box with W2K3.
Usage:
Unzip archive.
If you don't trust me (I hope you
don't :-), copy sc.exe
(c:\WINDOWS\system32\sc.exe in my case) from
Windows folder to the rkdetect folder.
3. Change dir to rkdetect folder.
4. Start it:
cscript rkdetect.vbs <machine_name/ip>
Example:
C:\detector>cscript rkdetect.vbs 200.4.4.4
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001.
All rights reserved.
Query services by WMIβ¦
Detected 79 services
Query services by SCβ¦
Detected 80 services
Finding hidden servicesβ¦
Possible rootkit found: HXD Service 100
Done
C:\detector>
Thanks for your attention and sorry for my
English.
Sergey V. Gordeychik, [email protected]